none
Mismatch between hostname and NT AUTHORITY\SYSTEM Account Name. RRS feed

  • Question

  • I have an old Windows 2008 Server with a hostname of MyServerA (exact name isn't important, but the key is the "A" on the end).  MyServerA is registered in DNS and resolves correctly, when I run the hostname command on it it returns MyServerA, if I look at the event logs generated on the server the computer = MyServerA.mydomain.com.

    However, when I look at the "Account Name" value when NT AUTHORITY\SYSTEM generates security events on the system, it lists "MYSERVER$" (Note the lack of the "A" on the end.  

    Sample event log to illustrate the point:

    instance of Win32_NTLogEvent
    {
    	Computer = "MyServera.mydomain.com";
    	EventCode = 4634;
    	EventIdentifier = 4634;
    	Logfile = "Security";
    	RecordNumber = 871372;
    	SourceName = "Microsoft-Windows-Security-Auditing";
    	TimeGenerated = "20190514142426.000000-000";
    	TimeWritten = "20190514142426.000000-000";
    	Type = "Audit Success";
    	EventType = 4;
    	Category = 12545;
    	CategoryString = "Logoff";
    	Message = "An account was logged off.
    
    Subject:
    	Security ID:		NT AUTHORITY\SYSTEM
    	Account Name:		MYSERVER$
    	Account Domain:		MYDOMAIN
    	Logon ID:		0x19b3c1aeb
    
    Logon Type:			3

    How is it possible for the account name in this log to have a different value(other than the $ on the end) from the servers hostname(see computer =)?

    Tuesday, May 14, 2019 3:15 PM

All replies

  • Hello,

    Thank you for posting in this forum.

    This is expected behavior. I checked it on my multiple machines and it showed the same as yours.

    And you can also refer to the following article for more information.

    Logon/Logoff Events

    "DC Security logs contain many Logon/Logoff events that are generated by computer accounts as opposed to user accounts. As with computer-generated account logon events, you can recognize these logon and logoff events because the Account Name field in the New Logon section will list a computer name followed by a dollar sign ($). You can ignore computer-generated Logon/Logoff events."

    Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Wednesday, May 15, 2019 2:30 AM
  • The $ isn't the issue.  Even if you eliminate the $, the hostnames are still different.
    Wednesday, May 15, 2019 5:03 AM
  • Hello,

    Where are you viewing the logs?

    In the Event Viewer->Windows Logs->Security->Event ID4634, does the displayed information match?

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, May 15, 2019 7:11 AM
  • Viewing them in the Windows event log viewer, and no it doesn't match.


    Wednesday, May 15, 2019 3:11 PM
  • Hello,

    Have you changed your computer name recently?

    Make sure you are not looking at the logs from a long time ago.

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 16, 2019 6:46 AM
  • Nope.  Logs are current.(the sample above was from 2 days ago, I just scrubbed out the real hostname/domain to avoid advertising where it's from.)  This servers been around for a few years, no hostname changes.

    Even if the hostname had changed, I would expect both to match.  What I'm trying to determine is where the alternate host name could possibly be configured as I'm assuming it's been like this since the server was built.

    Thursday, May 16, 2019 7:59 PM
  • Hi,

    Which machine is your domain controller? What is its hostname?

    Is there a computer named MyServer under Computers and Domain Controllers in Active Directory Users and Computers?

    Best Regards,

    Leon


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, May 23, 2019 8:10 AM
  • Yes, when searching AD it shows up as "MyServer".  

    "MyServerA" does not exist in the domain anywhere.

    Friday, May 24, 2019 7:53 PM
  • This is really weird.

    Can you upload a screenshot of the results of this machine's ipconfig/all?


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, May 28, 2019 9:26 AM