
system log user

Posted by James Pang on March 7, 2006, 2:45 am
I checked the system log today and found a lot of events where the user name is NT
AUTHORITY\SYSTEM or computername$, like DomainEF$.
Is that normal? How could I find who is doing that thing? Why are there $s?
Thanks



Posted by James Pang on March 7, 2006, 2:47 am
Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
+ + Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
+ + Directory Service Access
+ + Account Logon
Changed By:
User Name: QMISFILE$
Domain Name: DomainName
Logon ID: (0x0,0x3E7)
More Information:
User QMISFILE$ from domain DomainName changed the Audit Policy for the
machine QMISFILE.



Posted by Roger Abell [MVP] on March 7, 2006, 11:57 pm
Event log messages are most meaningful when presented with
the Source origin and the Event Id.
This could result from the periodic application of GPO policy settings.

--
Roger Abell
Microsoft MVP (Windows Server : Security)

> Audit Policy Change:
> New Policy:
> Success Failure
> + + Logon/Logoff
> + + Object Access
> - - Privilege Use
> + + Account Management
> + + Policy Change
> + + System
> - - Detailed Tracking
> + + Directory Service Access
> + + Account Logon
> Changed By:
> User Name: QMISFILE$
> Domain Name: DomainName
> Logon ID: (0x0,0x3E7)
> More Information:
> User QMISFILE$ from domain DomainName changed the Audit Policy for the
> machine QMISFILE.
>



Posted by Roger Abell [MVP] on March 7, 2006, 11:56 pm
For a domain joined machine it is not abnormal to see a system
log into itself and/or the domain. System is the local account used
by the OS. The OS joined to a domain has an account for the trust
with the domain named domain\machine$.
The terminal $ keeps the account from showing in some situations,
now mostly historical.
Note however, just because such activity is normal does not mean
that these are inherently OK as it is possible for the OS to be subverted
and these could then be traces from misdirected activity.
--
Roger Abell
Microsoft MVP (Windows Server : Security)
MCDBA, MCSE W2k3+W2k+Nt4
>I check system log today and find a lot events the user name is: NT
>AUTHORITY\SYSTEM or computername$ like DomainEF$
> is that normal? how could I find who is doing that thing? Why there are
> $s?
> Thanks
>
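
An added example, not part of the original posts: a small parser for the "Audit Policy Change" description quoted in the thread, which checks whether the "Changed By" account is the host's own machine account (trailing `$`) running in logon session `(0x0,0x3E7)`, the well-known logon ID of the local SYSTEM account. The function names and the three result labels are this example's own, and the sample text is reconstructed from the event pasted above.

```python
import re

# Constructed sample: the event description text quoted in the thread.
SAMPLE_EVENT = """Audit Policy Change:
New Policy:
Success Failure
+ + Logon/Logoff
+ + Object Access
- - Privilege Use
+ + Account Management
+ + Policy Change
+ + System
- - Detailed Tracking
+ + Directory Service Access
+ + Account Logon
Changed By:
User Name: QMISFILE$
Domain Name: DomainName
Logon ID: (0x0,0x3E7)
More Information:
User QMISFILE$ from domain DomainName changed the Audit Policy for the
machine QMISFILE.
"""

SYSTEM_LUID = (0x0, 0x3E7)  # well-known logon session of the local SYSTEM account

def parse_audit_policy_change(text):
    """Return the policy flags and 'Changed By' fields from the description text."""
    policy = {cat: {"success": s == "+", "failure": f == "+"} for s, f, cat in
              re.findall(r"^[ \t]*([+-])[ \t]+([+-])[ \t]+(.+?)[ \t]*$", text, re.M)}
    fields = dict(re.findall(
        r"^[ \t]*(User Name|Domain Name|Logon ID):[ \t]*(.+?)[ \t]*$", text, re.M))
    hi, lo = re.fullmatch(r"\((0x[0-9A-Fa-f]+),(0x[0-9A-Fa-f]+)\)", fields["Logon ID"]).groups()
    machine = re.search(r"for the\s+machine\s+([^\s.]+)", text)
    return {"policy": policy, "user": fields["User Name"], "domain": fields["Domain Name"],
            "logon_id": (int(hi, 16), int(lo, 16)),
            "machine": machine.group(1) if machine else None}

def classify_actor(event):
    user, machine = event["user"], event["machine"]
    if not user.endswith("$"):
        return "user-account"           # a named user made the change
    own = machine is not None and user[:-1].upper() == machine.upper()
    if own and event["logon_id"] == SYSTEM_LUID:
        return "local-system"           # the OS itself, acting as its machine account
    return "other-machine-account"      # machine account, but not this host's SYSTEM session

if __name__ == "__main__":
    print(classify_actor(parse_audit_policy_change(SAMPLE_EVENT)))
```

A `local-system` result matches the normal case described in the replies; as the reply above notes, that alone does not prove the activity is benign.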


