2003 SP2 DC filling up with event id 538 540 and 576

All replies

  • What's inside those events? Sorry, I don't remember all the Event IDs.
    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
    Monday, February 21, 2011 4:42 PM
  • Hi,

    Please run rsop.msc or gpresult /v on the DC to verify what audit policies have actually been applied.

    Here are some threads which might be helpful for you:

    http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/0781113e-555f-472c-a6cf-e1847ce82ed5/

    http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/8067455e-0814-4506-82f0-6023189412ea

    If you need further assistance, please provide more information about the event log you received.

    Hope this helps.

    Regards,

    Bruce


    Tuesday, February 22, 2011 9:11 AM
  • W2k3 Standard Edition, two DCs, single domain. The main DC holding all FSMO roles has a continuous stream of event log entries. The other DC has some of the events in the Security logs but only at certain periods of the day and time.

    Audit policies (all of which are required) are:

    • Audit Account Logon Events: Success, Failure
    • Audit Account Management: Success, Failure
    • Audit Directory Service access: Failure
    • Audit logon events: Success, Failure
    • Audit object access: Failure
    • Audit policy Change: Success, Failure
    • Audit privilege Use: Failure
    • Audit process tracking: No auditing
    • Audit system events: Success, Failure

    Event log entries look like that referenced in http://www.petri.co.il/forums/showthread.php?t=33493

    • I have a w2k3 Standard edition single-domain network with 2 DCs.

      Event Type: Success Audit
      Event Source: Security
      Event Category: Logon/Logoff
      Event ID: 576
      Date: (every day)
      Time: (1 a second)
      User: NT AUTHORITY\SYSTEM
      Computer: (MY DC SERVER NAME WITH ALL FSMO ROLES,DNS,DHCP, GC)
      Description:
      Special privileges assigned to new logon:
      User Name: MY DC SERVERNAME$
      Domain: domain
      Logon ID: (0x0,0x52037FD2)
      Privileges: SeTcbPrivilege
      ...
      ...
      Center at http://go.microsoft.com/fwlink/events.asp.

      Event Type: Success Audit
      Event Source: Security
      Event Category: Logon/Logoff
      Event ID: 540
      Date: EVERY DAY
      Time: 1 a second
      User: NT AUTHORITY\SYSTEM
      Computer: DC SERVER NAME
      Description:
      Successful Network Logon:
      User Name: MY DC SERVER NAME$
      Domain: DOMAIN
      Logon ID: (0x0,0x52031E3E)
      Logon Type: 3
      Logon Process: Kerberos
      Authentication Package: Kerberos
      Workstation Name:
      Logon GUID: {8b64e4ef-3a8f-ed26-d90d-3b7ddf076275}
      Caller User Name: -
      Caller Domain: -
      Caller Logon ID: -
      Caller Process ID: -
      Transited Services: -
      Source Network Address: IP of Server
      Source Port: 1816

      For more information, see Help and Support Center at
      http://go.microsoft.com/fwlink/events.asp.

      Event Type: Success Audit
      Event Source: Security
      Event Category: Logon/Logoff
      Event ID: 538
      Date: everyday
      Time: 1 a second
      User: NT AUTHORITY\SYSTEM
      Computer: dc server name
      Description:
      User Logoff:
      User Name: MY DC sERVERNAME$
      Domain: domain
      Logon ID: (0x0,0x52031E3E)
      Logon Type: 3
    Tuesday, February 22, 2011 10:12 AM
  • Any exchange / sql / etc installed?
    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
    Tuesday, February 22, 2011 4:44 PM
  • Any exchange / sql / etc installed?
    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA


    Backup Exec is installed which uses the SQL Server Express.

    No Exchange

    Tuesday, February 22, 2011 5:21 PM
  • Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers or IIS. It seems you enabled too many audit options. Enable the failure option only for a test.

    Monday, February 28, 2011 10:42 AM
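
Added example (not part of any poster's reply): one way to find which account and source address generate the logon type 3 stream discussed above, by counting 540 logons per account and source and pairing them with 538 logoffs on Logon ID. It assumes a plain-text export in the field layout quoted in the thread; the sample records, `DC01$`, `jsmith` and the 192.0.2.x addresses are constructed and trimmed to the fields used.

```python
import re
from collections import Counter
# Constructed sample in the layout of the events quoted in the thread (all values made up).
SAMPLE = """\
Event Type: Success Audit
Event ID: 540
User Name: DC01$
Logon ID: (0x0,0x5203A001)
Logon Type: 3
Source Network Address: 192.0.2.10
Event Type: Success Audit
Event ID: 538
Logon ID: (0x0,0x5203A001)
Event Type: Success Audit
Event ID: 540
User Name: DC01$
Logon ID: (0x0,0x5203A0F0)
Logon Type: 3
Source Network Address: 192.0.2.10
Event Type: Success Audit
Event ID: 540
User Name: jsmith
Logon ID: (0x0,0x5203B222)
Logon Type: 3
Source Network Address: 192.0.2.55
"""

def parse_events(text):
    """Yield one {field: value} dict per record; a record starts at 'Event Type:'."""
    for chunk in re.split(r"(?m)^(?=[ \t]*Event Type:)", text):
        pairs = (ln.partition(":") for ln in chunk.splitlines() if ":" in ln)
        rec = {k.strip(): v.strip() for k, _, v in pairs}
        if "Event ID" in rec:
            yield rec

def summarize(text):
    """Count type 3 logons per (account, source); track logons with no logoff yet."""
    per_source, open_ids = Counter(), {}
    for rec in parse_events(text):
        if rec["Event ID"] == "540" and rec.get("Logon Type") == "3":
            key = (rec.get("User Name"), rec.get("Source Network Address"))
            per_source[key] += 1
            open_ids[rec.get("Logon ID")] = key
        elif rec["Event ID"] == "538":
            open_ids.pop(rec.get("Logon ID"), None)  # logoff closes its logon
    return per_source, open_ids

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The first value returned ranks the (account, source address) pairs by logon count; the second maps each Logon ID that has no matching 538 to its account and source.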
  • I am required to audit the events.

    And this issue is only occurring on one server.

    Monday, February 28, 2011 11:06 AM
  • Hi Guys,

    I had the same problem and I cleared all the open sessions in Shares, which were causing the problem, until they did not reappear.

    The problem got resolved.

    Shashi
    • Proposed as answer by Shashi.Surve Friday, June 17, 2011 10:40 AM
    • Edited by Shashi.Surve Friday, October 28, 2011 8:24 AM
    Friday, May 20, 2011 2:44 PM
  • Any exchange / sql / etc installed?
    MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA

    Hello

    I have the same problem. I have Exchange on this machine. Is there a link?

    Regards,
    DT

    Thursday, November 21, 2013 4:13 PM