Re: Can not figure out why?
- From: "Kurt" <kurtdillard@xxxxxxx>
- Date: Mon, 10 Mar 2008 20:25:00 -0200
Did you log off and log back on? If you changed the account name without re-establishing all of your network sessions, the PC where you logged in is going to be sending cached credentials that conflict with what's now stored on the domain controllers.
--
Regards,
Kurt Dillard
Want some good security information? Check out some of my recent work...
• NIST Special Publication 800-28 Version 2, Guidelines on Active Content and Mobile Code (reviewer):
http://csrc.nist.gov/publications/PubsSPs.html#800-28_Version2
• Windows Server 2008 Security Resource Kit (coauthor):
http://www.microsoft.com/MSPress/books/11841.aspx
• Windows Server 2008 Security Guide on TechNet (coauthor):
www.microsoft.com/wssg
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:DD062C35-6942-4E04-ABFB-D1E145A93B1E@xxxxxxxxxxxxxxxx
Thanks for the help..
I can not find any scheduled task running as administrator. Why did only
this exchange server get security event 629 and 680 every second?
Any ideas?
Thank you.
"Lanwench [MVP - Exchange]" wrote:
John <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi all,
>
> We just renamed the built-in administrator account and got tons of
> failure audit on the security log as follows:
> _______________________________________
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 3/10/2008
> Time: 4:02:06 PM
> User: NT AUTHORITY\SYSTEM
> Computer: domain-controller-name
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: administrator
> Domain: US
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: exchange-server-name
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: 192.168.10.4
> Source Port: 53185
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
> ________________________________________________
>
> I checked all services and none of the services uses the administrator account
> to log on. Can anyone help me with where I should go to look? (BTW, we
> are at Windows 2000 native level with mixed Windows 2003 & Windows
> 2000 DCs and two-node A/P clustering Exchange 2003 SP2.) Did I break
> anything by renaming the domain built-in administrator account?
>
> Thank you.
Scheduled tasks? Something on another server?
Renaming the administrator account shouldn't cause problems - but don't
think it gives you any real security benefit. Any hacker worth his or her
salt is looking for the SID, not the name. I'm not a great believer in
security by obscurity.
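
Added example, not part of any post in this thread: one way to find which machine is generating the 529 failures is to tally exported Security log text by user name, workstation name and source address. The function names and the sample records (including `jdoe`, `ws-example` and `192.0.2.15`) are constructed for illustration; the field layout is the one in the event quoted above.

```python
import re
from collections import Counter

# Matches "Field Name: value" lines, with or without leading "> " quote marks.
FIELD = re.compile(r"^\s*(?:>\s*)*([A-Za-z /]+?):[ \t]*(.*)$")

def parse_events(text):
    """Split exported event text into one dict per event."""
    events, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":          # first field of every event record
            current = {}
            events.append(current)
        if current is not None:
            current[key] = value
    return events

def failed_logon_sources(events, event_id="529"):
    """Count failure audits per (user, workstation, source address, logon type)."""
    tally = Counter()
    for e in events:
        if e.get("Event Type") == "Failure Audit" and e.get("Event ID") == event_id:
            tally[(e.get("User Name", "?"), e.get("Workstation Name", "?"),
                   e.get("Source Network Address", "?"), e.get("Logon Type", "?"))] += 1
    return tally.most_common()

def _sample_event(user, workstation, address, time):
    # Constructed record in the layout of the event quoted in the thread.
    return ("> Event Type: Failure Audit\n> Event Source: Security\n"
            "> Event ID: 529\n"
            f"> Time: {time}\n> Description:\n> Logon Failure:\n"
            "> Reason: Unknown user name or bad password\n"
            f"> User Name: {user}\n> Domain: US\n> Logon Type: 3\n"
            f"> Workstation Name: {workstation}\n"
            f"> Source Network Address: {address}\n> Source Port: 53185\n>\n")

SAMPLE = (_sample_event("administrator", "exchange-server-name", "192.168.10.4", "4:02:06 PM")
          + _sample_event("administrator", "exchange-server-name", "192.168.10.4", "4:02:07 PM")
          + _sample_event("jdoe", "ws-example", "192.0.2.15", "4:02:09 PM"))

if __name__ == "__main__":
    for (user, host, addr, ltype), n in failed_logon_sources(parse_events(SAMPLE)):
        print(f"{n:4d}  user={user}  workstation={host}  source={addr}  logon_type={ltype}")
```

A single workstation and source address dominating the tally for the old account name points at that host as the place to look for a stale session, service or task.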