Event ID 538 & 540 when user did not log on

Jenny

Distinguished
Apr 18, 2002
92
0
18,630
Archived from groups: microsoft.public.win2000.security

I can see in the Event Log several instances of Event ID 538 & 540 for users
that I know did not log on to a particular machine.

User Name: Username
Domain: Domain
Logon ID: (0x0,0x442D8F)
Logon Type: 3

The events happen within minutes of each other. At first I thought it was a
co-worker remotely connecting to a machine I was working on, since it would
appear on any machine that I remotely connected to, but I don't believe that is
the situation.
One thing that may be noteworthy is we use Tight VNC within Ideal and Real
VNC to remotely connect to users' workstations.
Any help/suggestions/enlightenment would be greatly appreciated.

Thank you
 
Guest

How do you know that they did not access the computer? If the computer with
these events in the security log has shares, maybe they were accessing files
via My Network Places. A connection via a remote management program would
certainly generate logon events also. --- Steve


"Jenny" <cevin07@yahoo.com> wrote in message
news:ED8CC000-BBAD-4A70-B9F0-26F0E0B0EACA@microsoft.com...
> I can see in the Event Log several instances of Event ID 538 & 540 for users
> that I know did not log on to a particular machine.
>
> User Name: Username
> Domain: Domain
> Logon ID: (0x0,0x442D8F)
> Logon Type: 3
>
> The events happen within minutes of each other. At first I thought it was a
> co-worker remotely connecting to a machine I was working on, since it would
> appear on any machine that I remotely connected to, but I don't believe that
> is the situation.
> One thing that may be noteworthy is we use Tight VNC within Ideal and Real
> VNC to remotely connect to users' workstations.
> Any help/suggestions/enlightenment would be greatly appreciated.
>
> Thank you
 

Jenny


There are no shares on the workstations that they would be connecting
to (these are users' workstations that do not house shares). I asked my
co-worker if they were connected and they said no. I have no shares on my
workstation either.

Thx - Jenny

"Steven L Umbach" wrote:

> How do you know that they did not access the computer? If the computer with
> these events in the security log has shares, maybe they were accessing files
> via My Network Places. A connection via a remote management program would
> certainly generate logon events also. --- Steve
>
>
> "Jenny" <cevin07@yahoo.com> wrote in message
> news:ED8CC000-BBAD-4A70-B9F0-26F0E0B0EACA@microsoft.com...
> > I can see in the Event Log several instances of Event ID 538 & 540 for users
> > that I know did not log on to a particular machine.
> >
> > User Name: Username
> > Domain: Domain
> > Logon ID: (0x0,0x442D8F)
> > Logon Type: 3
> >
> > The events happen within minutes of each other. At first I thought it was a
> > co-worker remotely connecting to a machine I was working on, since it would
> > appear on any machine that I remotely connected to, but I don't believe that
> > is the situation.
> > One thing that may be noteworthy is we use Tight VNC within Ideal and Real
> > VNC to remotely connect to users' workstations.
> > Any help/suggestions/enlightenment would be greatly appreciated.
> >
> > Thank you
>
>
>
 
Guest

Maybe not that you know of. Try running the command "net share" on your
computer. If anything is shown, someone could be trying to connect to one of
those shares. Shares with $ after them are hidden but commonly known to many
users. Another possibility is that someone else has obtained another user's
password and is trying to connect to your computer impersonating that user,
though the logon events should show the workstation that the logon came
from. If you do not need to be offering shares to other users or to have
your computers managed remotely via Computer Management or such, you can
disable file and print sharing. --- Steve


"Jenny" <cevin07@yahoo.com> wrote in message
news:A7051942-AC57-4BB0-A949-0EB953A4F12E@microsoft.com...
> There are no shares on the workstations that they would be connecting
> to (these are users' workstations that do not house shares). I asked my
> co-worker if they were connected and they said no. I have no shares on my
> workstation either.
>
> Thx - Jenny
>
> "Steven L Umbach" wrote:
>
>> How do you know that they did not access the computer? If the computer
>> with these events in the security log has shares, maybe they were accessing
>> files via My Network Places. A connection via a remote management program
>> would certainly generate logon events also. --- Steve
>>
>>
>> "Jenny" <cevin07@yahoo.com> wrote in message
>> news:ED8CC000-BBAD-4A70-B9F0-26F0E0B0EACA@microsoft.com...
>> > I can see in the Event Log several instances of Event ID 538 & 540 for
>> > users that I know did not log on to a particular machine.
>> >
>> > User Name: Username
>> > Domain: Domain
>> > Logon ID: (0x0,0x442D8F)
>> > Logon Type: 3
>> >
>> > The events happen within minutes of each other. At first I thought it was
>> > a co-worker remotely connecting to a machine I was working on, since it
>> > would appear on any machine that I remotely connected to, but I don't
>> > believe that is the situation.
>> > One thing that may be noteworthy is we use Tight VNC within Ideal and
>> > Real VNC to remotely connect to users' workstations.
>> > Any help/suggestions/enlightenment would be greatly appreciated.
>> >
>> > Thank you
>>
>>
>>
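
Added example, not part of the thread: a Python sketch of the triage the last reply points to, pairing each Logon Type 3 logon (540) with its logoff (538) by Logon ID and tallying the source workstation per account. The one-record-per-line, pipe-delimited export layout and every sample value are constructed assumptions; only the field names User Name, Domain, Logon ID and Logon Type come from the post, and Workstation Name is assumed to be the field that carries the source.

```python
from collections import defaultdict

# Constructed sample: an assumed one-record-per-line export of the Security
# log. Accounts, times and workstation names are made up for illustration.
SAMPLE = """\
Event ID: 540 | Time: 09:14:02 | User Name: jsmith | Domain: CORP | Logon ID: (0x0,0x442D8F) | Logon Type: 3 | Workstation Name: ADMIN-PC
Event ID: 538 | Time: 09:16:40 | User Name: jsmith | Domain: CORP | Logon ID: (0x0,0x442D8F) | Logon Type: 3
Event ID: 528 | Time: 09:20:11 | User Name: jenny | Domain: CORP | Logon ID: (0x0,0x44A001) | Logon Type: 2 | Workstation Name: WS-017
Event ID: 540 | Time: 09:31:55 | User Name: jsmith | Domain: CORP | Logon ID: (0x0,0x44B7C2) | Logon Type: 3 | Workstation Name: ADMIN-PC
Event ID: 540 | Time: 09:40:03 | User Name: mlee | Domain: CORP | Logon ID: (0x0,0x44C100) | Logon Type: 3 | Workstation Name: WS-023
Event ID: 538 | Time: 09:40:09 | User Name: mlee | Domain: CORP | Logon ID: (0x0,0x44C100) | Logon Type: 3
"""

def parse_records(text):
    """Return one dict of field name -> value per non-empty line."""
    records = []
    for line in text.splitlines():
        if line.strip():
            pairs = (part.split(":", 1) for part in line.split(" | "))
            records.append({k.strip(): v.strip() for k, v in pairs})
    return records

def network_sessions(records):
    """Pair type 3 logons (540) with their logoffs (538) by Logon ID."""
    sessions = {}
    for r in records:
        if r.get("Logon Type") != "3":
            continue  # interactive and other logon types are not network logons
        lid = r["Logon ID"]
        if r["Event ID"] == "540":
            sessions[lid] = {"user": r["Domain"] + "\\" + r["User Name"],
                             "source": r.get("Workstation Name", "(not recorded)"),
                             "logon": r["Time"], "logoff": None}
        elif r["Event ID"] == "538" and lid in sessions:
            sessions[lid]["logoff"] = r["Time"]
    return sessions

def sources_by_user(sessions):
    """Count network logons per account, broken down by source workstation."""
    out = defaultdict(dict)
    for s in sessions.values():
        out[s["user"]][s["source"]] = out[s["user"]].get(s["source"], 0) + 1
    return dict(out)

if __name__ == "__main__":
    sess = network_sessions(parse_records(SAMPLE))
    print(sources_by_user(sess))
    print("no logoff seen:", [k for k, s in sess.items() if s["logoff"] is None])
```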