
Caller Logon ID

microsoft.public.windows.server.security
Posted by r. wales on April 3, 2006, 2:39 pm
I have several events that are being logged with caller logon id:
(0x0,0x3E7). Target accounts are usually <computername>$ and the caller
user name is <servername>$. Who or what does (0x0,0x3E7) specify?

[AD domain, win 2003 standard, xp clients]

One of these events was a 'computer account change' that occurred at 9:21 am
Sunday morning (no one in the building). The only thing it lists is a value
for "password last set". Could this indicate intrusion?

Posted by Steven L Umbach on April 3, 2006, 11:40 pm
Most likely it means that the computer account password was changed which is
done periodically and automatically - around every thirty days I believe if
a domain controller can be contacted. I would not worry about it. Intrusions
are more evidenced by password failures, particularly for the administrator
account. You might find the link below helpful. --- Steve

http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx

> I have several events that are being logged with caller logon id:
> (0x0,0x3E7). Target accounts are usually <computername>$ and the caller
> user name is <servername>$. Who or what does (0x0,0x3E7) specify?
>
> [AD domain, win 2003 standard, xp clients]
>
> One of these events was a 'computer account change' that occurred at 9:21 am
> Sunday morning (no one in the building). The only thing it lists is a value
> for "password last set". Could this indicate intrusion?



Posted by r. wales on April 4, 2006, 9:33 am
Thanks Steve. That is kind of what I suspected and I did scour the logs for
suspicious failures, but it is good to get some reinforcement. Would I be
correct in also assuming that caller logon id: (0x0, 0x3E7) is a system ID?

"Steven L Umbach" wrote:

> Most likely it means that the computer account password was changed which is
> done periodically and automatically - around every thirty days I believe if
> a domain controller can be contacted. I would not worry about it. Intrusions
> are more evidenced by password failures, particularly for the administrator
> account. You might find the link below helpful. --- Steve
>
> http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx
>
> > I have several events that are being logged with caller logon id:
> > (0x0,0x3E7). Target accounts are usually <computername>$ and the caller
> > user name is <servername>$. Who or what does (0x0,0x3E7) specify?
> >
> > [AD domain, win 2003 standard, xp clients]
> >
> > One of these events was a 'computer account change' that occurred at 9:21 am
> > Sunday morning (no one in the building). The only thing it lists is a value
> > for "password last set". Could this indicate intrusion?
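
Added example, not part of the original thread: a Python triage helper for the events discussed above. In winnt.h the logon-session LUID 0x3E7 is SYSTEM_LUID (the Local System logon session), so the code decodes the Caller Logon ID field and marks computer-account changes that fit the automatic password change described in the reply. The record field names, host names, user name and sample events are constructed assumptions.

```python
import re

# Well-known logon-session LUIDs from winnt.h (HighPart 0, LowPart below).
WELL_KNOWN_LUIDS = {
    0x3E7: "SYSTEM",            # SYSTEM_LUID: the Local System logon session
    0x3E6: "ANONYMOUS LOGON",   # ANONYMOUS_LOGON_LUID
    0x3E5: "LOCAL SERVICE",     # LOCALSERVICE_LUID
    0x3E4: "NETWORK SERVICE",   # NETWORKSERVICE_LUID
}
LOGON_ID_RE = re.compile(r"\(\s*0x([0-9A-Fa-f]+)\s*,\s*0x([0-9A-Fa-f]+)\s*\)")


def parse_logon_id(text):
    """Turn the '(0x0,0x3E7)' form shown in the event into (high, low)."""
    m = LOGON_ID_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a logon ID: {text!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


def session_name(text):
    """Name the logon session, or None if it is an ordinary per-logon ID."""
    high, low = parse_logon_id(text)
    return WELL_KNOWN_LUIDS.get(low) if high == 0 else None


def triage(event):
    """Classify one 'computer account changed' record (field names assumed)."""
    automatic = (
        session_name(event["caller_logon_id"]) == "SYSTEM"
        and event["caller"].endswith("$")    # a machine account made the call
        and event["target"].endswith("$")    # a machine account was changed
        and event["changed"] == ["Password Last Set"]
    )
    return "automatic-password-change" if automatic else "review"


# Constructed sample records; host and user names are hypothetical.
SAMPLES = [
    {"target": "WS01$", "caller": "DC01$", "caller_logon_id": "(0x0,0x3E7)",
     "changed": ["Password Last Set"]},
    {"target": "WS02$", "caller": "jdoe", "caller_logon_id": "(0x0,0x1A2B3C)",
     "changed": ["Password Last Set", "User Account Control"]},
]

if __name__ == "__main__":
    for ev in SAMPLES:
        print(ev["target"], session_name(ev["caller_logon_id"]), triage(ev))
```

Records that come back as "review" are the ones worth reading by hand alongside any logon failures in the same window.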
