Re: Overnight Logons
- From: Rod <Rod@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 5 Nov 2008 08:09:00 -0800
here are 2 of the dwaynes and one susan$
what are the ones with $ after them?
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 11/4/2008
Time: 11:01:12 PM
User: WELL\Dwayne
Computer: WATER
Description:
User Logoff:
User Name: Dwayne
Domain: WELL
Logon ID: (0x0,0xCAD7263)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 11/4/2008
Time: 11:01:01 PM
User: WELL\Dwayne
Computer: WATER
Description:
User Logoff:
User Name: Dwayne
Domain: WELL
Logon ID: (0x0,0xCAD7222)
Logon Type: 3
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/4/2008
Time: 11:01:20 PM
User: WELL\SUSAN589$
Computer: WATER
Description:
Successful Network Logon:
User Name: SUSAN589$
Domain: WELL
Logon ID: (0x0,0xCAE0917)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {ec4e8a6f-085c-1d79-eb9d-d86827b8b6f6}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.16.109
Source Port: 2774
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
"Larry Struckmeyer [SBS-MVP]" wrote:
Without any other information, user dwayne with simple password could mean.
your server has been compromised. All users should have pass phrases, not
pass words. Pass phrases are easier to remember, hard, if not impossible to
hack.
"My Te@M" 21 "Y0ur Team 12"! is a good example. Substitute your favorite
teams.
The info requested earlier would help diagnose your situation.
-Larry
"Rod" <Rod@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7CCF321D-4A9B-482F-95DA-9230EF51B44E@xxxxxxxxxxxxxxxx
Its a user that is not in the office but he does exist. He does not use
RWW
(i'll disable that for him). and his name is dwayne. He probably has a
simple
password. I'll fix that also.
"Larry Struckmeyer [SBS-MVP]" wrote:
Hi Rod:
From the event, can you post the details... login type and the rest.
When
you say there is a "user who is not here" do you mean he is out of the
office, or that he doesn't exist? If this user exists, and his computer
is
shut down, could it be RWW? If neither of those, is this a common name
and
a simple password?
When you say inaccessible, what are the exact symptoms? Inaccessible
from
the LAN and or RWW? What are the exact symptoms, messages that occur
when
this happens.
-Larry
"Rod" <Rod@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:75589417-F14D-4157-B5E4-948F22048BD9@xxxxxxxxxxxxxxxx
Recently our server has been suddenly inaccessable, when i reboot the
server
it's fine. While trying to identify the issue in the even viewer I
notice
success audits from usernames with $ after them. Are they normal in the
middle of the night?
also I notice a particular user logging on that I know is not here (no
$
sign after that account)
- Follow-Ups:
- Re: Overnight Logons
- From: Dave Nickason [SBS MVP]
- Re: Overnight Logons
- References:
- Overnight Logons
- From: Rod
- Re: Overnight Logons
- From: Larry Struckmeyer [SBS-MVP]
- Re: Overnight Logons
- From: Rod
- Re: Overnight Logons
- From: Larry Struckmeyer [SBS-MVP]
- Overnight Logons
- Prev by Date: RWW does not connect when using "Enable files..." option
- Next by Date: Remove MS Office test message
- Previous by thread: Re: Overnight Logons
- Next by thread: Re: Overnight Logons
- Index(es):
Relevant Pages
|
Loading
