Event Details
Operating System->Microsoft Windows->Built-in logs->Windows 2000-2003->Security Log->Logon/Logoff->EventID 536 - The NetLogon component is not active
EventID 536 - The NetLogon component is not active

This event record indicates that a logon attempt was made and rejected because the Net Logon service was not running. The Net Logon service supports pass-through authentication of account log ons and is used when the workstation participates in a domain. This is a significant error that should be immediately investigated.

Check to ensure that the NetLogon service is operational. Otherwise, this event may prompt investigation.


Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows 2000
Windows XP
Windows 2003
Source Security
Category Logon/Logoff
EventId 536
Field Matching
FieldDescriptionStored inSample Value
DateTime Date/Time of event origination in GMT format. DateTime 10.10.2000 19:00:00
Source Name of an Application or System Service originating the event. Source Security
Type Warning, Information, Error, Success, Failure, etc. Type Success
User Domain\Account name of user/service/computer initiating event. User RESEARCH\Alebovsky
Computer Name of server workstation where event was logged. Computer DC1
EventID Numerical ID of event. Unique within one Event Source. EventId 576
Description The entire unparsed event message. Description Special privileges assigned to new logon.
Log Name The name of the event log (e.g. Application, Security, System, etc.) LogName Security
Category A name for a subclass of events within the same Event Source. Category Logon/Logoff
Domain Domain of the account for which logon is requested. InsertionString2 RESEARCH
User Name Account name of the user logging in InsertionString1
Logon Type Interactive, Network, Batch, etc. Please find the code descriptions here. InsertionString3
Logon Process The program executable that processed the logon. Please find full logon processes list here. InsertionString4
Authentication Package The name of the authentication package (method) used to check user credentials (e.g. NTLM or Kerberos). Please find full authentication packages list here. InsertionString5
Workstation Name The NetBIOS name of the remote computer that originated the logon request InsertionString6
Caller User Name Account name of the user requesting the logon (not the user that attempted logon). Normally it is empty or displays the service principal name. InsertionString7
Caller Domain Domain name of the account mentioned in the "Caller User Name" field InsertionString8
Caller Logon ID ID of the logon session of the account mentioned in the "Caller User Name" field. Useful for tracking other activity of this account within the same logon session. InsertionString9
Caller Process ID ID of the process initiating the logon request InsertionString10
Transited Services Indicates which intermediate services have participated in this logon request InsertionString11
Source Network Address The IP address of the remote computer that originated the logon request InsertionString12
Source Port The source TCP port of the remote computer that originated the logon request InsertionString13
You must be logged in to comment