RE: Logon Issue - could someone explain please



Hello Alex,

Thank you for posting here.

According to your description, I understand that you get security event 540
on SBS. If I have misunderstood the problem, please don't hesitate to let
me know.

Based on my research, event 540 indicates that a remote user has
successfully connected from the network to a local resource on the server,
generating a token for the network user. When a user logs onto his or her
computer, Success Audit for Event ID 540 will be recorded on the Domain
Controller. When a user connects to the shared folder on the SBS server,
Success Audit for Event ID 540 will also be recorded.

I suggest we try the following steps to see if we can resolve this issue:

Method 1:
On the servers having the issue, run the following steps:
1) Log on as an admin
2) From a command prompt, enter "at [time] /interactive cmd.exe", where
[time] is some time in the near future
3) Switch to the new command prompt that launches
4) Change to c:\windows\system32\wbem
5) Execute "mofcomp scm.mof"

Method 2:
SBS 2003 creates a GPO on the Domain Controllers container named Small
Business Server Auditing Policy. Logon Events are audited for Success and
Failure by default. These events can be stopped by turning off Success
logon auditing, although it is not recommended. To do so:

1. Click Start, click Run, type "gpmc.msc" and click OK.
2. Expand Domains -> your domain -> Domain Controllers.
3. Right-click Small Business Server Auditing Policy and click Edit.
4. Expand Computer Configuration -> Windows Settings -> Security Settings
-> Local Policies -> Audit Policy.
5. In the right pane, double-click Audit logon events and clear the Success
check box. Click OK.
6. Run "gpupdate /force" on SBS.

Additional information:

Securing Your Windows Small Business Server 2003 Network
http://www.microsoft.com/downloads/details.aspx?familyid=f62b2722-267c-4642-b287-c31115ef10a4&displaylang=en

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Threats and Countermeasures: Security Settings in Windows Server 2003 and Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=1B6ACF93-147A-4481-9346-F93A4081EEA8&displaylang=en

If the issue persists, please kindly help me collect some information for
further investigation:

1. Can you ping the IP 192.168.1.49?

2. Save the security event log and system event log as evt files on the
problematic machines and send to my mailbox: v-terliu@xxxxxxxxxxxxx

3. Try to shut down this workstation (192.168.1.49). Do you still get event
540 from this workstation?

4. Try to disable the user account woodstock. Do you still get event 540
from this user access?

Hope this helps.

Please feel free to let me know if you have any questions or if you need
further assistance.

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support


--------------------
| From: "Alex" <alex@xxxxxxxxxxxxxxxxx>
| Subject: Logon Issue - could someone explain please
| Date: Sun, 1 Apr 2007 20:04:42 +0100
| Message-ID: <OCJUjCJdHHA.4344@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
|
| Hi, I was looking at the event logs on our SBS2003 server, and saw the
| event as detailed below. Can someone explain what this log event actually
| means - it's just that Woodstock is one of our workstations, which is not
| switched on and has not been switched on for a number of weeks - the user
| is off ill.
|
| Thanks - Alex
|
|
| Event Type: Success Audit
| Event Source: Security
| Event Category: Logon/Logoff
| Event ID: 540
| Date: 01/04/2007
| Time: 16:10:13
| User: SPRINGFIELD\woodstock$
| Computer: MARGE
| Description:
| Successful Network Logon:
| User Name: woodstock$
| Domain: SPRINGFIELD
| Logon ID: (0x0,0x6665049C)
| Logon Type: 3
| Logon Process: Kerberos
| Authentication Package: Kerberos
| Workstation Name:
| Logon GUID: {1c189902-e342-6e61-1b1b-7bf5f11289b0}
| Caller User Name: -
| Caller Domain: -
| Caller Logon ID: -
| Caller Process ID: -
| Transited Services: -
| Source Network Address: 192.168.1.49
| Source Port: 0
|
|
| For more information, see Help and Support Center at
| http://go.microsoft.com/fwlink/events.asp.
|
|
|
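
An added example, not part of the original posts: a small Python triage helper that parses pasted event 540 text and groups network (Logon Type 3) logons by account and Source Network Address, so you can see which address to check in steps 1 and 3 above. The account "lisa", the address 192.168.1.77 and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: record 1 mirrors the event in the post; records 2-3 are made up.
SAMPLE = """\
Event ID: 540
User Name: woodstock$
Domain: SPRINGFIELD
Logon Type: 3
Source Network Address: 192.168.1.49

Event ID: 540
User Name: lisa
Domain: SPRINGFIELD
Logon Type: 3
Source Network Address: 192.168.1.77

Event ID: 540
User Name: woodstock$
Domain: SPRINGFIELD
Logon Type: 3
Source Network Address: 192.168.1.77
"""

# "Field Name: value" lines as they appear in the event description text.
FIELD = re.compile(r"^[ \t]*([A-Za-z /]+?):[ \t]*(.*)$", re.M)

def parse_events(text):
    """Split pasted event text on blank lines; return one dict per event 540."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = {k.strip(): v.strip() for k, v in FIELD.findall(block)}
        if rec.get("Event ID") == "540":
            events.append(rec)
    return events

def sources_by_account(events):
    """Map DOMAIN\\account to the sorted source addresses of its type 3 logons."""
    seen = defaultdict(set)
    for e in events:
        if e.get("Logon Type") == "3":
            account = f"{e.get('Domain', '?')}\\{e.get('User Name', '?')}"
            seen[account].add(e.get("Source Network Address", "-"))
    return {k: sorted(v) for k, v in seen.items()}

def machine_accounts_multi_source(events):
    """Computer accounts (name ends in $) seen from more than one address."""
    return {a: ips for a, ips in sources_by_account(events).items()
            if a.endswith("$") and len(ips) > 1}
```

A computer account showing up from more than one address is only a prompt to check which host currently holds each address; it can also be a changed DHCP lease.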
