Doug, First, I would not place much faith in the logon/logoff events in W2K. I once tried to use them to determine user session times. I discovered that 528's are pretty believable but 538's may get logged many hours later or not at all. That was long ago, before UPHClean. Maybe that would have helped. By chance, are these logons via Nfuse or WI? I've seen similar behavior under those circumstances. I always assumed that this was the initial logon that verified the user credentials and displayed the appropriate published apps. Another logon event might show up at the Citrix server when it actually hosts your app. Raff -----Original Message----- From: thin-bounce@xxxxxxxxxxxxx [mailto:thin-bounce@xxxxxxxxxxxxx]On Behalf Of Stratton, Doug MSER:EX Sent: Wednesday, February 02, 2005 12:36 PM To: 'thin@xxxxxxxxxxxxx' Subject: [THIN] Security Event Logs Can anyone tell me why I would get these two security event log id everytime I log onto a ts with w2k on it? I looked up the events at event id web and it says 528 is a logon (this is good) and 538 is a log off (bad) I am not logging off just on. First Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 528 Date: 2005-02-02 Time: 8:45:15 AM User: domain\dstr Computer: servername Description: Successful Logon: User Name: dstr Domain: domain Logon ID: (0x0,0x18A37A52) Logon Type: 7 Logon Process: User32 Authentication Package: Negotiate Workstation Name: server Then Event Type: Success Audit Event Source: Security Event Category: Logon/Logoff Event ID: 538 Date: 2005-02-02 Time: 8:45:15 AM User: domain\dstr Computer: server Description: User Logoff: User Name: dstr Domain: domain Logon ID: (0x0,0x18A37A52) Logon Type: 7 Thanks Doug Stratton Telephone: (250) 356-6678 Email: Doug.M.Stratton@xxxxxxxxxxxxxxx