</font><blockquote><font size="1" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">quote:</font><hr /><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">Originally posted by Poseidon:
<strong>Okay perhaps I over-reacted. The security log in the event viewer is empty and the event log of the Syslog of the SOHO indicates nothing out of the ordinary (at least from what I could tell).

The Terminal Services Mgr does not show any connections out of the normal.

The log is from the PASSWD.LOG file located in the WINNT\Debug directory on Server1.

It was discoverd by coincidence when someone logged in using the admin account and did a search for *log*

Why though does the date in the start 05/04? Is there perhaps a problem that needs to be addressed? Could that be related to the date the admin password was last changed?

BTW, Yes I am using the web browser version / interface of the SOHO.</strong></font><hr /></blockquote><font size="2" face="Trebuchet MS, Verdana, Arial, Helvetica, sans-serif">I use the same interface, I'll look into the log files tonight. What i THINK may be hapening is the OS is changeing the TSlogon to the userID that your loging into in order to give you access (basicly makes the TS logon the one your using)

If your not using port 3389 and the client, check your IIS logs to see who has been connecting the the Terminal site. If your really paranoid, use the client, I find it's faster than the web interface and it allows you to cach the bit maps.