Inexplicable time of Security Events

[shandyw]

Hello All
Recently two strange events were recorded in our NT4 security Logs. Events 538 Logon/Logoff and then 528 Logon/Logoff for one of our users - at just after midnight, with 15 mins between them. No other evidence supports her being in at this time i.e. there was no Exchange, Intranet or Internet access and the building alarm wasn't turned off. Has anyone any ideas to account for this?

Thanks

 

[Highland]

Did she have an active drive mapping/share to a server which was re-booted at that time...???....or an autosave to somewhere....????....or a scheduled backup job...???

Here's a link to eventid which gives some more info on the user authentication process in some Q articles, they might show you how to get more info from the eventid that you saw....???

Hope this helps.......

 

[shandyw]

Thank you for those ideas, I will look at her task scheduler next week, although if there are any tasks they are certainly inadvertent.

Where is the link?

Thanks