Do you have any shared folders on the HOOD server? Because from the logs you
provided, it looks like the user connects to a share (redirected my
documents, mapped network drive etc) located on that server when logging
interactively into workstation.
--
Dmitry Korolyov
d__k DeleteThis @nospamformorons.mail.ru
To e-mail me, remove "nospamformorons"
from the address.
"Sean (Kashi) McGilloway" <noreplies DeleteThis @wscd.com> wrote in message
news:bjsubb$mujmv$1@ID-202586.news.uni-berlin.de...
> This is, presumably, explainable by a security guru with ease...
>
> We have a terminal server that also handles a few print job requests for
> users. A user who *never* uses the machine is shown as logging into it
with
> the following "Success Audit" events:
>
> 1. LOGON/LOGOFF > 540 > CHAMBERS > HOOD
> 2. LOGON/LOGOFF > 538 > CHAMBERS > HOOD
> 3. LOGON/LOGOFF > 540 > CHAMBERS > HOOD
> 4. LOGON/LOGOFF > 538 > CHAMBERS > HOOD
> 5. LOGON/LOGOFF > 540 > CHAMBERS > HOOD
>
> We know that she *didn't* actually log onto HOOD for terminal server use.
> But in her workstation security log at about the same time (7:40:38 AM) it
> shows:
>
> 1. LOGON/LOGOFF > 528 > NETWORK SERVICE > CPU-E00021
> 2. LOGON/LOGOFF > 538 > HOOD$ > CPU-E00021
>
> What could this be? I don't see any print items in her workstation system
> event log. And nothing in her workstation application event log either. Is
> there any way of knowing what service she was trying to use on the HOOD
> server?
>
> K
>
>
FAQ
Profile
Private Messages
Log in
