Re: Finding Account Lockout Source

From: Erik Presnell (presnell_at_milltec.com)
Date: 07/30/03 

Date: Wed, 30 Jul 2003 14:31:07 -0500

I have read several of these similar posts and I'm experiencing the same
problem. I have been able to use the event viewer tool that is in the
altools.exe to trace to what servers people are trying to authenticate from,
but my next question is what do with that information. I'm the domain admin
here and on "server 123" in the event viewer it will have something like:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/30/2003
Time: 1:58:34 PM
User: NT AUTHORITY\SYSTEM
Computer: "Server 123"
Description:
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: "my initials"
  Domain: concord
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: "ABC"

Now this is what I don't understand; my workstation is "XYZ"; so I go to
"ABC" to see if there was anything going on at 1:58:34. There is nothing
there, there are also no unusual programs. Please help me, I'm just not
seeing the next logical step. Thank you for any help.

Erik

"Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
news:OaJLc7sVDHA.484@TK2MSFTNGP09.phx.gbl...
> Hi,
>
> You can use this tools:
>
http://microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>
> --
> Mike
> MCSA 2K, MCSE 2K, MCT, ...
>
> "PattyMac" <pmacarthur@jenner.com> wrote in message
> news:052901c356cc$14f20bb0$a101280a@phx.gbl...
> > Recently changed a password on an account. Now that
> > account keeps locking out every 10 minutes or so. How can
> > I find out the source of the problem? My guess is there's
> > a machine or service somewhere using that ID, but I don't
> > know where. Can I find the IP or Machine name that's
> > using that ID?
> >
> > Thanks for any feedback.
>
>

Relevant Pages

  • Re: DCom got error Overlapped I/O operation is in progress.....
    ... > running on that server, and I've been getting the error message in my ... > unable to logon .\IWAM_servername in order to run the server. ... Get the Event ID from the event viewer and go to www.eventid.net to look it ... Please reply to the newsgroup. ...
    (microsoft.public.inetserver.asp.general)
  • Windows Server 2003 Security issue
    ... a week or so after install of Service pack 1 for server 2003 I get a strange ... services repair mode and to look at the event viewer. ... is some kind of safe mode I have to logon. ...
    (microsoft.public.windows.server.security)
  • Failed to find logon server to handle login request
    ... An unexpected error occurred during logon ... >This only happens on that one server. ... >We had a power failure last night and not all systems ... >There were some events in the event viewer that talked ...
    (microsoft.public.win2000.networking)
  • Re: Viewdrop folder
    ... On checking the Event Viewer I am getting the following errors: ... The Serv-U FTP Server service failed to start due the following error: ... There are currently no logon server available to service the logon request. ...
    (microsoft.public.project.pro_and_server)
  • Re: Viewdrop folder
    ... On checking the Event Viewer I am getting the following errors: ... The Serv-U FTP Server service failed to start due to the following error: ... There are currently no logon servers available to service the logon request. ... The server is Windows 2000. ...
    (microsoft.public.project.pro_and_server)