Hi good people, Am getting this event on a server which is a domain member. how come the machines account shows to have logged in or what does this mean? Kindly advise Many Thanks Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 540 Date: 17/Apr/2012 Time: 10:09:53 User: MYDOMAIN\FKLNYAHURURU017$ Computer: HQSVR7 Description: Successful Network Logon: User Name: FKLNYAHURURU017$ Domain: MYDOMAIN Logon ID: (0x0,0xB84FB11) Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: Logon GUID: {febaa6d0-38bb-e556-b5fa-6d797e32db2c} Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: IP .IP .IP .IP (This where the Machine IP is displayed) Source Port: 0 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Meshax

Hi, It means Domain = MYDOMAIN Domain controller = DC1 File server = FS1 End-user computer = XP1 User = MYDOMAIN\FKLNYAHURURU017$ Shared folder on FS1 = Share Document in the shared folder = document.txt User Action 1: User logs on to his or her computer Events recorded on the domain controller Success Audit for Event ID 540, user Logon/Logoff for user MYDOMAIN\FKLNYAHURURU017$ at computer DC1 User Action 2: User connects to the shared folder called Share Events recorded on the end-user computer Not applicable Events recorded on the domain controller Events recorded on the file server Success Audit for Event ID 540, user Logon/Logoff for user MYDOMAIN\FKLNYAHURURU017$ at computer FS1 For details: http://technet.microsoft.com/en-us/library/cc766468(v=WS.10).aspx Explanation A logon session was created for the user. The message contains the Logon ID, a number that is generated when a user logs on to a computer. The Logon ID that is assigned to a logon session is unique to that logon session until the computer is restarted, at which point the Logon ID may be reused. The Logon ID can be used to correlate a logon message with other messages, such as object access messages. This message includes the user name and the domain information of the user account that was logged on, the name of the logon process that logged the user on, the type of authentication credentials that were presented, and a logon GUID (globally unique identifier). For logons that use Kerberos, the logon GUID can be used to associate a logon event on this computer with an account logon event on an authenticating computer, such as a domain controller. This message also includes a logon type code. The logon type code indicates the manner in which the user logged on. The following table explains the logon type value: For details: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033 Hope this helps! Best Regards Elytis ChengElytis Cheng TechNet Community Support