Guest FAC_Server_Guy
Posted June 3, 2008

I've got a bunch of W2K3 servers, and I've noticed the following. In the security logs for these servers, there are instances of Event ID 515 that have, as the userid, the userid of the individual who built the server, rather than something like "NT AUTHORITY\SYSTEM". The following is an example:

Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 6/3/2008
Time: 11:16:53 AM
User: MYDOMAIN\MYUSERID
Computer: SERVER01
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.
Logon Process Name: KSecDD
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Does anyone know why the system would be trying to do ANYTHING using their userids rather than a system account? And is there a way to change the services or processes so that they use NT Authority\SYSTEM or something like that rather than someone's userid? Is this info buried in the registry somewhere?

Part of the problem is that we know that these users have not been on these systems, and in some cases, they're moving on and their accounts are going to be disabled.

Thanks for your help.