| Subject: | Disproportionate network logons from a few PCs |
| Posted by: | Bartm (bartmagui…@yahoo.co.uk) |
| Date: | 28 Feb 2007 |
We have four machines on our network that are filling the Security log
on our server with repeated 538/540 events. They generate thousands
of events every hour and about 95% of the events in the event log is
from these four machines. The other ~200 machines are well-behaved
and generate the expected few 538/540 pairs.
I know that I could turn off auditing of these events, but I would
rather understand why this is happening.
I can see that the problem manifests itself when a user is logged on
and I presume that they are connecting to a resource, probably the
printers (the server is also our printserver) - but why is it only
these PCs?