Re: Can not figure out why?



Is the account logged into more than one machine, or is it running a service
on the same machine? A user could have mapped drives to a resource from one
machine; on a different machine he changes his password, and then the first
machine attempts to stay mapped to a drive, the password is no longer
correct, and it eventually locks the user out. Or, after a password is
changed, a service is running that attempts to authenticate with an old password.

To help try and track down where the account is getting locked out, use
eventcombMT.exe from the Account Lockout tools found on Microsoft's
website. Use the built-in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6CEA3914-0126-4C9B-8D25-E8BB7538D915@xxxxxxxxxxxxxxxx
Hi all,

We just renamed the built-in administrator account and got tons of failure
audits in the security log, as follows:
_______________________________________
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/10/2008
Time: 4:02:06 PM
User: NT AUTHORITY\SYSTEM
Computer: domain-controller-name
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: US
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: exchange-server-name
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.10.4
Source Port: 53185


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
________________________________________________

I checked all services and none of the services uses the administrator account
to log on. Can anyone help me with where I should look? (BTW, we are at
Windows 2000 native level with mixed Windows 2003 & Windows 2000 DCs and a
two-node A/P clustering Exchange 2003 SP2.) Did I break anything by renaming
the domain built-in administrator account?

Thank you.
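
One way to do the search step described in the reply, as an added example that is not part of the original thread or of Microsoft's tools: tally Event ID 529 failures for one account by workstation, source address and logon type. It assumes the events were exported to plain text with one "Field: value" pair per line, as in the event quoted above; the function names and sample records are constructed.

```python
import re
from collections import Counter

# Constructed sample export in the field layout of the event quoted in the
# thread: three 529 records and one non-529 record. Hosts/addresses are made up.
SAMPLE = """\
Event ID: 529
User Name: administrator
Logon Type: 3
Workstation Name: exchange-server-name
Source Network Address: 192.168.10.4
Event ID: 529
User Name: Administrator
Logon Type: 3
Workstation Name: exchange-server-name
Source Network Address: 192.168.10.4
Event ID: 529
User Name: jsmith
Logon Type: 2
Workstation Name: WKSTN-07
Source Network Address: -
Event ID: 540
User Name: administrator
Workstation Name: WKSTN-07
Source Network Address: 192.168.10.23
"""

def parse_events(text):
    """Split a text export into one dict of 'Field: value' pairs per event."""
    events = []
    for block in re.split(r"(?m)^(?=Event ID:)", text):
        fields = dict(re.findall(r"(?m)^([A-Za-z ]+?):[ \t]*(.*?)[ \t]*$", block))
        if fields:
            events.append(fields)
    return events

def failed_logon_sources(text, user):
    """Count Event ID 529 failures for `user` by (workstation, address, logon type)."""
    tally = Counter()
    for ev in parse_events(text):
        if ev.get("Event ID") == "529" and ev.get("User Name", "").lower() == user.lower():
            tally[(ev.get("Workstation Name", "-"),
                   ev.get("Source Network Address", "-"),
                   ev.get("Logon Type", "-"))] += 1
    return tally.most_common()

if __name__ == "__main__":
    for (wks, addr, ltype), n in failed_logon_sources(SAMPLE, "administrator"):
        print(f"{n:4d}  workstation={wks}  address={addr}  logon_type={ltype}")
```

The top entry names the machine to inspect for mapped drives, services or scheduled jobs still presenting the old account name or password.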


