advapi failed login locking account

feather1079

I am having a problem with my account getting locked out. I ran a query
through our domain's audit logs and it shows my personal domain admin account
failing login:

Logon Failure:
Reason: Unknown user name or bad password
User Name: my account
Domain: our domain
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: random workstation

It logs a failure every day at the same time but each occurrence is for a
different workstation. I have not tried to login at any of these workstations
as they are at different sites from the one I work at.

Judging from the fact the time is identical on each event I am assuming it
is a program running that is causing it rather than somebody physically at
the device. Any automated task would not have been set up with my account for
authentication.

Is there a way I can tell where these login attempts are originating from?
Any other ideas?
 
nass

feather1079 said:
I am having a problem with my account getting locked out. I ran a query
through our domain's audit logs and it shows my personal domain admin account
failing login:

Logon Failure:
Reason: Unknown user name or bad password
User Name: my account
Domain: our domain
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: random workstation

It logs a failure every day at the same time but each occurrence is for a
different workstation. I have not tried to login at any of these workstations
as they are at different sites from the one I work at.

Judging from the fact the time is identical on each event I am assuming it
is a program running that is causing it rather than somebody physically at
the device. Any automated task would not have been set up with my account for
authentication.

Is there a way I can tell where these login attempts are originating from?
Any other ideas?


It is most likely an application/AV running with/under a local
account/network account and causing this error to be logged, or you are using
a policy to force users to change their password after a period of time and
they didn't!
Please read this info; there are also some tools. Read about them first, then
see which one will help to pinpoint the culprit in this scenario!
Event Message:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/w2000Msgs/5410.mspx?mfr=true

http://www.secnewsgroups.net/group/microsoft.public.win2000.security/topic573.aspx
http://www.pcreview.co.uk/forums/thread-250761.php

NETDEVIL.12 (NetDevil 1.2) VIRUS.
http://www.liutilities.com/products/wintaskspro/processlibrary/advapi/
Logon Process is ADVAPI. ADVAPI is the DLL for advanced Windows APIs
http://blogs.msdn.com/puneetgupta/a...name-or-bad-password-inetinfo-exe-advapi.aspx
Unknown user name or bad password
http://forums11.itrc.hp.com/service...447626+1221682361219+28353475&threadId=109441

http://forums.microsoft.com/MSDN/ShowPost.aspx?PostID=302271&SiteID=1
You can use Wireshark to analyze your traffic:
http://www.wireshark.org/
PsTools v2.44
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
Insight for Active Directory v1.01 - real-time monitoring tool aimed at
troubleshooting Active Directory client applications
http://technet.microsoft.com/en-us/sysinternals/bb897539.aspx
Scan file shares on your network and view their security settings to close
security holes.

TCPView
http://technet.microsoft.com/en-us/sysinternals/bb897442.aspx
No harm in running a thorough scan on the machine and the server to make sure
all is clean. Also use an offline scanner besides the natively installed AV on the
machine and the server to get a clear picture of how clean the network is!
HTH,
nass
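
Added example (not part of either post): a Python script that reads failure records in the layout quoted above, clusters one account's failures by time of day, and lists the workstations behind any cluster that recurs on several days, which is the pattern the question describes. The "Logged:" timestamp line, the account and workstation names, and the function names are assumptions made for the example.

```python
import re
from datetime import datetime

# Record layout follows the event text quoted in the thread; the "Logged:"
# timestamp line and every value below are constructed for this example.
TEMPLATE = ("Logged: {}\nLogon Failure:\nReason: Unknown user name or bad password\n"
            "User Name: {}\nDomain: EXAMPLE\nLogon Type: {}\nLogon Process: {}\n"
            "Authentication Package: Negotiate\nWorkstation Name: {}\n")
SAMPLE = "\n".join(TEMPLATE.format(*row) for row in [
    ("2008-09-15 02:00:07", "jdoe-admin", 2, "Advapi", "WKS-SITEA-014"),
    ("2008-09-15 09:41:30", "jdoe-admin", 3, "NtLmSsp", "WKS-HQ-002"),
    ("2008-09-16 02:00:05", "jdoe-admin", 2, "Advapi", "WKS-SITEB-101"),
    ("2008-09-17 01:59:58", "jdoe-admin", 2, "Advapi", "WKS-SITEC-033"),
    ("2008-09-17 02:00:06", "svc-backup", 2, "Advapi", "WKS-SITEC-033"),
])

def parse_events(text):
    """Split the export into one dict of fields per 'Logged:' record."""
    events = []
    for block in re.split(r"(?m)^(?=Logged:)", text):
        fields = dict(re.findall(r"(?m)^([A-Za-z ]+):[ \t]*(\S.*)$", block))
        if "User Name" in fields and "Logged" in fields:
            fields["when"] = datetime.strptime(fields["Logged"], "%Y-%m-%d %H:%M:%S")
            events.append(fields)
    return events

def recurring_failures(events, user, tolerance_s=120, min_days=3):
    """Cluster one user's failures by time of day (gap <= tolerance_s) and keep
    clusters seen on >= min_days dates. Clusters straddling midnight are not merged."""
    def sod(e):  # seconds since midnight
        return e["when"].hour * 3600 + e["when"].minute * 60 + e["when"].second
    hits = sorted((e for e in events if e["User Name"].lower() == user.lower()), key=sod)
    clusters = []
    for e in hits:
        if clusters and sod(e) - sod(clusters[-1][-1]) <= tolerance_s:
            clusters[-1].append(e)   # same daily slot, even across a minute boundary
        else:
            clusters.append([e])
    report = []
    for c in clusters:
        days = {e["when"].date() for e in c}
        if len(days) >= min_days:
            report.append({
                "time_of_day": c[0]["when"].strftime("%H:%M:%S"),
                "days": len(days),
                "workstations": sorted({e["Workstation Name"] for e in c}),
                "logon": sorted({(e["Logon Type"], e["Logon Process"]) for e in c}),
            })
    return report
```

Calling `recurring_failures(parse_events(SAMPLE), "jdoe-admin")` returns one cluster around 02:00 with three workstations; those are the machines to inspect for whatever runs at that time.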
 
