Link for Microsoft Win2k server events and errors page. Enter an EventID and the page will give you info on it.

All successful logons are Event ID 528 entries in the security log, assuming auditing is turned on and you are auditing successful logons. Unsuccessful logons have various event ids which categorize the type of logon failure.

Event ID 528 entries list the:

The types of successful logon types:

Type 0 & 1 are not used and Type 6 is listed as a proxy logon but I don't know what that is. The Logon Type 3 events indicate a network logon event. A successful Net Use or File Manager connection or a successful Net View to a share generates Event ID 528. An event is generated by the initial connection from a particular user. Later Net Uses or Net Views by that a user from the same computer do not generate additional events unless the user has been disconnected. Auditing User Authentication gives additional information.

The unsuccessful logon events are:

Event ID 538 is not an unsuccessful event but rather a successful logoff. Event ID 540 is not an unsuccessful event but rather a successful network logon as in mapping a network drive. Some Windows 2000 only events are:

You may get calls about the strange 627s, is someone breaking in? What is NT AUTHORITY \ ANONYMOUS? This event is logged when a the password is expired and the user tries to change it during logon. Thus you get no User Name but NT AUTHORITY \ ANONYMOUS written in the log. This error generates calls from Security Admins when they don't understand the meaning of the error. On the surface, it sounds ominous. Event ID 642 records the PDCs change of secure channel passwords

Some common event sequences:

Event ID 560 (Object Open), 561 (Handle Allocated), 562 (Handle Closed) : NT is doing internal checks, such as checking to see if the file exists and checking to see that there is no sharing violation

Event ID 592 (A New Process Has Been Created), 560 (Object Open), 561 (Handle Allocated), 562 (Handle Closed), 593 (Process Has Exited) : An executable starts, an audited object is opened and closed, executable exits.

 

Microsoft has recently published Windows 2000 Security Event Descriptions part 1 and Windows 2000 Security Event Descriptions part 2. A nice coverage for W2K. Related Tips:

Event Log Tips:

Archiving Event Logs
Event Log explained
How to Delete Corrupt Event Viewer Log Files
Forensics: CrashOnAuditFail
Restrict access to Application and System event logs
Security Event Descriptions
Security Events Logon Type Definitions
Security Log Location
Suppress Browser Event Log Messages
Suppress Prevent logging of print jobs
System events in NT4 SP4
User Authentication with Windows NT
User Rights, Definition and List

Q: I get a lot of event log IDs 528, 538 (users logging on and off). First comes a 528 (logon) followed later by 538 (logoff). I know the user is not logging off...

Check the logon type in the events.

  • If it is 2 (Interactive logon), it is the old bug described in Microsoft's KB article Q146880.
  • If it is 3 (Network logon), so it is a network logon/logoff. Such an event occurrs, if a user connects to a share, for instance. There is also a setting on the server called "Autodisconnect if a session is idle more than x min", with a default of 15 min. So even if a user is connected to a share for hours, you can get a lot of such events because the server will disconnect after the idle time and reconnect if the share is accessed the next time. This is transparent to the user.
  • If the logon type is 4 (Batch logon) is only logged on NT 4 if you have the new scheduler installed, which comes with IE 5. This new scheduler logs logons and logoffs of it's tasks, because each task may run under a different account. The native NT 4 scheduler did run all tasks under the account itself was running, therefore no one needed to logon when a batch job started.
I was wondering if you could tell me how to set the autodisconnect to a longer time for logon type 3?

The easiest way is to use the command
NET CONFIG SERVER /AUTODISCONNECT:Minutes

But I have another user (admin) who does not have any share open on a workstation but is generating lots of pairs of events 528/538 nevertheless
Somebody reported this behaviour when perfmon.exe is run across the network. In some cases this program is reported to open and close a connection every time it collects data, which can be very often. I could not reproduce this behaviour, though.