Re: Event Log ID 538 and 540 continuous

From: Robert Kellogg (DuPont24_03_at_msn.com)
Date: 04/07/04


Date: Wed, 7 Apr 2004 11:47:02 -0700

Hello Merv,

Thanks again for your response..

I finally figured out how to edit the Group Policies, so I turned off all
editing just to see if it would stop, and it did... But this is the weird
part...

The Domain functional level is Windows Server 2003
The Forest functional level is Windows 2000

I have in the root of the forest a Default Domain policy which I can make
audit changes with 4 other policies

Then I have a container called Domain Controllers with two policies housed
in it..
    Default Domain Controllers Policy
    Small Business Server Auditing Policy

I can make the same changes to the auditing sections of all of these
policies but none of them reflect changes between each other.. So if I
change one I have to change the other...

Are some of these links an inheritance of SBS2000 when I upgraded?

Then I have another container called Group Policy Objects which houses all 7
policies. But they are not shown as links.

Also when I edit these policies a lot of the values say NOT DEFINED, but
then I check the define box then default or current setting is applied... I
think this is a major problem with the Policies when doing an in-place
upgrade...

This would probably explain my other problems with current users not able to
access their mailboxes via OWA. If I create a new user it can access its
mailbox via OWA or if I detach the mailbox from a current user, delete the
account, and then recreate that user and reconnect the mailbox all is good,
except I have then lost the user's profile and will not logon to the DC with
all XP profile... But that's another issue... I bet it has to do with the
GPO..

Thanks

Robert

"Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam> wrote in message
news:%23W4ahpCHEHA.740@tk2msftngp13.phx.gbl...
> I believe the Default Domain Controller Security Settings for SBS 2003 are
> set to 'Success' for "Audit Logon Events" and "Audit Account Logon" events.
> Turning on "Audit Logon Events" may generate a large log (on my test server,
> the log currently stands at 19 MB and 538/540 events appear to be logged
> every few seconds). The default (maximum) size for the Security log is 65
> MB. For the Application and System logs, the default is 16 MB. Seems like
> this indicates that you need to be prepared for a lot of events in the
> Security log.
>
> You may be able to switch to only activating "Audit Account Logon Events"
> (not sure of the security implications here). From what I gather, "Audit
> Logon Events" will log ALL activity both at the workstation(s) and domain
> controller level and create an entry in the log for either of these. The
> number of logged events may get pretty high given 'system' account activity
> in the domain.
>
> "Audit Account Logon Events" will only look for audit events when
> authenticating an account involves the domain controller (not the
> workstation).
>
> This thread may explain the difference a little better...
>
> http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&oe=UTF-8&threadm=upm1q%2349BHA.2596%40tkmsftngp05&rnum=1&prev=/groups%3Fq%3Daudit%2520account%2520logon%2520vs%2520audit%2520logon%26hl%3Den%26lr%3D%26ie%3DUTF-8%26oe%3DUTF-8%26sa%3DN%26tab%3Dwg
>
>
> --
> Merv Porter [SBS MVP]
> ===================================
> "Robert Kellogg" <DuPont24_03@msn.com> wrote in message
> news:ehuamvBHEHA.3700@TK2MSFTNGP09.phx.gbl...
> > Hello Merv
> >
> > Thanks for the response..
> >
> > I checked the Security settings "Local Policies / Audit Policy" and the only
> > thing I am auditing is "Audit logon events - Success, Failures".. Which I
> > need to for illegal logons or attempted attacks on accounts...
> >
> > So I could turn this off in the meantime just to see if these entries stop,
> > but that still is not going to tell me why there are repeated entries
> > showing up in the Event Viewer from this Audit Policy.... It's like the user
> > or client is logging on and off every sec... Oh and there are SYSTEM entries
> > in there too, so the server is doing it on its own audit policy..
> >
> > regards,
> >
> > Robert
> >
> >
> >
> > "Merv Porter [SBS-MVP]" <mwport@hotmail.com_no_spam> wrote in message
> > news:%23DO0fhAHEHA.2236@TK2MSFTNGP11.phx.gbl...
> > > In your group policies, are you auditing all events (Audit Logon Events) or
> > > just success/fail logons? I think Audit Logon Events might list everything
> > > that happens on your server.
> > >
> > > --
> > > Merv Porter [SBS MVP]
> > > ===================================
> > > "Robert Kellogg" <DuPont24_03@msn.com> wrote in message
> > > news:#CRrwIAHEHA.2012@TK2MSFTNGP09.phx.gbl...
> > > > I have been experiencing numerous 538 and 540 entries in my Security Event Viewer
> > > > ever since I did an SBS2003 in-place upgrade from SBS2000.
> > > >
> > > > The entries seem to be random for any user or client also. The rate of
> > > > growth has been up to 10,000 entries in an 8hr work day.
> > > >
> > > > Now I have also noticed that these entries exist even if the users are
> > > > logged off the network but there will be repeated logon/logoff (538 and 540)
> > > > entries in the event viewer but they will be of the client machine (i.e.
> > > > computername$).
> > > >
> > > > Also they are all Logon type 3 and process is Kerberos..
> > > >
> > > > What would be causing this.. I can't seem to find anything except an
> > > > article about Event ID 576 fills log... Not very helpful..
> > > >
> > > > Thanks
> > > >
> > > > Robert
> > > >
> > > >
> > >
> > >
> >
> >
>
>
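Added example, not part of any message in this thread: a small triage script for the situation discussed above, counting 538/540 events by account kind (machine accounts such as computername$ versus users) and logon type, and pairing each 540 logon with its 538 logoff by Logon ID to show how short-lived the sessions are. The pipe-delimited export layout, host names and Logon IDs are constructed assumptions; only the field labels follow the 538/540 event descriptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in a pipe-delimited export layout (an assumption):
# timestamp | event ID | description text using the 538/540 field labels.
SAMPLE = """\
2004-04-07 09:00:01|540|User Name: WKSTN01$ Domain: CORP Logon ID: (0x0,0x1A2B3) Logon Type: 3 Logon Process: Kerberos
2004-04-07 09:00:02|538|User Name: WKSTN01$ Domain: CORP Logon ID: (0x0,0x1A2B3) Logon Type: 3
2004-04-07 09:00:05|540|User Name: jsmith Domain: CORP Logon ID: (0x0,0x1A2C0) Logon Type: 3 Logon Process: Kerberos
2004-04-07 09:00:06|540|User Name: WKSTN02$ Domain: CORP Logon ID: (0x0,0x1A2D7) Logon Type: 3 Logon Process: Kerberos
2004-04-07 09:00:07|538|User Name: WKSTN02$ Domain: CORP Logon ID: (0x0,0x1A2D7) Logon Type: 3
2004-04-07 09:14:40|538|User Name: jsmith Domain: CORP Logon ID: (0x0,0x1A2C0) Logon Type: 3
"""

FIELD = re.compile(r"(User Name|Logon ID|Logon Type|Logon Process):\s*(\S+)")

def parse(text):
    """Yield one dict per 538/540 record; blank lines and other IDs are skipped."""
    for line in filter(str.strip, text.splitlines()):
        stamp, event_id, desc = line.split("|", 2)
        if event_id not in ("538", "540"):
            continue
        rec = dict(FIELD.findall(desc))
        rec["time"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
        rec["event"] = event_id
        # Machine accounts end in "$" (computername$ in the thread).
        rec["kind"] = "machine" if rec["User Name"].endswith("$") else "user"
        yield rec

def volume_by_source(text):
    """Count events per (event ID, account kind, logon type)."""
    return Counter((r["event"], r["kind"], r["Logon Type"]) for r in parse(text))

def session_seconds(text):
    """Pair each 540 logon with the 538 logoff carrying the same Logon ID."""
    opened, durations = {}, {}
    for r in parse(text):
        key = r["Logon ID"]
        if r["event"] == "540":
            opened[key] = r
        elif key in opened:
            start = opened.pop(key)
            durations[(start["User Name"], key)] = (r["time"] - start["time"]).total_seconds()
    return durations

if __name__ == "__main__":
    print(volume_by_source(SAMPLE))
    print(session_seconds(SAMPLE))
```

A count dominated by machine-account type 3 pairs lasting a second or so points at routine network authentication by domain members rather than interactive user activity.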
