Re: Can not figure out why?
- From: John <John@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 11 Mar 2008 07:29:00 -0700
Thanks for your help.
I did log off and log back on after renaming the built-in administrator. What
I do not get is that only the Exchange server generated 629, 672 and 680 event
IDs every second on the domain controllers. Do I need to reset the security
channel between the Exchange server and the domain controller?
"Kurt" wrote:
Did you log off and log back on? If you changed the account name without
re-establishing all of your network sessions, the PC where you logged in is
going to be sending cached credentials that conflict with what's now stored
on the domain controllers.
--
Regards,
Kurt Dillard
Want some good security information? Check out some of my recent work...
• NIST Special Publication 800-28 Version 2, Guidelines on Active Content
and Mobile Code (reviewer):
http://csrc.nist.gov/publications/PubsSPs.html#800-28_Version2
• Windows Server 2008 Security Resource Kit (coauthor):
http://www.microsoft.com/MSPress/books/11841.aspx
• Windows Server 2008 Security Guide on TechNet (coauthor):
www.microsoft.com/wssg
"John" <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DD062C35-6942-4E04-ABFB-D1E145A93B1E@xxxxxxxxxxxxxxxx
Thanks for the help.
I can not find any scheduled task running as administrator. Why did only
this Exchange server get security events 629 and 680 every second?
Any ideas?
Thank you.
"Lanwench [MVP - Exchange]" wrote:
John <John@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
Hi all,
We just renamed the built-in administrator account and got tons of
failure audits in the security log as follows:
_______________________________________
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/10/2008
Time: 4:02:06 PM
User: NT AUTHORITY\SYSTEM
Computer: domain-controller-name
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: administrator
Domain: US
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: exchange-server-name
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.10.4
Source Port: 53185
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
________________________________________________
I checked all services and none of the services uses the administrator
account to log on. Can anyone help me with where I should look? BTW, we
are at Windows 2000 native level with mixed Windows 2003 & Windows
2000 DCs and a two-node A/P clustered Exchange 2003 SP2. Did I break
anything by renaming the domain built-in administrator account?
Thank you.
Scheduled tasks? Something on another server?
Renaming the administrator account shouldn't cause problems - but I don't
think it gives you any real security benefit. Any hacker worth his or her
salt is looking for the SID, not the name. I'm not a great believer in
security by obscurity.
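
An added example, not part of any post in this thread: one way to find where repeated 529 failures originate is to parse a text export of the Security log and tally failures by user name, workstation, source address and logon process. The function names and the sample records are assumptions made for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*?)\s*$")
RULE = re.compile(r"^_{5,}\s*$", re.M)   # underscore rule between records

def parse_events(text):
    """Return one {field: value} dict per record in an exported Security log."""
    events = []
    for chunk in RULE.split(text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):         # skips bare headers like "Description:"
                fields.setdefault(m.group(1), m.group(2))
        if "Event ID" in fields:
            events.append(fields)
    return events

def failed_logon_sources(events, event_id="529"):
    """Tally failures by (user, workstation, source address, logon process)."""
    tally = Counter()
    for e in events:
        if e.get("Event ID") == event_id:
            tally[(e.get("User Name", "?").lower(),
                   e.get("Workstation Name", "?"),
                   e.get("Source Network Address", "?"),
                   e.get("Logon Process", "?"))] += 1
    return tally.most_common()

# Constructed sample in the layout of the quoted event; "jsmith", "workstation-17"
# and 192.168.10.50 are made up; the 680 row reuses the 529 layout to show the filter.
RECORD = """Event Type: Failure Audit
Event ID: {}
Time: {}
Description:
User Name: {}
Logon Process: NtLmSsp
Workstation Name: {}
Source Network Address: {}
"""
ROWS = [("529", "4:02:06 PM", "administrator", "exchange-server-name", "192.168.10.4"),
        ("529", "4:02:07 PM", "Administrator", "exchange-server-name", "192.168.10.4"),
        ("529", "4:02:09 PM", "jsmith", "workstation-17", "192.168.10.50"),
        ("680", "4:02:09 PM", "administrator", "exchange-server-name", "192.168.10.4")]
SAMPLE = ("_" * 40 + "\n").join(RECORD.format(*r) for r in ROWS)
if __name__ == "__main__":
    for key, count in failed_logon_sources(parse_events(SAMPLE)):
        print(count, *key)
```

The top row of the tally names the workstation and source address to inspect first for services, scheduled tasks, mapped drives or stored credentials that still present the old account name.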