Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Event ID: 538 on security audit

Status
Not open for further replies.
jfrasier

jfrasier

Technical User
Apr 5, 2000
33
US
I get the following entry in the event viewer of a server on our WAN. It is not a DC. Why would a computer be logging on to this server? We are getting thousands of these entries in various servers throughout the system.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: 1/11/2005
Time: 4:31:47 PM
User: ADMIN\ADBUSXX$
Computer: xxSRVNT
Description:
User Logoff:
User Name: ADBUSXX$
Domain: ADMIN
Logon ID: (0x0,0x1361262)
Logon Type: 3

Thanks.
 
Sort by date Sort by votes
What exactly is the server? Is it a file server? Is it a web server?
 
Upvote 0 Downvote
I looked at this article but still don't understand why a computer (not a user, but a COMPUTER) would be logging onto a fileserver in another building.
 
Upvote 0 Downvote
This could be nothing more than a CAL verification. It could also be a timeout (the user logs off, but a connection to the server remains until the keep-alive time has surpassed).
 
Upvote 0 Downvote
I wouldn't think that this file server would be the one that CAL verification would be on and this log shows a computername, but not an associated user using that computer. It is computers in a totally different building.
 
Upvote 0 Downvote
Do any of the computers/users connect to the file server? If not, I would start looking at setting up some more access permissions on your file server.

A CAL will be verified any time that a computer tries to connect to another computer. One of those interesting little tidbits Microsoft puts out there.

 
Upvote 0 Downvote
Yes, some users have access to that file server and map drives to their user folders. However, the log shows that it is not PEOPLE logging on to that server, but computers and computers that are physically located miles away. I still don't know why a computer in one location would be logging on to a file server in another location, especially when the user of that computer is not logging on to the file server.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

andyferris
  • Locked
  • Question
DC Event logs auditing cannot be set by GPO
Replies
1
Views
174
RRankin355
RRankin355
DrB0b
  • Locked
  • Question
Hybrid on prem AD with Azure AD
Replies
2
Views
212
DrB0b
DrB0b
James281
  • Locked
  • Question
Enrolment agent (enrol on behalf of) stopped working
Replies
1
Views
153
mikehook
mikehook
lacked
  • Locked
  • Question
problem with windows update on windows server 2016
Replies
1
Views
146
maybeimaleo
maybeimaleo
edgar28
  • Locked
  • Question
Question on Network cards - Windows Server 2019
Replies
1
Views
133
DrB0b
DrB0b

Part and Inventory Search

Sponsor

Back
Top