Re: Event ID 676

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 07/27/04


Date: Tue, 27 Jul 2004 01:25:01 GMT

If you enable logon events for failure on your Domain Controller Security Policy it
may give you more useable information including logon type. Logon type 2 would be
console or TS while logon 3 would be network attempt to access a share. --- Steve

http://www.microsoft.com/resources/documentation/WindowsServ/2003/datacenter/proddocs/en-us/Default.asp?url=/resources/documentation/windowsserv/2003/datacenter/proddocs/en-us/518.asp
-- almost all applies to W2K also.

"djc" <noone@nowhere.com> wrote in message
news:OW2Jen0cEHA.2812@tk2msftngp13.phx.gbl...
> thanks for the reply. I think where I am confused is the client address.. I
> am expecting it to be 'from where' the logon was attempted... like the
> user's workstation name... but that address is a domain controller? actually
> I just double-checked and some of these events are from domain controller
> addresses and some are from client workstations? I am confused. I know the
> users don't have physical access to the servers so thats out. I suppose
> terminal services logon attempts could generate this? I'm just not sure how
> to interprets these security auditing events.
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:3KcNc.161924$a24.85480@attbi_s03...
> > That would seem to be the case. Failure code 0x12 can be a variety of
> reasons but not
> > having the user right for access could certainly be one. Below is a list
> of items I
> > found on a MS doc. --- Steve
> >
> > 0x12 - KDC_ERR_CLIENT_REVOKED: Clients credentials have been revoked
> > Associated internal Windows error codes
> > . STATUS_ACCOUNT_DISABLED
> >
> > . STATUS_ACCOUNT_EXPIRED
> >
> > . STATUS_ACCOUNT_LOCKED_OUT
> >
> > . STATUS_ACCOUNT_DISABLED
> >
> > . STATUS_INVALID_LOGON_HOURS
> >
> > . STATUS_LOGIN_TIME_RESTRICTION
> >
> > . STATUS_LOGIN_WKSTA_RESTRICTION
> >
> > . STATUS_ACCOUNT_RESTRICTION
> >
> >
> >
> >
> > "djc" <noone@nowhere.com> wrote in message
> > news:O18ZKI0cEHA.996@TK2MSFTNGP12.phx.gbl...
> > > Source: Security
> > > Category: Account Logon
> > > Authentication Ticket Request Failed:
> > > User Name: smithly
> > > Supplied Realm Name: HELLER.COM
> > > Service Name: krbtgt/HELLER.COM
> > > Ticket Options: 0x40810010
> > > Failure Code: 0x12
> > > Client Address: 10.10.100.100
> > >
> > > according to the info I found on this failure code (12), this event is
> > > because of a time of day or workstation restriction. This would seem to
> make
> > > sense because the client address listed is a server that this user would
> not
> > > have the log on locally user right assigned for.
> > >
> > > Is this correct, this is telling me that smithly has attemped to logon
> to
> > > 10.10.100.100?
> > >
> > >
> >
> >
>
>



Relevant Pages

  • Re: Stand alone Win2003 Standard w/ AD... how to allow users to login?
    ... If there any entries in the deny logon ... > right in the Domain Controller Security Policy that the user is a member ... > domain controller after making the change in Domain Controller Security ...
    (microsoft.public.windows.server.security)
  • Re: Auditing User logon/logoff events.
    ... u say in the document like i enabled "Account logon events" only in domain ... Then i am getting 672,673 event ids in my domain controllers event viewer. ... can see this log in domain controller security log. ...
    (microsoft.public.win2000.security)
  • Re: remote desktop rights on domain controller
    ... First of for domain controllers user rights must be configured in Domain ... Controller Security Policy - not local policy. ... The user right for logon ... Group on the domain controller if using Windows 2003. ...
    (microsoft.public.windows.server.security)
  • Re: How to remove a cached password?
    ... See if another domain user can logon to it or not, ... a domain controller is that it has incorrect dns settings. ... The login used on the laptop is the same ...
    (microsoft.public.windowsxp.security_admin)
  • Re: Why allow log on locally" is not configured by default??
    ... To logon locally you would have to be sitting in front of the console or use ... There are two policy under admin tools -> domain controller security ... Domain Controller policy impacts ALL dc's in your network. ... asking it if it is ok that this user log onto this workstation, ...
    (microsoft.public.windows.server.active_directory)