Re: Failure Audit

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 10/29/04

• Next message: Steven L Umbach: "Re: NTFS Permissions question"
• Previous message: Steven L Umbach: "Re: What is the importance of deploying digital certificates on application servers in the domain ?"
• In reply to: Bob: "Failure Audit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 29 Oct 2004 21:29:02 GMT

You might try to temporarily enable auditing of process tracking on that
computer to see if there is a process shown at the same time that the logon
failure is enabled. Mapped drives with persistent connections, Scheduled
Tasks, or applications that need to use that user account are other
possibilities. Look in the Event Viewer of that computer to see if any error
events are recorded that may provide a clue. If still no clue see the link
below on downloading and using ALockout.dll. After installing it check it's
log for a process that is using the user's credentials at the same time as
the failed account logon events occur on the domain controller. --- Steve

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

"Bob" <Bob@discussions.microsoft.com> wrote in message
news:34D1F9E7-B726-4E92-8199-EFC053C22FC4@microsoft.com...
>I am getting the following in the DC event log 4 times every ten minutes:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 681
> Date: 10/29/2004
> Time: 10:53:41 AM
> User: NT AUTHORITY\SYSTEM
> Computer: MAS200
> Description:
> The logon to account: mooret
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: TIM-MOBILE
> failed. The error code was: 3221225586
>
> The mooret account has been disabled, but I have no idea what is running
> on
> the TIM-MOBILE workstation that is trying to logon to the DC. The person
> who
> used to have that machine was indeed mooret, but there are no services
> running on that workstation that use that account.
>
> How can I find out what it is and how to stop it. The workstation in
> question is running XP Pro.
>
> Thanks,
> Bob
>
>

• Next message: Steven L Umbach: "Re: NTFS Permissions question"
• Previous message: Steven L Umbach: "Re: What is the importance of deploying digital certificates on application servers in the domain ?"
• In reply to: Bob: "Failure Audit"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages Re: assign new user to workstation ... I understand that you create a new account ... workstation thru the Add User Wizard. ... we can logon each workstation with each domain user ... What error do you get when you try to logon OWA? ... (microsoft.public.windows.server.sbs) Re: assign new user to workstation ... I do not think the underscore in the account name will cause ... must change password at next logon" is enabled. ... After the user logon workstation and change the ... Microsoft CSS Online Newsgroup Support ... (microsoft.public.windows.server.sbs) The local policy of this system does not permit you to logon interactively ... workstation administrator rights. ... computer joins a domain - the domain administrator becomes ... the local administrator has logon rights to the sytem. ... > administrator account nor with my alternative account ... (microsoft.public.win2000.security) Re: auditing 1 AD account ... Blank workstation name usually means the login is coming from a non-windows ... > workstation name the user is trying to logon at, ... >>password, locking out the account. ... (microsoft.public.win2000.security) Re: pls help ... The logon to account: ibm ... from workstation: ASYLUM ... The error code was: 3221225572 ... (microsoft.public.win2000.security)

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint