Re: Overnight Logons



538's are logouts. Never looked at this, but could SBS be disconnecting some attachments in preparation for backup or maintenance? The 1100 pm time looks like it might be.

-Larry

"Dave Nickason [SBS MVP]" <gwdibble@xxxxxxxxxxxxxxxxxxxxxx> wrote in message news:%23l4rrS2PJHA.3936@xxxxxxxxxxxxxxxxxxxxxxx
The ones with the $ are all computer names, right? Those should be system events rather than user events.

Is Dwayne leaving his desktop PC running overnight? Logon Type 3 is a logon from a different machine in the local network. See http://www.windowsecurity.com/articles/Logon-Types.html.



"Rod" <Rod@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:055DBA68-4AAA-4DFA-BDF3-93CB7B2C032E@xxxxxxxxxxxxxxxx
Here are 2 of the Dwaynes and one susan$.
What are the ones with $ after them?


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 11/4/2008
Time: 11:01:12 PM
User: WELL\Dwayne
Computer: WATER
Description:
User Logoff:
User Name: Dwayne
Domain: WELL
Logon ID: (0x0,0xCAD7263)
Logon Type: 3


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 11/4/2008
Time: 11:01:01 PM
User: WELL\Dwayne
Computer: WATER
Description:
User Logoff:
User Name: Dwayne
Domain: WELL
Logon ID: (0x0,0xCAD7222)
Logon Type: 3


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: 11/4/2008
Time: 11:01:20 PM
User: WELL\SUSAN589$
Computer: WATER
Description:
Successful Network Logon:
User Name: SUSAN589$
Domain: WELL
Logon ID: (0x0,0xCAE0917)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
Logon GUID: {ec4e8a6f-085c-1d79-eb9d-d86827b8b6f6}
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.16.109
Source Port: 2774


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.



"Larry Struckmeyer [SBS-MVP]" wrote:

Without any other information, user dwayne with simple password could mean
your server has been compromised. All users should have pass phrases, not
pass words. Pass phrases are easier to remember, hard, if not impossible to
hack.

"My Te@M" 21 "Y0ur Team 12"! is a good example. Substitute your favorite
teams.

The info requested earlier would help diagnose your situation.

-Larry


"Rod" <Rod@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7CCF321D-4A9B-482F-95DA-9230EF51B44E@xxxxxxxxxxxxxxxx
> It's a user that is not in the office but he does exist. He does not use
> RWW (I'll disable that for him), and his name is Dwayne. He probably has a
> simple password. I'll fix that also.
>
> "Larry Struckmeyer [SBS-MVP]" wrote:
>
>> Hi Rod:
>>
>> From the event, can you post the details... login type and the rest. When
>> you say there is a "user who is not here" do you mean he is out of the
>> office, or that he doesn't exist? If this user exists, and his computer is
>> shut down, could it be RWW? If neither of those, is this a common name and
>> a simple password?
>>
>> When you say inaccessible, what are the exact symptoms? Inaccessible from
>> the LAN and/or RWW? What are the exact symptoms, messages that occur when
>> this happens?
>>
>> -Larry
>>
>> "Rod" <Rod@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:75589417-F14D-4157-B5E4-948F22048BD9@xxxxxxxxxxxxxxxx
>> > Recently our server has been suddenly inaccessible; when I reboot the
>> > server it's fine. While trying to identify the issue in the Event Viewer I
>> > notice success audits from usernames with $ after them. Are they normal in
>> > the middle of the night?
>> >
>> > Also I notice a particular user logging on that I know is not here (no $
>> > sign after that account).
>>
>>
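
The following Python example is added here and is not from any participant in the thread. It parses events in the Event Viewer text layout posted above, pairs each 540 network logon with its 538 logoff by Logon ID, separates computer accounts (trailing $) from user accounts, and marks off-hours Type 3 logons by user accounts for review. The sample events, the 07:00-19:00 working window and the function names are assumptions.

```python
import re
from datetime import datetime

# Constructed sample (fields trimmed; Logon IDs and Dwayne's address are made up).
SAMPLE = """\
Event ID: 540
Date: 11/4/2008
Time: 10:58:40 PM
User: WELL\\Dwayne
Logon ID: (0x0,0xAAA0001)
Logon Type: 3
Source Network Address: 192.168.16.50
Event ID: 540
Date: 11/4/2008
Time: 11:01:20 PM
User: WELL\\SUSAN589$
Logon ID: (0x0,0xAAA0002)
Logon Type: 3
Source Network Address: 192.168.16.109
Event ID: 538
Date: 11/4/2008
Time: 11:01:01 PM
User: WELL\\Dwayne
Logon ID: (0x0,0xAAA0001)
"""

def parse_events(text):
    # Each record starts at an "Event ID:" line; its "Key: value" lines become a dict.
    events = []
    for chunk in re.split(r"(?m)^(?=Event ID:)", text)[1:]:
        e = dict(re.findall(r"(?m)^[ \t]*([^:\n]+):[ \t]*(.*)$", chunk))
        e["when"] = datetime.strptime(f"{e['Date']} {e['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(e)
    return events

def network_sessions(events, day_start=7, day_end=19):
    # Pair 540 (network logon) with 538 (logoff) by Logon ID, then classify.
    logoffs = {e["Logon ID"]: e["when"] for e in events if e["Event ID"] == "538"}
    out = []
    for e in events:
        if e["Event ID"] == "540" and e.get("Logon Type") == "3":
            machine = e["User"].endswith("$")      # trailing $ = computer account
            end = logoffs.get(e["Logon ID"])       # None if the session is still open
            off_hours = not (day_start <= e["when"].hour < day_end)
            out.append({"account": e["User"], "machine": machine,
                        "source": e.get("Source Network Address", ""),
                        "seconds": (end - e["when"]).total_seconds() if end else None,
                        "review": off_hours and not machine})
    return out
```

The `source` field of a session marked for review is the machine to check first, which is the question Dave raises about Dwayne's desktop being left on overnight.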



