Domain Account Lockout


For the last couple of weeks my domain account is constantly getting locked out.

I used eventcombe and found the source to be a standalone server not part of the domain.

After looking at the security event logs on the source server "serverA", I found numerous "552 event IDs".

These messages suggest a process with PID 712 is making several connections to all member servers in the domain.

712 in taskmgr corresponds to "svchost /Network Service" with remote procedure call as its sole child process.

I have tried numerous things to figure out what is calling this process but no luck so far. Recreated my profile, unmapped all network drives, checked scheduled tasks, scripts etc.

This is really driving me nuts, so if somebody can help me out with this I would be eternally grateful!

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 1/20/2010
Time: 6:04:33 AM
User: NT AUTHORITY\SYSTEM
Computer: ServerA
Description:
Logon attempt using explicit credentials:
  Logged on user:
    User Name: ServerA$
    Domain: WORKGROUP
    Logon ID: (0x0,0x3E7)
    Logon GUID: -
  User whose credentials were used:
    Target User Name: "my username"
    Target Domain: "Domain Name"
    Target Logon GUID: -
  Target Server Name: Member Server
  Target Server Info: Member server
  Caller Process ID: 712
  Source Network Address: -
  Source Port: -

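As an added example (not part of the original posts): a Python sketch that parses event 552 descriptions in the field layout quoted above and counts explicit-credential logon attempts per caller PID, account and target server, so the process and credential pair that is fanning out across member servers stands out. The sample events, the accounts `jdoe` and `svc_backup`, the domain `EXAMPLE`, the server names and the blank-line-between-events export layout are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample in the field layout of the event quoted in the post.
# jdoe, svc_backup, EXAMPLE and member01/02 are placeholders, not real values.
# Assumption: the exported text separates events with a blank line.
TEMPLATE = """Event ID: {eid}
Logged on user:
  User Name: ServerA$
User whose credentials were used:
  Target User Name: {user}
  Target Domain: EXAMPLE
  Target Server Name: {server}
Caller Process ID: {pid}
"""
ROWS = [("552", "jdoe", "member01", "712"), ("552", "jdoe", "member02", "712"),
        ("552", "jdoe", "member01", "712"), ("540", "jdoe", "member01", "712"),
        ("552", "svc_backup", "member01", "1408")]
SAMPLE = "\n".join(TEMPLATE.format(eid=e, user=u, server=s, pid=p) for e, u, s, p in ROWS)

# "Name: value" lines; section headers such as "Logged on user:" have no value.
FIELD = re.compile(r"^\s*([^:]+):\s*(\S.*)$")

def parse_events(text):
    """Return one dict of fields per event 552 found in the export."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {m.group(1).strip(): m.group(2).strip()
                  for m in map(FIELD.match, block.splitlines()) if m}
        if fields.get("Event ID") == "552":   # ignore other logon events
            events.append(fields)
    return events

def summarize(events):
    """Count attempts per (caller PID, account used, target server)."""
    counts = Counter()
    for e in events:
        account = e.get("Target Domain", "?") + "\\" + e.get("Target User Name", "?")
        counts[(e.get("Caller Process ID", "?"), account, e.get("Target Server Name", "?"))] += 1
    return counts

def fan_out(counts):
    """Per (PID, account): how many distinct target servers were contacted."""
    servers = {}
    for pid, account, server in counts:
        servers.setdefault((pid, account), set()).add(server)
    return {key: len(targets) for key, targets in servers.items()}

if __name__ == "__main__":
    print(fan_out(summarize(parse_events(SAMPLE))))
```

A PID and account pair with a high fan-out is the one to map back to its hosted services on the source server.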


If you have changed your password lately, and have programs that use auto-logon, you can have this problem. For example, my email client automatically goes out and gets my email. One time I changed my domain password and was using a different computer. Then my account kept getting locked out and it took me a while to realise my other computer was trying to get email with the old password.


Yeah, I suppose that could happen to people, but in my case the Exchange is in a separate domain, separate subnet, so we can safely rule that out. It's just that I am finding it difficult to identify what's calling this "svchost - network service".

I mean, something is obviously telling it to go out on the network and do something; just cannot figure out what.
