Lesley Kipling [MSFT]
Guest
Posted: Thu Feb 24, 2005 9:57 pm
Post subject: Re: Suspicious Logon/Logoff Logs
Hi.

Is this a W2K domain or a W2K3 domain? Probably the reason that this account is being audited for is that the user has special privileges associated with his/her account. For instance, backup operators would be audited for as well.

Events 538/540 are normal successful logons - the first one interactively, the second on successful connection via the network (e.g. net use). 576 should list the privileges associated with the account in question.

In W2K3 we will log an event on logon (assuming logon auditing is enabled) of anybody containing some special privileges - this doesn't necessarily denote suspicious activity.

HTH, Les
This posting is provided "AS IS" with no warranties, and confers no rights.
"MWGP" <gpwong@hotmail.com> wrote in message news:OzE3$$7FFHA.936@TK2MSFTNGP12.phx.gbl...
> Hi
> I have recently found that there are several suspicious footprints in one of my server's security logs. I have found that the particular user account has caused the events 538, 540 and 576. This is fishy as no one else has these logs written except the administrator account. I can also see that the same similar logs repeat through the day when the user is in the company. How do we find out more from here?
> Thanks
> MWGP
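The next step MWGP asks about ("how do we find out more from here?") is usually to correlate the three event IDs per user rather than reading them one by one. The script below is an added example and is not part of this thread or of any Microsoft tool. It assumes the documented Windows 2000/2003 meanings of the IDs (540 = successful network logon, 538 = user logoff, 576 = special privileges assigned to a new logon) and uses the Logon ID field, which those events share, to pair each logon with its logoff and to attach the privilege list from 576. The pipe-separated input format, the field names and the account names are constructed for the example; a real Event Viewer export will need its own parser in place of parse_records().

```python
"""Correlate Windows 2000/2003 security events 540, 538 and 576 per user.

Added example, not code from the newsgroup thread. Assumes the documented
meanings of the event IDs (540 = network logon, 538 = logoff, 576 = special
privileges assigned to a new logon). The export format below is constructed
and simplified: one event per line, fields separated by '|'.
"""
from collections import defaultdict

# Constructed sample export: timestamp | event id | user | logon id | extra text.
SAMPLE_EXPORT = """\
2005-02-24 08:01:12|540|CORP\\mwgp|0x1A2B3|Logon Type: 3
2005-02-24 08:01:12|576|CORP\\mwgp|0x1A2B3|SeBackupPrivilege SeRestorePrivilege
2005-02-24 08:45:40|538|CORP\\mwgp|0x1A2B3|Logon Type: 3
2005-02-24 09:10:05|540|CORP\\mwgp|0x1A2C9|Logon Type: 3
2005-02-24 09:10:05|576|CORP\\mwgp|0x1A2C9|SeBackupPrivilege SeRestorePrivilege
2005-02-24 09:30:00|540|CORP\\alice|0x1B001|Logon Type: 3
2005-02-24 09:31:00|538|CORP\\alice|0x1B001|Logon Type: 3
"""


def parse_records(text):
    """Parse the constructed export into dicts; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, event_id, user, logon_id, extra = parts
        records.append({"time": ts, "event": event_id, "user": user,
                        "logon_id": logon_id, "extra": extra})
    return records


def correlate(records):
    """Pair 540 logons with 538 logoffs by Logon ID and attach 576 privileges.

    Returns {user: {"sessions": [(logon_time, logoff_time_or_None), ...],
                    "privileges": sorted list of privilege names seen in 576}}.
    """
    open_logons = {}  # logon_id -> (user, logon time) for logons not yet logged off
    summary = defaultdict(lambda: {"sessions": [], "privileges": set()})
    for r in records:
        if r["event"] == "540":
            open_logons[r["logon_id"]] = (r["user"], r["time"])
        elif r["event"] == "576":
            # 576 carries the privilege names granted to this new logon.
            summary[r["user"]]["privileges"].update(r["extra"].split())
        elif r["event"] == "538":
            start = open_logons.pop(r["logon_id"], None)
            if start is None:
                # Logoff whose logon is outside this extract: keep it, start unknown.
                summary[r["user"]]["sessions"].append((None, r["time"]))
            else:
                summary[start[0]]["sessions"].append((start[1], r["time"]))
    # Logons with no matching logoff in the extract are reported as still open.
    for user, time in open_logons.values():
        summary[user]["sessions"].append((time, None))
    for user in summary:
        summary[user]["privileges"] = sorted(summary[user]["privileges"])
    return dict(summary)


def users_with_special_privileges(summary):
    """Users whose logons triggered a 576, i.e. the 'special privileges' audit."""
    return sorted(u for u, s in summary.items() if s["privileges"])


if __name__ == "__main__":
    result = correlate(parse_records(SAMPLE_EXPORT))
    for user, info in result.items():
        print(user, "privileges:", ", ".join(info["privileges"]) or "(none)")
        for start, end in info["sessions"]:
            print("    ", start, "->", end or "(still open)")
```

Run on the constructed sample, this reports that only CORP\mwgp triggers 576 (with the backup/restore privileges that make such an account subject to the audit Les describes), shows one completed network session and one still open, and shows that CORP\alice produced an ordinary 540/538 pair with no 576. On a real log, the same per-Logon-ID pairing is what turns "the same logs repeat through the day" into a list of distinct sessions with their durations and privilege sets.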