|
|
|
Forum Newbie
Group: Forum Members
Last Login: 9/20/2011 2:39:11 PM
Posts: 4,
Visits: 0
|
|
Hello
When a user logs onto a workstation for the first time in the morning, I always see 1 TGT event on the DC (event ID 4768) followed by 3 service ticket events (event ID 4769): 1 for workstation$, DC$ and krbtgt. I noticed that all 3 service tickets list the same logon GUID. Is this how it is supposed to be?
I watched Randy's webinar (Understanding Authentication Events in the Windows 2003 and 2008 Security Logs) and in his example of an initial logon, the logon GUID was different for each service ticket.
Thanks for your advice on this.
stefan
|
|
|
|
|
Expert
Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 326,
Visits: 0
|
|
| i have never nailed down any consistent correlation for logon GUID - if you think you have please try to repeat and let me know
|
|
|
|