We're seeing some events in one of our Windows 2003 server's Security log that we can't quite find the source of. This is one of our web server. Something on the server must be running to authenticate itself. We checked the IIS log files and nothing shows there. Is there a way to enable some more verbose logging to get the source of these logings? We see these three events together: Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 540 Date: 12/29/2010 Time: 8:53:22 AM User: WIN2003\IUSR_WIN2003 Computer: WIN2003 Description: Successful Network Logon: User Name: IUSR_WIN2003 Domain: WIN2003 Logon ID: (0x0,0xCFD3F33) Logon Type: 8 Logon Process: Advapi Authentication Package: Negotiate Workstation Name: WIN2003 Logon GUID: - Caller User Name: NETWORK SERVICE Caller Domain: NT AUTHORITY Caller Logon ID: (0x0,0x3E4) Caller Process ID: 504 Transited Services: - Source Network Address: - Source Port: - Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 552 Date: 12/29/2010 Time: 8:53:22 AM User: NT AUTHORITY\NETWORK SERVICE Computer: WIN2003 Description: Logon attempt using explicit credentials: Logged on user: User Name: NETWORK SERVICE Domain: NT AUTHORITY Logon ID: (0x0,0x3E4) Logon GUID: - User whose credentials were used: Target User Name: IUSR_WIN2003 Target Domain: WIN2003 Target Logon GUID: - Target Server Name: localhost Target Server Info: localhost Caller Process ID: 504 Source Network Address: - Source Port: - Event Type: Success Audit Event Source: Security Event Category: Account Logon Event ID: 680 Date: 12/29/2010 Time: 8:53:22 AM User: WIN2003\IUSR_WIN2003 Computer: WIN2003 Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: IUSR_WIN2003 Source Workstation: WIN2003 Error Code: 0x0 Orange County District Attorney

Hi Sandy, As far as I know, there is no verbose mode for event log on Windows Server 2003. Here are some information about these three events: http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=540&EvtSrc=Security&LCID=1033 http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=552&EvtSrc=Security&LCID=1033 http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.2&EvtID=680&EvtSrc=Security&LCID=1033 Hope it helps. Regards, BruceThis posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click "Mark as Answer" on the post that helps you, and to click "Unmark as Answer" if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

Thanks for the info Bruce. I had seen the information you listed, I was hoping I could find a way to drill a bit further to find out what process was initiating the logins.Orange County District Attorney