Posted by r. wales on September 12, 2006, 9:41 am
Thanks Steve. I watched the logs yesterday afternoon looking for the
expected entry 9.5 to 10 hours later and it didn't show up. As the user
turned their computer on and logged back in Monday morning I really wasn't
expecting it to be there. Still, it was one of those 'Hmmm...' things.
Thanks again.
"Steven L Umbach" wrote:
> That indicates a Kerberos service ticket renewal for some reason, which is
> done regularly, and ten hours sounds about right. Maybe his user account
> credentials are being used somewhere else in the domain other than his
> workstation or his account is still logged onto another computer. I would
> not consider it anything malicious.
>
> Steve
>
>
> > I have seen entries from over the weekend that show a successful logon for a
> > user account on the 127.0.0.1 address of my domain controller. I know for a
> > fact that this user was not logged on to the server, and that the user's
> > workstation was shut down over the weekend. This entry occurs every nine
> > hours and fifty minutes. The event entries look like this:
> >
> > Event Type: Success Audit
> > Event Source: Security
> > Event Category: Account Logon
> > Event ID: 674
> > Date: 9/11/2006
> > Time: 5:08:15 AM
> > User: NT AUTHORITY\SYSTEM
> > Computer: <servername>
> > Description:
> > Service Ticket Renewed:
> > User Domain: <domainname>.LOCAL
> > Service Name: krbtgt
> > Service ID: <domainname>\krbtgt
> > Ticket Options: 0x2
> > Ticket Encryption Type: 0x17
> > Client Address: 127.0.0.1
> >
>
>
>
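An added example, not part of the original posts: one way to check whether Event ID 674 records in an exported Security log recur on a steady cadence inside the ten-hour figure mentioned in the reply. The function names, the `User Name` line with its `<username>` placeholder, the two extra timestamps and the 5-minute jitter are assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout of the quoted event. The 5:08:15 AM time is
# from the thread; the other two times, spaced 9h50m apart, and the
# "User Name" line with its placeholder are assumptions for illustration.
RECORD = ("Event Type: Success Audit\nEvent ID: 674\nDate: {date}\nTime: {time}\n"
          "Description:\nService Ticket Renewed:\nUser Name: <username>\n"
          "Service Name: krbtgt\nClient Address: 127.0.0.1\n")
SAMPLE = "".join(RECORD.format(date=d, time=t) for d, t in [
    ("9/10/2006", "7:18:15 PM"), ("9/11/2006", "5:08:15 AM"),
    ("9/11/2006", "2:58:15 PM")])

def parse_events(text):
    """Split exported event text into one field dict per record."""
    events = []
    for line in text.splitlines():
        m = re.match(r"[>\s]*([^:]+):\s*(.*)$", line)  # tolerate '> >' quoting
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":          # first field of each record
            events.append({})
        if events:
            events[-1][key] = value
    return events

def renewal_gaps(text):
    """Gaps between successive Event ID 674 records per (user, client address)."""
    seen = defaultdict(list)
    for ev in parse_events(text):
        if ev.get("Event ID") != "674":
            continue
        when = datetime.strptime(ev["Date"] + " " + ev["Time"], "%m/%d/%Y %I:%M:%S %p")
        seen[(ev.get("User Name", "?"), ev.get("Client Address", "?"))].append(when)
    gaps = {}
    for key, times in seen.items():
        times.sort()
        gaps[key] = [b - a for a, b in zip(times, times[1:])]
    return gaps

def steady_cadence(gaps, lifetime=timedelta(hours=10), jitter=timedelta(minutes=5)):
    """True if every gap is within the lifetime and all gaps agree within jitter.
    The 10-hour bound follows the reply's figure; the jitter is an assumption."""
    return bool(gaps) and max(gaps) <= lifetime and max(gaps) - min(gaps) <= jitter
```

Gaps that vary widely or exceed the lifetime do not fit the regular-renewal pattern and are the ones worth a closer look.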