sigm‚gb±Ë¬²*²hœ®‹(~×(

We have some inetersting activity in our security log during nighttime hours.
How do I tell if it is just network overhead protocols, or illegimate
attempts to access the network? Some of the event IDs are:
538,540,565,576,672,673,674, and 680. I would assume that some of these are
related to users/computers locking their workstation at night and the systems
are still responding to the server. Is this correct or do I have a serious
problem here. I've directed the question to my IS manager, and she does not
have any idea in regards to this.

steven l umbach

It is not unusual to see events logged. Some of those are kerberos related
which may be computers renewing their tickets as they expire. Computers also
authenticate in a domain without any user logged on. I would not be too
concerned unless you have a lot of failures, particularly for user
"administrator" which could indicate hack attempts. The link below will
explain in more detail what some of those events mean. --- Steve

http://www.microsoft.com/technet/security/guidance/secmod144.mspx