|
|
|
Forum Newbie
Group: Forum Members
Last Login: 6/24/2011 8:48:13 AM
Posts: 1,
Visits: 0
|
|
Can you provide any reason why I would see 540's on the local workstation and on the DC?
On the workstations I would expect to see \wkstn_name\userid and on the DC \domain\userid. I would also expect to see identical times on both if ntp is working properly; however there doesn't seem to be a 1 to 1 correlation.
In addition, why would you see 540's on the DC instead of the 672, 673, 674 if kerberos is being used for network authentication?
|
|
|
|
|
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326,
Visits: 0
|
|
| I don't usually say this but "You need to read my book", the security log isn't something where you can rely on your intuition. that being said: Can you provide any reason why I would see 540's on the local workstation and on the DC? - on workstations, i'd have to see some of the actual events - could be from incoming systems management servers - on DCs, you will always see lots of 540s primarily due to accessing group policy and anything ldap related
On the workstations I would expect to see \wkstn_name\userid and on the DC \domain\userid. I would also expect to see identical times on both if ntp is working properly; however there doesn't seem to be a 1 to 1 correlation.
In addition, why would you see 540's on the DC instead of the 672, 673, 674 if kerberos is being used for network authentication? - 540s are Logon events, 67x events are Authentication events. To different but related things in Windows security
|
|
|
|