Hi there technet. I got an issue with security on my customers SBS 2k3 r2 server. In the event logs i see several event id's 528 with logon type 10 on the administrator account.(that is not used by us or the company) I looked in to it and i can't get an explanation for it who logs in with the account. Event id 528 is a login id and the logon type 10 says it is either a rdp logon or a terminal service logon. The problem is that the source network adress should reveal the ip adress of the one who is login on to the server. thats the issue i'm facing cause the source network adress is specified as the ip adress of the server itself. My question. Can someone explain to me how this can be? Should i get worried and take meassures? He is the info of one of the logins. I will mask domain names for privacy issue's offcourse. Successful Logon: User Name: administrator Domain: XXXXX Logon ID: (0x0,0x85111F4) Logon Type: 10 Logon Process: User32 Authentication Package: Negotiate Workstation Name: SERVER Logon GUID: {b86054ef-ffe4-b5b7-fd7a-83144758c4d7} Caller User Name: SERVER$ Caller Domain: XXXXX Caller Logon ID: (0x0,0x3E7) Caller Process ID: 7492 Transited Services: - Source Network Address: 192.168.16.1 Source Port: 16643 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Kind regards, DiKkieDIK