machine name in 672 User field
Posted 5/20/2010 5:48:31 AM
Forum Newbie

Group: Forum Members
Last Login: 5/20/2010 8:56:27 AM
Posts: 3, Visits: 6
I saw 672 messages with the machine name in the User field, instead of the user's logon name. What does it mean? Is it usual?

User: NT AUTHORITY\PC1122$
Computer: DC
User Name: -
Supplied Realm Name: DOMAIN
User ID: DOMAIN\PC1122$
Service Name: krbtgt
Pre-Authentication Type: 2

Thanks for your explanation.
Post #383
Posted 5/25/2010 11:42:29 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Absolutely usual. Computers have to periodically access AD to check for group policy updates. They authenticate via Kerberos using their computer account, as shown in your example.
Post #385
Posted 11/3/2010 11:26:59 AM
Forum Member

Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12
Randy,

For the 672 EVIDs that have the machine name in them, can they be treated as noise and discarded?

Thx,
Jeff
Post #505
Posted 11/4/2010 5:40:54 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
That is reasonable. The only value I've come up with for 672's logged by computers is that it shows when they booted up on the network and/or that they've remained up on the network long enough to require a new authentication ticket (TGT).
Post #509
Posted 11/5/2010 5:04:15 PM
Forum Member

Group: Forum Members
Last Login: 2/24/2012 7:49:27 PM
Posts: 26, Visits: 12
Thx Randy - would it also be safe to exclude events in EVID 673 that have machine names as well?

Thx again,
Jeff
Post #519
Posted 11/9/2010 9:16:59 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
That have machine names in the "User Name:" field, yes
Post #529
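
The filtering rule agreed in this thread, as an added example that is not part of the original posts: drop 672/673 events whose requesting account is a computer account (name ending in `$`). The sample events are constructed, and the 673 field layout and all function names are assumptions.

```python
# Constructed sample events (not from the thread). The 672 layout follows the
# excerpt quoted in the first post; the 673 layout is an assumption.
SAMPLE_EVENTS = [
    {"id": 672, "text": "User Name: -\nSupplied Realm Name: DOMAIN\n"
                        "User ID: DOMAIN\\PC1122$\nService Name: krbtgt"},
    {"id": 672, "text": "User Name: jsmith\nSupplied Realm Name: DOMAIN\n"
                        "User ID: DOMAIN\\jsmith\nService Name: krbtgt"},
    {"id": 673, "text": "User Name: PC1122$@DOMAIN\nService Name: DC$"},
    {"id": 673, "text": "User Name: jsmith@DOMAIN\nService Name: PC1122$"},
    {"id": 528, "text": "User Name: PC1122$"},
]

def parse_fields(text):
    """Turn 'Key: value' description lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def account_of(fields):
    """Requesting account: 'User Name', falling back to 'User ID' when it is '-'."""
    name = fields.get("User Name", "-")
    if name in ("", "-"):
        name = fields.get("User ID", "")
    name = name.split("\\")[-1]   # drop a DOMAIN\ prefix
    return name.split("@")[0]     # drop an @REALM suffix

def is_computer_noise(event):
    """True only for 672/673 events requested by a computer account."""
    if event["id"] not in (672, 673):
        return False              # other event IDs are never filtered here
    # 'Service Name' is deliberately ignored: a user requesting a ticket
    # to a machine is still a user event.
    return account_of(parse_fields(event["text"])).endswith("$")

def filter_events(events):
    """Return the events that remain after discarding computer-account noise."""
    return [e for e in events if not is_computer_noise(e)]
```

The fourth sample event is kept because its machine name sits in "Service Name:", not "User Name:", which is the distinction made in the last reply.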