2003 SP2 DC filling up with event id 538 540 and 576
I am also having this problem referred to in http://social.technet.microsoft.com/Forums/en/winserversecurity/thread/77150db7-c5d3-472a-b331-e9e71adf519e. 380mb in the Security Log in a single day, the vast majority of which are 538/540 and some 576 success events. Most of the events are from the DC's computer account talking to itself. Audit Privilege Use is set to failure only. Looked at the hotfix and it says it only applies to Server 2003 SP1. I am running SP2. Any ideas?
February 21st, 2011 9:08am

What's inside those events? Sorry, I don't remember all the Event IDs.
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
February 21st, 2011 11:45am

Hi,
Please run rsop.msc or gpresult /v on the DC to verify what audit policies have actually been applied.
Here are some threads which might be helpful for you:
http://social.technet.microsoft.com/Forums/en-US/smallbusinessserver/thread/0781113e-555f-472c-a6cf-e1847ce82ed5/
http://social.msdn.microsoft.com/Forums/en-US/sqlsecurity/thread/8067455e-0814-4506-82f0-6023189412ea
If you need further assistance, please provide more information about the event log you received.
Hope this helps.
Regards, Bruce
February 22nd, 2011 4:14am

W2k3 Standard Edition, two DCs, single domain. The main DC holding all FSMO roles has a continuous stream of event log entries. The other DC has some of the events in the Security logs but only at certain periods of the day and time.

Audit policies (all of which are required) are:
Audit Account Logon Events: Success, Failure
Audit Account Management: Success, Failure
Audit Directory Service access: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy Change: Success, Failure
Audit privilege Use: Failure
Audit process tracking: No auditing
Audit system events: Success, Failure

Event log entries look like that referenced in http://www.petri.co.il/forums/showthread.php?t=33493

I have a w2k3 Standard edition single-domain network with 2 DCs.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 576
Date: (every day)
Time: (1 a second)
User: NT AUTHORITY\SYSTEM
Computer: (MY DC SERVER NAME WITH ALL FSMO ROLES,DNS,DHCP, GC)
Description: Special privileges assigned to new logon:
  User Name: MY DC SERVERNAME$
  Domain: domain
  Logon ID: (0x0,0x52037FD2)
  Privileges: SeTcbPrivilege ... ...
Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 540
Date: EVERY DAY
Time: 1 a second
User: NT AUTHORITY\SYSTEM
Computer: DC SERVER NAME
Description: Successful Network Logon:
  User Name: MY DC SERVER NAME$
  Domain: DOMAIN
  Logon ID: (0x0,0x52031E3E)
  Logon Type: 3
  Logon Process: Kerberos
  Authentication Package: Kerberos
  Workstation Name:
  Logon GUID: {8b64e4ef-3a8f-ed26-d90d-3b7ddf076275}
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: IP of Server
  Source Port: 1816
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 538
Date: everyday
Time: 1 a second
User: NT AUTHORITY\SYSTEM
Computer: dc server name
Description: User Logoff:
  User Name: MY DC sERVERNAME$
  Domain: domain
  Logon ID: (0x0,0x52031E3E)
  Logon Type: 3
February 22nd, 2011 5:14am
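Added example, not part of any post in this thread: a small Python triage script for a text export of 538/540/576 events like the ones pasted above. It counts 540 logons per account, source address and logon type, and uses the Logon ID to pair each 540 with its 538 logoff and 576 privilege event. It assumes one field per line as Event Viewer copies them; the host name, address, logon IDs and function names are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample in the classic Event Viewer text layout, one field per line.
SAMPLE = """\
Event Type: Success Audit
Event ID: 576
Logon ID: (0x0,0x1A2B3C)
Event Type: Success Audit
Event ID: 540
User Name: DC01$
Logon ID: (0x0,0x1A2B3C)
Logon Type: 3
Caller User Name: -
Source Network Address: 192.0.2.10
Event Type: Success Audit
Event ID: 538
Logon ID: (0x0,0x1A2B3C)
Event Type: Success Audit
Event ID: 540
User Name: DC01$
Logon ID: (0x0,0x1A2B4D)
Logon Type: 3
Source Network Address: 192.0.2.10
"""
FIELD = re.compile(r"^[ \t]*(Event ID|User Name|Logon ID|Logon Type"
                   r"|Source Network Address):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """One dict per event; labels are anchored so 'Caller User Name' is ignored."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for key, value in FIELD.findall(chunk):
            fields.setdefault(key, value)
        if "Event ID" in fields:
            events.append(fields)
    return events

def summarize(events):
    """Count 540 logons per (account, source, type); pair with 538/576 by Logon ID."""
    ids = lambda eid: {e.get("Logon ID", "?") for e in events if e["Event ID"] == eid}
    logons = [e for e in events if e["Event ID"] == "540"]
    return {
        "by_id": Counter(e["Event ID"] for e in events),
        "talkers": Counter((e.get("User Name"), e.get("Source Network Address"),
                            e.get("Logon Type")) for e in logons),
        "open": sorted(ids("540") - ids("538")),        # logons with no logoff seen
        "privileged": sorted(ids("540") & ids("576")),  # logons that also got a 576
    }
```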

Any exchange / sql / etc installed?
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
February 22nd, 2011 11:48am

> Any exchange / sql / etc installed?

Backup Exec is installed which uses the SQL Server Express. No Exchange.
February 22nd, 2011 12:25pm

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers or IIS. It seems you enabled too many audit options. Enable the failure option only for a test.
February 28th, 2011 5:46am

I am required to audit the events. And this issue is only occurring on one server.
February 28th, 2011 6:10am

Hi Guys, I had the same problem and I cleared all the open sessions, which were causing the problem, until they did not reappear. The problem got resolved.
Shashi
May 20th, 2011 10:47am
