Excessive 4624 and 4634 events


Windows Server 2012 AD DC, users on Windows 7 SP1 x64 are logging in (~800 or so users). A small percentage of them are generating 300-400 logon events in the Security log - *per second*. 

Most other users are not generating excessive logon events... this is filling our security log quite fast. 

P.S. I suspect this happened after Logon and Logoff event auditing has been configured in the Advanced Audit Policy Configuration (Success and Failure). Still - most users do not generate that many logon events when logging in. 

Some incompetent moderator is marking all similar questions as answered even though they are NOT. So I am reposting - yet again - and let's hope this time the mods will hold their horses until the reason and a solution is actually found. 

February 13th, 2014 8:09am

Hi,

Did you audit logon events?

http://technet.microsoft.com/en-us/library/cc976395.aspx

4624 An account was successfully logged on.

4634 An account was logged off.

Regards.

February 14th, 2014 8:18am

Yes, that is why we *have* to have these events. 

But 300 events by a single user per second is not normal! 1 event per login is normal - not 300 and definitely not 400 per login per user. 

February 14th, 2014 1:23pm

Hi,

Thanks for your response.

The event 4624 identifies the account that requested the logon - NOT the user who just logged on.  Subject is usually Null or one of the Service principals and not usually useful information.

http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4624

Regards.

February 18th, 2014 6:11am

Hi,

I just want to confirm what the current situation is.

Please feel free to let us know if you need further assistance.

Regards.

February 21st, 2014 8:24am

We are getting hundreds of event IDs per user per second! How did you even consider that your answer above solves the problem?

No, the situation is as before. Mods are marking all similar questions with 'answers' as solutions - and there are dozens of people like me on this forum with the same problem. 

Will someone from Microsoft please wake up and step up to the problem?

http://social.technet.microsoft.com/Forums/en-US/8d0d0bac-e93c-45bc-9063-3470faf7dfe9/event-id-4624-logon-type-3-being-overwhelmed?forum=winserversecurity

http://social.technet.microsoft.com/Forums/windowsserver/en-US/70d868a4-9a66-4fbc-8a0b-bb959ea0493c/audit-log-fills-with-event-ids-4624-logon-and-4634-logoff-and-i-cant-turn-off-audit-system?forum=winserversecurity

http://social.technet.microsoft.com/Forums/windowsserver/en-US/2f612f2a-466c-4be4-a4f8-2d3a03c476f9/question-regarding-event-4634-and-4624?forum=winserversecurity

http://social.technet.microsoft.com/Forums/fr-FR/c6fe2909-3045-4fd1-ad3e-1d16baf540ae/recurring-security-log-errors-4624-4672-4634?forum=winserversecurity

http://social.technet.microsoft.com/Forums/ru-RU/13f8317f-8999-4b0c-a2b9-e27c90bb4541/security-log-flooded-with-4624-4634-how-can-i-find-the-source-of-these-type-3-logons?forum=winserversecurity

http://social.technet.microsoft.com/Forums/exchange/en-US/418b639c-2270-414e-8149-41ba260ea6ab/windows-7-event-viewer-events-mysterious-na-logins-4624-4672-4634

http://social.technet.microsoft.com/Forums/en-US/a9370291-0520-484d-a6c3-9a23cdf94023/excessive-4624-and-4634-events?forum=winserverDS

http://social.technet.microsoft.com/Forums/windowsserver/en-US/be9ed31f-fe8b-4b1c-a763-592243fe4c9e/excessive-4624-and-4634-events?forum=winserverDS

http://social.technet.microsoft.com/Forums/fr-FR/c6fe2909-3045-4fd1-ad3e-1d16baf540ae/recurring-security-log-errors-4624-4672-4634?forum=winserversecurity

Does this paint a better picture? Do you see why I am aggravated by you marking your own irrelevant answer as THE SOLUTION?

Can someone please involve Microsoft support in this? 

Let me repeat. 1 (ONE) user logs on - and 300-400 4624 events appear in the security log PER SECOND for that username. 

As a result, a 128 MB security log file fills in 1-2 hours. 






February 26th, 2014 11:48am

Hi,

Sorry for the delayed reply.

Hope this helps:

http://www.ultimatewindowssecurity.com/securitylog/resourcekits/book2008/chapter2.aspx

Regards.

March 10th, 2014 8:04am

No, it doesn't. It does NOT say why there are 400 events PER SECOND, PER USER, when a single user tries to log in or log off. 

Multiply that by 900 users, and you will quickly realize this is a serious problem. I have given you multiple cases of multiple people having the same problem and none of them has yet been helped or solved. 

I, too, can google to see what an event means. 

But I can't understand WHY there are 300-400 logon events in the Domain Controller per user per second. 
March 12th, 2014 8:42am

Update: 

It turns out it's not just when logging on - the events are being generated for the whole time the user is logged on, sort of some kind of session keep alive? But still, it makes no sense. 

March 25th, 2014 2:14pm

Hi,

Since this issue is occurring for a lot of users judging by the open threads, I am surprised nobody opened a case with Microsoft.

Anyway, the behavior is interesting. So only a part of the users are experiencing this? What do those users have in common from others? Different site? Also note that only Windows 7 clients can process Advanced Group policy auditing so if this condition is met it might point to your suspicion.

How many domain controllers? What is the domain functional level?

March 25th, 2014 2:54pm
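
One way to see what the noisy accounts have in common, as an added example that is not part of the original thread: a PowerShell function that groups 4624 events by target account, logon type, source address and authentication package, and reports an event rate for each group. The function name and the sample events are constructed for illustration; the field names are the standard 4624 EventData fields.

```powershell
# Added example, not from the thread. Get-LogonFloodSummary is a hypothetical name;
# TargetUserName, LogonType, IpAddress, AuthenticationPackageName are 4624 fields.
function Get-LogonFloodSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,  # one <Event> XML string per event
        [int] $Top = 10
    )
    $rows = foreach ($x in $EventXml) {
        $evt = ([xml]$x).Event
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        # Second resolution is enough for a rate, so drop the fractional part.
        $stamp = $evt.System.TimeCreated.GetAttribute('SystemTime').Substring(0, 19)
        [pscustomobject]@{
            Time      = [datetime]::ParseExact($stamp, 'yyyy-MM-ddTHH:mm:ss',
                            [cultureinfo]::InvariantCulture)
            User      = $d['TargetUserName']
            LogonType = $d['LogonType']
            SourceIp  = $d['IpAddress']
            AuthPkg   = $d['AuthenticationPackageName']
        }
    }
    # One group per (account, logon type, source, package); busiest groups first.
    $rows | Group-Object User, LogonType, SourceIp, AuthPkg |
        Sort-Object Count -Descending | Select-Object -First $Top |
        ForEach-Object {
            $times = @($_.Group.Time | Sort-Object)
            $secs  = [math]::Max(1, ($times[-1] - $times[0]).TotalSeconds)
            [pscustomobject]@{
                Source    = $_.Name
                Events    = $_.Count
                PerSecond = [math]::Round($_.Count / $secs, 1)
            }
        }
}

# Constructed sample events (addresses from the 192.0.2.0/24 documentation range).
# On a DC, feed real events instead:
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624;
#              StartTime=(Get-Date).AddMinutes(-5)} | ForEach-Object { $_.ToXml() }
$tpl = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4624</EventID><TimeCreated SystemTime="{0}"/></System><EventData><Data Name="TargetUserName">{1}</Data><Data Name="LogonType">3</Data><Data Name="IpAddress">{2}</Data><Data Name="AuthenticationPackageName">Kerberos</Data></EventData></Event>'
$sample  = 0..39 | ForEach-Object { $tpl -f ('2014-02-26T11:48:0{0}.0000000Z' -f ($_ % 2)), 'jdoe', '192.0.2.10' }
$sample += $tpl -f '2014-02-26T11:48:01.0000000Z', 'asmith', '192.0.2.22'
Get-LogonFloodSummary -EventXml $sample | Format-Table -AutoSize
```

The source address narrows the flood to specific workstations; finding the program responsible on such a workstation is a separate step carried out on the client.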

That's the weird part. 

XP/7 users have the same issue. Different sites, domain functional level is 2008. 10 domain controllers. We do have a case opened up with Microsoft, but it is still in the 'first level support' phase. 


March 26th, 2014 7:28am

Did you ever get an answer on this?

We are at 30,000 events per hour of 4624/4634 events for 800 users. My security log size is 5 GB and I am still only getting 24 hours of event log. I have double-checked my domain controllers policy - all categories of "advanced audit policy configuration" are not enabled.


  • Edited by Mark522010 Monday, December 15, 2014 10:23 PM spelling
December 15th, 2014 10:18pm

> log. I have double-checked my domain controllers policy - all
> categories of "advanced audit policy configuration" are not enabled

http://blogs.technet.com/b/askds/archive/2011/03/11/getting-the-effective-audit-policy-in-windows-7-and-2008-r2.aspx

December 16th, 2014 7:37am

In our case, Outlook ended up being the culprit.  I still don't know why it's authenticating so often, but we tracked it down to the individual program.  
May 13th, 2015 1:37pm

Hi,

Please post a new thread to describe your issue. 

Thanks for your understanding.

Regards.

May 13th, 2015 10:07pm

This topic is archived. No further replies will be accepted.
