Results 1 to 2 of 2

Thread: Frequent logon success audits in event viewer

  1. #1
    Join Date
    Nov 2005
    Posts
    51

    Frequent logon success audits in event viewer

    We are running SBS 2007. Since last week I noticed that my Event Viewer is generating about 5000 record every hour and this consists mostly of system logon/logoff. I know that I can turn off the auditing of successful logon events but I just wanted to confirm whether this is not any kind of security or settings problem. Here you can see 3 of my event errors:

    5/8/2007,8:59:34 AM,Security,Success Audit,Logon/Logoff ,538,NT
    AUTHORITY\SYSTEM,ACASERVER,"User Logoff:
    User Name: ACASERVER$
    Domain: ACA
    Logon ID: (0x0,0xB5FAD6)
    Logon Type: 3

    5/8/2007,8:56:34 AM,Security,Success Audit,Logon/Logoff ,540,NT
    AUTHORITY\SYSTEM,ACASERVER,"Successful Network Logon:
    User Name: ACASERVER$
    Domain: ACA
    Logon ID: (0x0,0xB5FAD6)
    Logon Type: 3
    Logon Process: Kerberos
    Authentication Package: Kerberos
    Workstation Name:
    Logon GUID: {2ea2d473-c204-da54-11b7-da31e4d45350}
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.1.35
    Source Port: 17265

    5/8/2007,8:56:34 AM,Security,Success Audit,Logon/Logoff ,576,NT
    AUTHORITY\SYSTEM,ACASERVER,"Special privileges assigned to new logon:
    User Name: ACASERVER$
    Domain: ACA
    Logon ID: (0x0,0xB5FAD6)
    Privileges: SeSecurityPrivilege
    SeBackupPrivilege
    SeRestorePrivilege
    SeTakeOwnershipPrivilege
    SeDebugPrivilege
    SeSystemEnvironmentPrivilege
    SeLoadDriverPrivilege
    SeImpersonatePrivilege
    SeEnableDelegationPrivilege"

  2. #2
    Join Date
    Jul 2011
    Posts
    125

    RE: Frequent logon success audits in event viewer

    Actually the logon/logoff procedures are always performed by service startup/shutdown, shared file accessing, network accessing, users' logon/logoff etc. So it's normal that many logon/logoff events are logged because one logon/logoff procedure can generate several events. You can however disable them and there is no problem. You can do this by:

    • Open Server Management console
    • Extend Advanced Management->Group Policy Management->Forest: domain.local->Domains->domain.local->Domain Controllers
    • Right click Small Business Server Auditing Policy, select edit
    • Extend Computer Configuration->Windows Settings->Security Settings->Local Policies->Audit Policy
    • Double click Audit logon events, please ensure do not tick Success, click OK
    • Run gpupdate on SBS

Similar Threads

  1. MSI P67A-GD53 (B3) is crashing getting Kernel Power-Event ID 41 in Event viewer
    By Chellappan in forum Motherboard Processor & RAM
    Replies: 7
    Last Post: 10-12-2011, 11:05 AM
  2. Whea-logger event id:17 warnings in windows event viewer
    By Jona-thon in forum Operating Systems
    Replies: 5
    Last Post: 28-06-2010, 11:08 PM
  3. Event Viewer - The Event log file is corrupt
    By lmg in forum Windows Server Help
    Replies: 4
    Last Post: 09-02-2010, 07:49 AM
  4. Replies: 5
    Last Post: 20-11-2008, 03:07 PM
  5. Event ID 7026 error in event viewer
    By Carlos in forum Windows x64 Edition
    Replies: 2
    Last Post: 27-04-2007, 08:29 AM

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Page generated in 1,638,207,089.01630 seconds with 17 queries