Failure Audit

Guest

I am getting the following in the DC event log 4 times every ten minutes:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 10/29/2004
Time: 10:53:41 AM
User: NT AUTHORITY\SYSTEM
Computer: MAS200
Description:
The logon to account: mooret
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: TIM-MOBILE
failed. The error code was: 3221225586

The mooret account has been disabled, but I have no idea what is running on
the TIM-MOBILE workstation that is trying to log on to the DC. The person who
used to have that machine was indeed mooret, but there are no services
running on that workstation that use that account.

How can I find out what it is and how to stop it? The workstation in
question is running XP Pro.

Thanks,
Bob
 
Steven L Umbach

You might try to temporarily enable auditing of process tracking on that
computer to see if there is a process shown at the same time that the logon
failure is enabled. Mapped drives with persistent connections, Scheduled
Tasks, or applications that need to use that user account are other
possibilities. Look in the Event Viewer of that computer to see if any error
events are recorded that may provide a clue. If still no clue, see the link
below on downloading and using ALockout.dll. After installing it, check its
log for a process that is using the user's credentials at the same time as
the failed account logon events occur on the domain controller. --- Steve

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
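
An added example, not part of the original posts: the error code 3221225586 in the event above is the decimal form of an NTSTATUS value, and the correlation suggested in the reply can be scripted once the DC failures and the workstation's process-tracking events are exported. The process records, the hypothetical `example_sync.exe` image name and the 30-second window are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Subset of NTSTATUS codes that appear in logon failure audits.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}

EVENT_681 = re.compile(
    r"logon to account:\s*(?P<account>\S+)\s+by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+failed\.\s*"
    r"The error code was:\s*(?P<code>\d+)")

def parse_681(description):
    """Extract fields from an Event 681 description and decode the decimal code."""
    m = EVENT_681.search(description)
    if m is None:
        return None
    code = int(m["code"])
    return {"account": m["account"], "workstation": m["workstation"],
            "status_hex": f"0x{code:08X}",
            "status_name": NTSTATUS.get(code, "UNKNOWN")}

def rank_suspects(failure_times, process_events, window_s=30):
    """Count, per process image, how many failures it started close to."""
    # Symmetric window tolerates clock skew between the DC and the workstation.
    window = timedelta(seconds=window_s)
    hits = Counter()
    for failed_at in failure_times:
        hits.update({img for ts, img in process_events
                     if abs(ts - failed_at) <= window})
    return hits.most_common()

def t(hms):
    return datetime.strptime("10/29/2004 " + hms, "%m/%d/%Y %H:%M:%S")

# Description text as posted in the thread.
SAMPLE_681 = ("The logon to account: mooret\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
              "from workstation: TIM-MOBILE\nfailed. The error code was: 3221225586")
# Constructed data: DC failure times and workstation process-start records.
FAILURES = [t("10:53:41"), t("10:56:11"), t("10:58:41")]
PROCESSES = [(t("10:53:30"), "explorer.exe"), (t("10:53:39"), "example_sync.exe"),
             (t("10:54:50"), "notepad.exe"), (t("10:56:10"), "example_sync.exe"),
             (t("10:58:40"), "example_sync.exe")]

if __name__ == "__main__":
    print(parse_681(SAMPLE_681))
    print(rank_suspects(FAILURES, PROCESSES))
```

A process image that coincides with every failure, rather than just one, is the one worth inspecting for stored credentials.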
 
Guest

Thanks Steven! I'll give those a try.

Steven L Umbach said:
You might try to temporarily enable auditing of process tracking on that
computer to see if there is a process shown at the same time that the logon
failure is enabled. Mapped drives with persistent connections, Scheduled
Tasks, or applications that need to use that user account are other
possibilities. Look in the Event Viewer of that computer to see if any error
events are recorded that may provide a clue. If still no clue, see the link
below on downloading and using ALockout.dll. After installing it, check its
log for a process that is using the user's credentials at the same time as
the failed account logon events occur on the domain controller. --- Steve

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
 
