We are using LanGuard Security Event Log Monitor to go out and hit all of our domain controllers, grab all the security events out of the logs and dump them into an Access database. When I run reports to see if anyone is logging on after hours, there are a couple of users who show up with logon events every 1.5-2.5 hours, even though I know they are not there to log on. I checked the event logs on their local workstations, and found that they have the following events:
Event ID: 1704
Source: SceCli
Type: Information
Description: Security policy in the Group policy objects are applied successfully.
A little info on our environment:
Workstations: W2K prof
Domain Controllers: NT4 (Not running Active Directory)
These event ID 1704's are coinciding exactly with the logon event IDs that are showing up on the domain controllers for whatever user is logged onto the workstation. So something happens while this group policy is applied that causes the workstation to authenticate to a domain controller and it shows up as a logon event.
I need to figure out how to get rid of this security policy being applied at all hours because it is screwing up my logon reports. Can anyone help me with this?
Event ID: 1704
Source: SceCli
Type: Information
Description: Security policy in the Group policy objects are applied successfully.
A little info on our environment:
Workstations: W2K prof
Domain Controllers: NT4 (Not running Active Directory)
These event ID 1704's are coinciding exactly with the logon event IDs that are showing up on the domain controllers for whatever user is logged onto the workstation. So something happens while this group policy is applied that causes the workstation to authenticate to a domain controller and it shows up as a logon event.
I need to figure out how to get rid of this security policy being applied at all hours because it is screwing up my logon reports. Can anyone help me with this?