Re: Finding Account Lockout Source

From: Steve Pope (spope_at_hbk.com)
Date: 07/30/03 

Date: Wed, 30 Jul 2003 14:39:40 -0500

I would check the scheduled tasks and services on Workstation ABC

"Erik Presnell" <presnell@milltec.com> wrote in message
news:OFemqEtVDHA.1896@TK2MSFTNGP12.phx.gbl...
> I have read several of these similar posts and I'm experiencing the same
> problem. I have been able to use the event viewer tool that is in the
> altools.exe to trace to what servers people are trying to authenticate
from,
> but my next question is what do with that information. I'm the domain
admin
> here and on "server 123" in the event viewer it will have something like:
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 7/30/2003
> Time: 1:58:34 PM
> User: NT AUTHORITY\SYSTEM
> Computer: "Server 123"
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: "my initials"
> Domain: concord
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: "ABC"
>
> Now this is what I don't understand; my workstation is "XYZ"; so I go to
> "ABC" to see if there was anything going on at 1:58:34. There is nothing
> there, there are also no unusual programs. Please help me, I'm just not
> seeing the next logical step. Thank you for any help.
>
> Erik
>
>
> "Miha Pihler" <miha.pihler@Atlantis-N0Spam.si> wrote in message
> news:OaJLc7sVDHA.484@TK2MSFTNGP09.phx.gbl...
> > Hi,
> >
> > You can use this tools:
> >
>
http://microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
> >
> > --
> > Mike
> > MCSA 2K, MCSE 2K, MCT, ...
> >
> > "PattyMac" <pmacarthur@jenner.com> wrote in message
> > news:052901c356cc$14f20bb0$a101280a@phx.gbl...
> > > Recently changed a password on an account. Now that
> > > account keeps locking out every 10 minutes or so. How can
> > > I find out the source of the problem? My guess is there's
> > > a machine or service somewhere using that ID, but I don't
> > > know where. Can I find the IP or Machine name that's
> > > using that ID?
> > >
> > > Thanks for any feedback.
> >
> >
>
>

Relevant Pages

  • Re: Internet Explorer and Outlook Express problems after standby mode
    ... > Event Type: Failure Audit ... > Event Source: Security ... > Event Category: Account Logon ...
    (microsoft.public.windowsxp.perform_maintain)
  • Rogue Workstation?
    ... I noticed the following entries in the Security log of one of my Windows ... Event Type: Failure Audit ... The logon to account: Administrator ...
    (microsoft.public.windows.server.active_directory)
  • Re: change administrator password
    ... > Event Type: Failure Audit ... > Computer: NameOfDC ... > Logon Failure: ...
    (microsoft.public.win2000.security)
  • Re: Help - RPC over http credential issue
    ... I am showing the following errors in my DC event security log: ... Event Type: Failure Audit ... Logon Failure: ...
    (microsoft.public.exchange.setup)
  • Re: Security failures
    ... I send a copy of the text to the security people who contact the person at the noted workstation and tell them not to run scripts or programs which check every machine on every domain in the world. ... Event Type: Failure Audit ... An unexpected error occurred during logon ...
    (microsoft.public.win2000.general)