Logins coming from macosx

[James]

Hello,
I am getting failure logins from a macosx machine on my
netowrk. when looking at that mac machine I dont see why
its logging in with that account. anyone have any ideas?

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 7/14/2004
Time: 2:46:19 PM
User: NT AUTHORITY\SYSTEM
Computer: EDOCMAIN
Description:
The logon to account: tedler
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ADMINISTRATORS-COMPUTER
failed. The error code was: 3221225578
-------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/14/2004
Time: 2:46:19 PM
User: NT AUTHORITY\SYSTEM
Computer: EDOCMAIN
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: tedler
Domain: EDOC
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: ADMINISTRATORS-COMPUTER
-----------------------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 7/14/2004
Time: 2:45:19 PM
User: NT AUTHORITY\SYSTEM
Computer: EDOCMAIN
Description:
The logon to account: tedler
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: ADMINISTRATORS-COMPUTER
failed. The error code was: 3221225578

 

[Nathan]

-----Original Message-----
Hello,
I am getting failure logins from a macosx machine on my
netowrk. when looking at that mac machine I dont see why
its logging in with that account. anyone have any

ideas?

http://support.microsoft.com/default.aspx?scid=kb;en-
us;140714

It could just be a file/printe share that another user
tried to access from the Mac workstation. Most likely the
account is disabled. Did the user "tedler" get removed or
disabled recently?

 

[Nathan]

The user tedler has not been disabled or removed. This

access attempts are happening over and over and keep
locking the tedler account.

OK, it was locked already in the event log you pasted,
that explains it.

I have rebooted the mac
machine and made sure it wasnt trying to access any
shares. Also I noticed it was using ntlm auth. I cant
figure out why it keeps trying to connect.

It is trying to access something on the server. Try
getting the tedler user to reset his password to the
previous password and tracking the users sessions and open
files on the server. Of course get "tedler" to log off of
any valid sessions and shut those systems down befor
trying to track it.

It could be something as smiple as a printer or folder
share. How/Where does Mac store any "recently accessed
files" links? Windows uses "Recent Documents" that
stores .lnk files that are shortcuts to the true file. If
an LNK uses a UNC path, it can hold some of the logon
credentials as well. Some kind of link exists to this Mac
computer, it's not doing it randomly, we can agree on that
right?

It has been too long since I've played with a Mac, but
hopefully I've given you an idea of what to look for.
Nobody else seems to want to touch this one anyway.

Good Luck,

Nathan

 

[James]

Looks like it was from a smb print share. It was using an
old password from when I installed it. weird thing is
that I changed domain passwords like a month ago and
decied to show up yesterday

 

[Nathan]

Looks like it was from a smb print share. It was using
an

old password from when I installed it. weird thing is
that I changed domain passwords like a month ago and
decied to show up yesterday

Yep, exactly what I was looking for.

Glad my pointers helped