Windows Server 2003 DC generates more than 150000 event 680 in less than 50 minutes

  • Question

  • Our DC generates more than 150000 event 680 entries in less than 50 minutes.

    Any help?

    Thanks & regards,

    September 25, 2008 5:33

Answers

  • Are you sure that there are 150000 log entries for the same event ID 680?

    Event ID 680 means that the user logged on to the domain/computer successfully using NTLM, while 673 means by Kerberos.

    More information is shown in the following link:

    http://technet.microsoft.com/en-us/library/bb742435.aspx

    October 8, 2008 19:40
  • By default, a Windows 2003 DC will log security information for users that log on to their computers, use AD accounts to access computers, or map a drive using AD accounts. Each logon may generate around 4 events (system, user logon, etc.) in the system security log. It is normal to have a lot of event 680 entries if your organization has more users (say more than 1000 users). In your case, you need to review whether there are a lot of failed logon requests, and which account was being used as well, because that may be an indicator of abuse of accounts by some hacking activity. You may need to investigate further and check whether there is any security problem in your network.

    October 8, 2008 23:27
  • I think you need to check if the logon is normal or not. It really depends on the number of users and what you use the logon services for. There are a couple of logons required to use this as a service and they will be logged, such as drive mapping, computer account logons, or even some applications that use AD for authentication. It is really not a big deal if you have more event 680 entries in the services.

    You may check some of the 680 messages, investigate which machines generate them, and see if there is anything that can be investigated further.

    You may also want to look up the rest of the events and their meanings here:

    http://support.microsoft.com/kb/301677

    Please remember to mark as an answer if you think it is good.

    October 9, 2008 15:08
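
The investigation these answers suggest (which machines generate the 680 events, which accounts show failed attempts, and which accounts log bursts within one second), as an added example that is not part of the original thread. It assumes the Security log has been exported to text in the field layout of the sample record quoted in this thread and that a non-zero Error Code marks a failed attempt; the sample data and the names `parse_680`, `summarize` and `_record` are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# One exported Security-log record for event 680 (assumed layout: the sample
# quoted in this thread); the description may wrap over several lines.
RECORD = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{4}\s+\d{1,2}:\d{2}:\d{2} [AP]M)\s+Security\s+"
    r"\w+ Audit\s+Account Logon\s+680\b[^\n]*?"
    r"Logon account:\s*(?P<account>[^\s\"]+)\"?\s*"
    r"Source Workstation:\s*(?P<ws>\S+)\s*"
    r"Error Code:\s*(?P<code>0x[0-9A-Fa-f]+)",
    re.MULTILINE,
)

def parse_680(text):
    """Return (timestamp, account, workstation, error_code) per 680 record."""
    events = []
    for m in RECORD.finditer(text):
        ts = datetime.strptime(" ".join(m["ts"].split()), "%m/%d/%Y %I:%M:%S %p")
        events.append((ts, m["account"].lower(), m["ws"].lower(), int(m["code"], 16)))
    return events

def summarize(events, burst=60):
    """Tally sources, failures per account, and per-second bursts per account."""
    by_ws = Counter(ws for _, _, ws, _ in events)
    failures = Counter(acct for _, acct, _, code in events if code != 0)
    per_second = Counter((acct, ts) for ts, acct, _, _ in events)
    bursts = {key: n for key, n in per_second.items() if n >= burst}
    return by_ws, failures, bursts

def _record(ts, kind, acct, ws, code):  # builds one constructed sample record
    return (f'{ts}   Security   {kind} Audit    Account Logon 680  domain\\{acct} dc001 '
            f'"Logon attempt by : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account:    {acct}"\n'
            f'Source Workstation: {ws}\nError Code: {code}\n"\n')

# Constructed sample export (not real log data).
SAMPLE = (
    _record("9/19/2008   5:51:33 PM", "Success", "userid", "webserver1", "0x0") * 65
    + _record("9/19/2008   5:51:34 PM", "Success", "alice", "pc17", "0x0")
    + _record("9/19/2008   5:52:10 PM", "Failure", "bob", "pc22", "0xC000006A") * 3
)

if __name__ == "__main__":
    by_ws, failures, bursts = summarize(parse_680(SAMPLE))
    print("Top sources:", by_ws.most_common(5))
    print("Failed attempts by account:", dict(failures))
    print("Per-second bursts:", bursts)
```

A single workstation dominating the source tally together with per-second bursts for one account points at an application or service on that machine authenticating repeatedly rather than at interactive users.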

All replies

  • Where is the event generated? Is it in the security log or application log, etc.?

    September 25, 2008 15:53
  • Thanks for your response.

    It is in the Security log.

     

    Something like

    9/19/2008   5:51:33 PM   Security   Success Audit    Account Logon 680  domain\userid dc001 "Logon attempt by : MICROSOFT_AUTHENTICATION_PACKAGE_V1_0  Logon account:    userid"

    Source Workstation: webserver1

    Error Code: 0x0

    "

    September 26, 2008 1:43
  • Thank you very much for your information! I know that event 680 is the successful logon, but why more than 150000 in less than 50 minutes (some users have more than 60 events in 1 second)? Any experience?

    Thanks & regards

    October 9, 2008 14:45
  • Thank you very much for your information!

    Before our office relocation, it looked normal (a few logs for each user).

    This happened after the office relocation.

    October 9, 2008 14:48