Question about LSA and Event ID 515

  • Thread starter Thread starter FAC_Server_Guy
  • Start date Start date
F

FAC_Server_Guy

Guest
I've got a bunch of W2K3 servers, and I've noticed the following. In the
security logs for these servers, there are instances of Event ID 515, that
have as the userid, the userid of the individual who built the server, rather
than something like, "NT AUTHORITY\SYSTEM". The following is an example:

Event Type: Success Audit
Event Source: Security
Event Category: System Event
Event ID: 515
Date: 6/3/2008
Time: 11:16:53 AM
User: MYDOMAIN\MYUSERID
Computer: SERVER01
Description:
A trusted logon process has registered with the Local Security Authority.
This logon process will be trusted to submit logon requests.

Logon Process Name: KSecDD

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.


Does anyone know why the system would be trying to do ANYTHING using their
userids rather than a system account? And, is there a way to change the
services or processes so that they use NT Authority\SYSTEM or something like
that rather than someone's userid? Is this info buried in the registry
somewhere? Part of the problem is that we know that these users have not
been on these systems, and in some cases, they're moving on and their account
are going to be disabled.

Thanks for your help
 
Back
Top