540's on local workstation & DC Expand / Collapse
Author
Message
Posted 6/24/2011 9:09:07 AM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 6/24/2011 8:48:13 AM
Posts: 1, Visits: 0
Can you provide any reason why I would see 540's on the local workstation and on the DC?

On the workstations I would expect to see \wkstn_name\userid and on the DC \domain\userid. I would also expect to see identical times on both if ntp is working properly; however there doesn't seem to be a 1 to 1 correlation.

In addition, why would you see 540's on the DC instead of the 672, 673, 674 if kerberos is being used for network authentication?
Post #746
Posted 7/8/2011 11:03:27 AM
Expert

ExpertExpertExpertExpertExpertExpertExpertExpert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
I don't usually say this but "You need to read my book", the security log isn't something where you can rely on your intuition. that being said:

Can you provide any reason why I would see 540's on the local workstation and on the DC?

- on workstations, i'd have to see some of the actual events - could be from incoming systems management servers

- on DCs, you will always see lots of 540s primarily due to accessing group policy and anything ldap related

On the workstations I would expect to see \wkstn_name\userid and on the DC \domain\userid. I would also expect to see identical times on both if ntp is working properly; however there doesn't seem to be a 1 to 1 correlation.

In addition, why would you see 540's on the DC instead of the 672, 673, 674 if kerberos is being used for network authentication?

- 540s are Logon events, 67x events are Authentication events.  To different but related things in Windows security

Post #756
« Prev Topic | Next Topic »


Permissions Expand / Collapse

All times are GMT -5:00, Time now is 7:17am