RE: Multiple Log In Attempts on SBiz DC
- From: v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
- Date: Fri, 07 Dec 2007 11:26:29 GMT
Hi Jason,
Thanks for your reply.
After you made a clean boot, the event didn't appear again. It seems the
problem is caused by third-party software. You can arrange time to disable
Trend Micro software to see if the problem will disappear. If so, we can
narrow down that Trend Micro is the root cause. On how to remove your older
account information in Trend Micro, since that's a third-party product,
please contact the manufacturer for more help. Thanks for your understanding.
If you need further assistance, please don't hesitate to let me know.
Best regards,
Robert Li(MSFT)
Microsoft CSS Online Newsgroup Support
Get Secure! - www.microsoft.com/security
=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.
Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.
For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.
Any input or comments in this thread are highly appreciated.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
<From: v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
<Organization: Microsoft
<Date: Thu, 06 Dec 2007 03:34:19 GMT
<Subject: RE: Multiple Log In Attemps on SBiz DC
<
<Hi Jason,
<
<Thanks for your reply.
<
<Based on my research, this issue may be caused by third-party software.
<Please try a clean boot to check. A clean boot will not affect your
<logging on via RDP; it only disables third-party services.
<
<Note: When you run the msconfig command, please click the Services tab and
<select Hide All Microsoft Services and Disable All third-party services, not
<disabling all Microsoft services.
<
<I researched your logs and found the following events:
<
<Event ID: 538
<Date: 12/5/2007
<Time: 4:59:13 PM
<Description:
<User Logoff:
< User Name: Norseld.Jason
< Domain: NORSELD
< Logon ID: (0x0,0x8B6D671)
< Logon Type: 10
<
<
<Event ID: 682
<Date: 12/5/2007
<Time: 4:59:02 PM
<Description:
<Session reconnected to winstation:
< User Name: norseld.jason
< Domain: NORSELD
< Logon ID: (0x0,0x8AD8D59)
< Session Name: RDP-Tcp#12
< Client Name: ELITE
< Client Address: x.x.x.x
<
<Event ID: 682
<Date: 12/5/2007
<Time: 4:59:02 PM
<
<Session reconnected to winstation:
< User Name: norseld.jason
< Domain: NORSELD
< Logon ID: (0x0,0x8AD8D59)
< Session Name: RDP-Tcp#12
< Client Name: ELITE
< Client Address: x.x.x.x
<
<All the user names are Norseld.Jason, not the Jason.surname as you said in
<the post. Logon Type is 10; this shows a user logged on to this computer
<remotely using Terminal Services or a Remote Desktop connection.
<
<Please let me know if you RDP to the server with username: Norseld.Jason. If
<not, please reset the password for Norseld.Jason and try again. Also check
<if x.x.x.x is the IP address of your workstation.
<
<Based on my experience, the RPC over HTTP for Outlook and RDP feature will
<not cause potential network risk and is not the root cause of this issue.
<So it's not recommended to disable them.
<
<I am looking forward to hearing from you.
<
<If you need further assistance, please don't hesitate to let me know.
<
<Best regards,
<
<Robert Li(MSFT)
<
<Microsoft CSS Online Newsgroup Support
<
<Get Secure! - www.microsoft.com/security
<
<
<--------------------
<<From: v-robeli@xxxxxxxxxxxxxxxxxxxx (Robert Li [MSFT])
<<Organization: Microsoft
<<Date: Thu, 06 Dec 2007 02:36:47 GMT
<<Subject: RE: Multiple Log In Attemps on SBiz DC
<<
<<From customer's e-mail:
<<
<<Hi Robert
<<Thanks for your reply.
<<Please find attached the security log files - the problematic account is
<<Jason.Vassos
<<
<<In answer to your questions:
<<1.) Remote admin was RDP
<<2.) Yes, my account belongs to the domain admins account
<<3.) There are no stored user passwords on the server - have checked, nothing
<<to clear
<<4.) I have checked all of the services and none of them attempt to run
<<under my old account. Please let me know if you require me to follow this
<<step through fully - run msconfig and then disable the Microsoft services -
<<I didn't do this as I was unsure if I could remote desktop back in (my only
<<way to do admin on the server at the moment - if a console session is
<<required I can try and make time to go onsite later this week.)
<<5.) I have checked and the scheduled tasks do not run under my disabled
<<account
<<
<<I have suggested that they use https OWA instead of RDPing into the server
<<to start an Outlook session.
<<Also have suggested implementing a VPN and disabling 3389 on the router as
<<it just invites someone to have a crack.
<<
<<Thanks again for your - really appreciate it.
<<Regards
<<Jason Vassos
<<
<<
<
<
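The check described in the quoted reply (which account logged on with Logon Type 10, and from which client), as an added example that is not part of the original thread: it parses event text in the layout quoted above and groups the RDP evidence per account, folding case because Windows account names are case-insensitive. The sample events, account, client name and address are constructed placeholders, and the function names are hypothetical.

```python
import re
# Constructed, abridged sample in the layout of the events quoted in the
# thread (pre-Vista Security log IDs 538 and 682); all values are placeholders.
SAMPLE = """\
Event ID: 538
Description:
User Logoff:
 User Name: Example.User
 Domain: EXAMPLE
 Logon ID: (0x0,0x1A2B3C)
 Logon Type: 10

Event ID: 682
Description:
Session reconnected to winstation:
 User Name: example.user
 Domain: EXAMPLE
 Logon ID: (0x0,0x1A2B00)
 Session Name: RDP-Tcp#1
 Client Name: WKSTN01
 Client Address: 192.0.2.10
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split on 'Event ID:' lines and return one dict of fields per event."""
    events = []
    for block in re.split(r"(?m)^(?=Event ID:)", text):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):  # skip label-only lines such as 'Description:'
                fields[m.group(1).strip()] = m.group(2).strip()
        if "Event ID" in fields:
            events.append(fields)
    return events

def remote_sessions(events):
    """Group RDP evidence (Logon Type 10 or a 682 reconnect) per account."""
    seen = {}
    for e in events:
        if e.get("Logon Type") == "10" or e["Event ID"] == "682":
            key = f'{e.get("Domain", "?")}\\{e.get("User Name", "?")}'.lower()
            entry = seen.setdefault(key, {"events": 0, "clients": set()})
            entry["events"] += 1
            if "Client Address" in e:  # only 682 carries the client details
                entry["clients"].add((e.get("Client Name", "?"), e["Client Address"]))
    return seen
```

Each account in the result can then be compared against the accounts and workstations that are expected to use Remote Desktop on the server.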