You need to (see note 1) verbatim post the event log entries. We can't guess what is happening. Not enough data. Also add the event ID so that a search of the TechNet Knowledge Base can have a chance of being successful.
I can hazard one guess on the "this user does not have access to this machine". I have seen this when a service attempts to start but the user name/password does not have specific permissions/does not match, such as the system logon being used for one of the exchange services, rather than the specifically created exchange admin account created for exchange services. It gives this type of error. Without the actual errors, we are all going to be blindly guessing. NOTE 1: You don't need to post the actual information for your system. If an error specifies something such as a specific account name, of course insert a bogus name. We don't want to give anyone enumerating your system a leg up. Let them do it the hard way. :-) D. Weiss mcse/ccna/ssp2 -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] Sent: Thursday, January 24, 2002 6:08 PM To: [EMAIL PROTECTED] Subject: How to read w2000 Security events Can anyone tell me how to interpret the successful and failure audits for security events in event log? They log different things but there is no info on what they mean, or what to do about it. for example, my server that is also our firewall/gateway has entries that 'this user does not have access to this machine' yet I am the only one that logs in there. Others say things like account change attempt etc yet I am the Admin here and never changed the username. strange