Security Basics mailing list archives
Security event log entry
From: gary () aspectcapital com
Date: 17 Jan 2007 09:12:09 -0000
Hi All,

I monitor the security event logs of machines for logon/logoff events for local accounts, 'ladm-'. However, I have noticed that recently machines are not reporting these events at the frequency I expect. I have noticed that machines are now logging the event:

SuccessAudit 16/01/2007 16:29:53 Security Object Access 560 ASPECTPC99\ladm-mbutton
Object Open:
    Object Server: Security Account Manager
    Object Type: SAM_ALIAS
    Object Name: DOMAINS\Builtin\Aliases\0000022B
    Handle ID: 1090992
    Operation ID: {0,639099906}
    Process ID: 788
    Image File Name: C:\WINDOWS\system32\lsass.exe
    Primary User Name: ASPECTPC99$
    Primary Domain: ASPECT
    Primary Logon ID: (0x0,0x3E7)
    Client User Name: ladm-mbutton
    Client Domain: ASPECTPC99
    Client Logon ID: (0x0,0x2617DC5B)
    Accesses: AddMember RemoveMember ListMembers ReadInformation
    Privileges: -
    Restricted Sid Count: 0

Does anyone know if the access of lsass.exe is related to the logon or use of the local 'ladm' account?

Thanks in advance,