On several Windows XP SP3 clients we found event ID 628 together with event ID 642. The caller's username in both event log entries is computername$ (NTAUTHORITY\System).
We assume that some unauthorized users gained local admin rights on their machines and that those entries have something to do with it. What does it mean if the caller of an ID 628 is NTAuthority\System?
Kind regards,
Dago