Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Event ID 538 ANONYMOUS LOGON

Status
Not open for further replies.
vvb2

vvb2

Technical User
Sep 10, 2001
2
US
I keep seeing these events in my security log of server in my Windows 2000 Server farm. I cannot find any pattern to their appearance, and I an trying to figure out what they are. Some days I get no such logs, and some days quite a few. I am not running any web services on these servers, however, they are in a Citrix Metaframe farm. Any ideas would be appreciated. Thanks.


Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 5/17/2002
Time: 11:10:37 PM
User: NT AUTHORITY\ANONYMOUS LOGON
Computer: XXXX
Description:
User Logoff:
User Name: ANONYMOUS LOGON
Domain: NT AUTHORITY
Logon ID: (0x0,0x1C5763)
Logon Type: 3
 
Sort by date Sort by votes
I am also curious what these messages are and why they appear. Anyone have any support?
 
Upvote 0 Downvote
I have a followup question then: Why would it be anonymous when I can view user names (or computer names) when they log on and off? I don't understand the anonymous part.

Also, I checked the log again and have some similar events:

Event Type: Success Audit
Event Source: Security
Event Category: Privilege use
Event ID: 576
User: NT AUTHORITY\ANONYMOUS LOGON
Special privileges assigned to new login:
UserName: (blank)
Domain: (blank)
Logon ID: (0x0, 0xBC9E05D)
Assigned: SeChangeNotifyPrivilege
 
Upvote 0 Downvote
Thanks for the link, it will definitely come in handy going forward.

I am primarily concerned about the Anonymous part of the event. Other events that have the same number have user names or computer names associated with the event.

Thanks!
 
Upvote 0 Downvote
restrict anonymous and see if it gives you issues....HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA should be the location

Are you in mixed mode (NT4 members or BDCs)? If so, do NOT enable the restrict anonymous
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

MattM1975
  • Locked
  • Question
Domain Admin Logon 1
Replies
2
Views
135
ADB100
ADB100
andyferris
  • Locked
  • Question
DC Event logs auditing cannot be set by GPO
Replies
1
Views
108
RRankin355
RRankin355
blpcrs
  • Locked
  • Question
Disk Space warning in real time in Event Viewer?
Replies
0
Views
160
blpcrs
blpcrs
DrB0b
  • Locked
  • Question
RDWeb server getting hit with odd logon requests....
Replies
1
Views
141
DrB0b
DrB0b
Fireksf
  • Locked
  • Question
Avaya IPOCC not generate Report, Please any body if you a have any idea help me.
Replies
1
Views
108
MarkSweetland
MarkSweetland

Part and Inventory Search

Sponsor

Back
Top