Re: Can not figure out why?

---

• From: "Lanwench [MVP - Exchange]" <lanwench@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Mon, 10 Mar 2008 16:51:39 -0400

---

John <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:

Hi all,

We just rename the build-in administrator account and got tons of
failure audit on the security log as follows:
_______________________________________
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/10/2008
Time: 4:02:06 PM
User: NT AUTHORITY\SYSTEM
Computer: domain-controller-name
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: US
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: exchange-server-name
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.10.4
Source Port: 53185


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
________________________________________________

I checked all service and none of service uses administrator account
to logon. Can anyone help me where I should go to look at? BTW, we
are at windows 2000 native level with mixed windows 2003 &windows
2000 DCs and Two node A/P clustering exchange 2003 SP2) Did I break
anything by renaming domain built-in administrator account?

Thank you.

Scheduled tasks? Something on another server?

Rrenaming the administrator account shouldn't cause problems - but don't
think it gives you any real security benefit. Any hacker worth his or her
salt is looking for the SID, not the name. I'm not a great believer in
security by obscurity.


.

---

• Follow-Ups:
  • Re: Can not figure out why?
    • From: John

• Prev by Date: Create 2500 Contacts excel with Hebrew
• Next by Date: Re: Recommendations for upgrading Windows 2000 AD in a lab environment
• Previous by thread: Create 2500 Contacts excel with Hebrew
• Next by thread: Re: Can not figure out why?
• Index(es):
  • Date
  • Thread

---

Relevant Pages change administrator password ... the Security Event Viewer. ... Is there a procedure to follow when changing the administrator password, ... Event Type: Failure Audit ... Logon Failure: ... (microsoft.public.win2000.security) Rogue Workstation? ... I noticed the following entries in the Security log of one of my Windows ... Event Type: Failure Audit ... The logon to account: Administrator ... (microsoft.public.windows.server.active_directory) Re: Help - RPC over http credential issue ... I am showing the following errors in my DC event security log: ... Event Type: Failure Audit ... Logon Failure: ... (microsoft.public.exchange.setup) Re: Security failures ... I send a copy of the text to the security people who contact the person at the noted workstation and tell them not to run scripts or programs which check every machine on every domain in the world. ... Event Type: Failure Audit ... An unexpected error occurred during logon ... (microsoft.public.win2000.general) Security failures ... I have been geeting the fallowing errors often in my security log. ... Event Type: Failure Audit ... An unexpected error occurred during logon ... (microsoft.public.win2000.general)

---

We are proud to have Web Hosting and Rack Housing from 9 Net Avenue Deutschland.
(17)