Account Logon Success Audit Makes No Sense
This is an event from the security Event Viewer:

Event Type: Success Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 5/28/2009
Time: 4:58:19 AM
User: mydomain\user1
Computer: Domain Controller
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: user1
Source Workstation: workstation1
Error Code: 0x0

The thing that puzzles me is "Source Workstation:workstation1". user1 should not have access to workstation1. At that time, I was logged on to workstation1 and the desktop was locked. I don't think user1 was actually anywhere near workstation1, either locally or by remote. Exactly what does "Source Workstation" mean?

Thanks!
August 17th, 2009 7:23am

Do you have welcome screen enabled on workstation1? Check this out: http://support.microsoft.com/kb/305822

Is there any scheduled task on workstation1 with user1 credentials?

Leonardo Fagundes
August 17th, 2009 11:42pm

On top of what Leonardo suggested, you may also want to look for services which are configured to run under the user1 context.

Regards,
Salvador Manaois III
MCITP | Enterprise & Server Administrator
MCSE MCSA MCTS(x5) CIWA C|EH
My Blog: Bytes and Badz
My Shots: View My PhotoStream
August 18th, 2009 12:08pm

> On top of what Leonardo suggested, you may also want to look for services which are configured to run under the user1 context.
> Regards, Salvador Manaois III

> Do you have welcome screen enabled on workstation1? Check this out: http://support.microsoft.com/kb/305822
> Is there any scheduled task on workstation1 with user1 credentials?
> Leonardo Fagundes

See above, workstation is in a domain. "To enable Fast User Switching, you must also enable the Use the Welcome screen option. This feature cannot be used if your computer is a member of a domain"

There are no services configured to run under the user1 context.

The event ID here is 680. Upon closer inspection, there are over 13,000 of these in a 6 or 7 day period. In >99% of them, the Source Workstation is workstation1 and for many different users. In some cases, userX will have 4 or 6 consecutive entries just seconds apart. In the other <1%, Source Workstation is a Terminal Server.

Thanks!
August 18th, 2009 8:50pm
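
An added example, not part of any post in this thread: a Python script that groups Event ID 680 records by Source Workstation and reports how many distinct accounts each source validated and which accounts repeat within seconds, the pattern described in the post above. The one-line record layout, the sample records and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (not real log data), one Event ID 680 per line, using the
# field names from the event quoted in the thread. The layout is an assumption.
SAMPLE = """\
Date:5/28/2009 Time:4:58:19 AM Event ID:680 Logon account:user1 Source Workstation:workstation1 Error Code:0x0
Date:5/28/2009 Time:4:58:21 AM Event ID:680 Logon account:user1 Source Workstation:workstation1 Error Code:0x0
Date:5/28/2009 Time:4:58:22 AM Event ID:680 Logon account:user1 Source Workstation:workstation1 Error Code:0x0
Date:5/28/2009 Time:4:58:25 AM Event ID:680 Logon account:user1 Source Workstation:workstation1 Error Code:0x0
Date:5/28/2009 Time:4:59:02 AM Event ID:680 Logon account:user2 Source Workstation:WORKSTATION1 Error Code:0x0
Date:5/28/2009 Time:5:01:40 AM Event ID:680 Logon account:user3 Source Workstation:workstation1 Error Code:0x0
Date:5/28/2009 Time:9:12:05 AM Event ID:680 Logon account:user4 Source Workstation:ts01 Error Code:0x0
"""

RECORD = re.compile(
    r"Date:(?P<date>\S+) Time:(?P<time>\S+ [AP]M) Event ID:680 "
    r"Logon account:(?P<account>\S+) Source Workstation:(?P<src>\S+) "
    r"Error Code:(?P<code>0x[0-9A-Fa-f]+)")

def parse(text):
    """Return sorted (timestamp, source, account, error_code) tuples."""
    events = []
    for m in RECORD.finditer(text):
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append((when, m["src"].lower(), m["account"].lower(), m["code"]))
    return sorted(events)

def summarise(events, burst_size=4, window=timedelta(seconds=10)):
    """Per source: event count, distinct accounts, accounts seen in rapid bursts."""
    per_src = defaultdict(lambda: {"events": 0, "accounts": set(), "bursts": set()})
    recent = defaultdict(list)  # (source, account) -> timestamps still inside window
    for when, src, account, _code in events:
        stats = per_src[src]
        stats["events"] += 1
        stats["accounts"].add(account)
        times = recent[(src, account)]
        times.append(when)
        while when - times[0] > window:
            times.pop(0)
        if len(times) >= burst_size:  # e.g. the "4 or 6 consecutive entries"
            stats["bursts"].add(account)
    return per_src

def sources_to_review(per_src, min_accounts=3):
    """Sources validating many distinct accounts or bursts (thresholds are assumptions)."""
    return sorted(s for s, st in per_src.items()
                  if len(st["accounts"]) >= min_accounts or st["bursts"])
```

Calling `sources_to_review(summarise(parse(text)))` on an export of the domain controller's Security log gives the short list of source machines worth inspecting first.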

It sounds like a process running at high privilege, impersonating user accounts... a typical malware behavior.

Use Network Monitor 3.3 to capture the outgoing traffic on computer1. Netmon 3.3 can reveal what process is generating what traffic.

Leonardo Fagundes
August 19th, 2009 10:34pm

Should netmon be running on the DC? I prefer not to run any unnecessary apps on the DC.

From http://support.microsoft.com/kb/812953

"If the monitor and target computers are on a switched network (for example, they are connected to an Ethernet switch), all the network traffic to and from the target computer may not be available to the monitor computer"

This is a switched network.
August 20th, 2009 7:54pm

This article KB812953 refers to an old old version of Network Monitor...

Network Monitor 3.3 simply rocks!

http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en

Enjoy!

Leonardo Fagundes
August 23rd, 2009 7:16am

> This article KB812953 refers to an old old version of Network Monitor... Network Monitor 3.3 simply rocks!
> http://www.microsoft.com/downloads/details.aspx?FamilyID=983b941d-06cb-4658-b7f6-3088333d062f&displaylang=en
> Enjoy! Leonardo Fagundes

Quite impressive. I never would have guessed ms would have that kind of software. Congrats.

Creativity cannot be taught, but it can be learned.
August 23rd, 2009 11:52pm

When I try and install the software I get errors relating to either the processor or the architecture. This is a recurring problem; even when I use the program compatibility wizard in win 2003 x64 it does not compute. I've dealt with this before and, quite frankly, I'm not inclined to go through a (probable) fruitless effort again. I've tried all three of the installations available. A pc does what you tell it to, so what am I doing wrong here?

Creativity cannot be taught, but it can be learned.
August 24th, 2009 12:00am

> It sounds like a process running at high privilege, impersonating user accounts... a typical malware behavior. Use Network Monitor 3.3 to capture the outgoing traffic on computer1. Netmon 3.3 can reveal what process is generating what traffic.

I did a malware scan on the PC and it came up empty.

> Should netmon be running on the DC? I prefer not to run any unnecessary apps on the DC. From http://support.microsoft.com/kb/812953 "If the monitor and target computers are on a switched network (for example, they are connected to an Ethernet switch), all the network traffic to and from the target computer may not be available to the monitor computer" This is a switched network.

As I said above, this is a switched network. I can't imagine that Microsoft would release network monitoring software that can only be successfully run on a network connected by dumb hubs. But, kb812953 says it may not be successful on a switched network. Huh??
August 24th, 2009 6:51pm

Dear whatsys,

On Switched LANs, packets are "switched" between the 2 hosts communicating. If you want to intercept the traffic flowing between 2 nodes on a switched LAN, you must install the packet sniffer in one of them.

This is all that article 812953 means...

Leonardo Fagundes
August 25th, 2009 2:31am

This is killin me. I went through adding windows components, it wanted the 2003 cd, then it wanted bhsupp.dll, found that on the cd. Then it wanted dfsext.dll from the cd, it can't find it. No wonder, there are 931 dll's on that cd but no dfsext.dll, WTF? So much for installing it on the server. I d/l it to the PC in question, configuring it is a Hollywood production. I have too many fires to put out to wrestle with it. Got an Idiots Guide to Configuring NetMon link? Grrrr....

Thanks!
August 25th, 2009 9:59am

Anyone??
August 30th, 2009 11:00am

http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/ab66bad3-e9b9-4b68-9ffd-1db0efb88ca2/

It's a lotta lettuce!

Creativity cannot be taught, but it can be learned.
September 25th, 2009 12:22am

This topic is archived. No further replies will be accepted.
