EventID 540 on Server 2003 Domain Controller is not reporting username, instead it reports computername
In an effort to fully integrate with a Web Filter Appliance, we need to be able to generate Event 540 in the security logs of our 2 Domain Controllers. Both are running Windows Server 2003 with SP2. In the Default Domain Controller Security Policy I have set both Audit account logon events and Audit logon events to Success, Failure. I can see the audit event in the DCs' security logs. Event 540 is reporting the computer name instead of the username. Please advise on this behavior: why is the computer name reported? What needs to be done in order to get the actual username?
May 20th, 2010 10:54am

Hi, If I understand correctly, the event is similar to the following:
    Event Type: Success Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 540
    Date: 5/21/2010
    Time: 9:45:00 AM
    User: CONTOSO\XP$
    Computer: DC
    Description: Successful Network Logon:
        User Name: XP$
        Domain: CONTOSO
        Logon ID: (0x0,0x68AE10)
        Logon Type: 3
        Logon Process: Kerberos
        Authentication Package: Kerberos
        Workstation Name:
        Logon GUID: {e0c2cfbe-4972-02ed-75d4-974ef45e717d}
        Caller User Name: -
        Caller Domain: -
        Caller Logon ID: -
        Caller Process ID: -
        Transited Services: -
        Source Network Address: 192.168.0.90
        Source Port: 1054
    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
The XP$ in the event is the computer name of an XP machine in my environment. It indicates that the logon session was created by the system account of the computer. If there is anything I have misunderstood, please post the event here for research. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
May 21st, 2010 4:51am

When a user logs in (not the SYSTEM account) from an XP machine (with SP2) on to a DC (Windows 2003 SP2), and if auditing is enabled, basically it should report the username that was being logged. Instead, it gives the computername followed by a $ sign. Because of this behavior the Web filter application is not able to work properly, as it is looking for the username in the security log (event 540) of the authenticating domain controller, which is missing. Please respond. But for sure the user is logging on to the domain explicitly (not to the local machine), still there is no reporting of the username. Is there any specific Microsoft critical patch that needs to be applied on the Domain controllers and/or client machines? Note: Need your email address to send snapshots of what I am talking about. You would be able to quickly get to the root of the issue.
May 22nd, 2010 3:36pm

Hi, Thanks for your reply. You can upload the information to the following space: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=15a34898-4efe-46f7-8121-42ff3b4fbfeb Password: -Dd)#pNlrM In addition to the snapshots, please reproduce the issue and upload the security event log to the space. Note: Please also let me know the user account name and exact time when you performed the steps. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
May 24th, 2010 4:30am

I have uploaded the snap shots and event log file for your preview.
May 24th, 2010 7:22am

Hi, I've checked the information you uploaded. From the security events, I found that there are some 540 events reporting username and some reporting computername$. In order to better understand the issue, I want to confirm when the issue occurs. Is it when you log on to a client domain workstation with a domain account? Or is it when you access a resource on the DC from the client domain workstation after you have logged on? When we log on to a client domain workstation, we will see a 540 event in which the User Name is computername$ in the security event log on the DC. It is normal because the DC will authenticate the computer during the user authentication. It means that we will see multiple 540 events during user logon: some for the computer and some for the user. As a result, please help confirm the following:
1. Please log on to the client domain workstation with a domain account and check the security events on the DC. Is there any 540 event in which the User Name is the domain user?
2. After you log on to the workstation, please access a shared folder on the DC. Do you see a 540 event in which the User Name is the domain user?
This posting is provided "AS IS" with no warranties, and confers no rights.
May 25th, 2010 6:37am
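
Added example (not part of the original thread, and not the web filter's own code): a parser for the flattened Event 540 description quoted earlier that separates computer-account logons (names ending in $) from user logons and maps each user to a source address. The first sample event reuses the values quoted in the thread; the user name jsmith in the second is constructed.

```python
import re

# Labels of the Event 540 description as quoted in the thread. A longer label
# such as "Caller User Name" starts earlier in the text than the "User Name"
# inside it, so the leftmost regex match always selects the right label.
LABELS = ["User Name", "Domain", "Logon ID", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name", "Logon GUID",
          "Caller User Name", "Caller Domain", "Caller Logon ID",
          "Caller Process ID", "Transited Services",
          "Source Network Address", "Source Port"]
LABEL_RE = re.compile("(" + "|".join(map(re.escape, LABELS)) + "):")

def parse_540(description):
    """Split a flattened Event 540 description into a {label: value} dict."""
    description = description.split("For more information")[0]  # drop trailer
    hits = list(LABEL_RE.finditer(description))
    fields = {}
    for cur, nxt in zip(hits, hits[1:] + [None]):
        end = nxt.start() if nxt else len(description)
        fields[cur.group(1)] = description[cur.end():end].strip()
    return fields

def user_logons(descriptions):
    """Return (DOMAIN\\user, source IP) pairs, skipping computer accounts."""
    found = []
    for text in descriptions:
        f = parse_540(text)
        name = f.get("User Name", "")
        if name and not name.endswith("$"):   # trailing $ marks a machine account
            found.append((f["Domain"] + "\\" + name,
                          f["Source Network Address"]))
    return found

# Sample events: field values from the thread; "jsmith" is constructed.
TEMPLATE = ("Successful Network Logon: User Name: {user} Domain: CONTOSO "
            "Logon ID: (0x0,0x68AE10) Logon Type: 3 Logon Process: Kerberos "
            "Authentication Package: Kerberos Workstation Name: "
            "Logon GUID: {{e0c2cfbe-4972-02ed-75d4-974ef45e717d}} "
            "Caller User Name: - Caller Domain: - Caller Logon ID: - "
            "Caller Process ID: - Transited Services: - "
            "Source Network Address: 192.168.0.90 Source Port: 1054 "
            "For more information, see Help and Support Center")
SAMPLE = [TEMPLATE.format(user="XP$"), TEMPLATE.format(user="jsmith")]

if __name__ == "__main__":
    for account, address in user_logons(SAMPLE):
        print(account, address)
```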

I have cleared all the security logs on the authenticating DC, just to keep it simple and easy to troubleshoot. I have my DC and XP workstation; when I log in to the DC with a proper domain account, I see multiple entries of Event 540 in the Security log of the DC, which just report computername$ against/instead of username. I have made it a simple login from a single machine, and I am not able to get the user account in the audit event, not even one entry.
May 25th, 2010 7:33am

Hi, Thanks for your response. Have you tried accessing a shared folder on the DC after you logged on to the workstation? Do you see a 540 event in which the User Name is the domain user? If there is still no audit event for the user, please help collect the information by performing the following steps:
1. Please enable Audit account logon events and Audit logon events for all the Domain Controllers and the client workstation.
2. After the policy takes effect, please log on to the client workstation with a domain user account again to reproduce the issue.
3. After you have logged on to the computer, please help collect MPSReport on the Domain Controllers and the client workstation:
   1) Download the executable file from the following URL: http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE
   2) Run the file on all the computers.
   3) After the tool finishes gathering the information, copy the cab file from the following folder: C:\WINDOWS\MPSReports\DirSvc\cab
   4) Please upload the cab files to the following space: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=15a34898-4efe-46f7-8121-42ff3b4fbfeb Password: -Dd)#pNlrM
In addition, the following blog has some description of the events generated when a domain user logs on from a workstation. Hope it is helpful for your work: Deciphering Account Logon Events http://blogs.msdn.com/b/ericfitz/archive/2005/08/04/447934.aspx
This posting is provided "AS IS" with no warranties, and confers no rights.
May 28th, 2010 4:21am

Hi, How's everything going? I've not heard back from you in a few days and wanted to check the current status of the issue. If there is anything unclear, please do not hesitate to respond back. Thanks. This posting is provided "AS IS" with no warranties, and confers no rights.
June 1st, 2010 4:16am

This topic is archived. No further replies will be accepted.
