touchstone_81 Posted January 20, 2010

For the last couple of weeks my domain account is constantly getting locked out. I used EventComb and found the source to be a standalone server not part of the domain. After looking at the security event logs on source server "serverA" I found numerous "552 event ID's". These messages suggest process with PID 712 is making several connections to all member servers in the domain. 712 in taskmgr corresponds to "svchost /Network Service" with remote procedure call as its sole child process. I have tried numerous things to figure out what is calling this process but no luck so far. Recreated my profile, unmapped all network drives, checked scheduled tasks, scripts etc. This is really driving me nuts so if somebody can help me out with this I would be eternally grateful!

Event Type: Success Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 552
Date: 1/20/2010
Time: 6:04:33 AM
User: NT AUTHORITY\SYSTEM
Computer: ServerA
Description:
Logon attempt using explicit credentials:
 Logged on user:
   User Name: ServerA$
   Domain: WORKGROUP
   Logon ID: (0x0,0x3E7)
   Logon GUID: -
 User whose credentials were used:
   Target User Name: "my username"
   Target Domain: "Domain Name"
   Target Logon GUID: -
 Target Server Name: Member Server
 Target Server Info: Member server
 Caller Process ID: 712
 Source Network Address: -
 Source Port: -

Tripredacus Posted January 20, 2010

If you have changed your password lately, and have programs that use auto-logon, you can have this problem. For example, my email client automatically goes out and gets my email. One time I changed my domain password and was using a different computer. Then my account kept getting locked out and it took me a while to realise my other computer was trying to get email with the old password.

touchstone_81 Posted January 20, 2010

Yeah, I suppose that could happen to people but in my case the Exchange is in a separate domain, separate subnet so we can safely rule that out. It's just that I am finding it difficult to identify what's calling this "svchost - network service". I mean something is obviously telling it to go out on the network and do something, just cannot figure out what.
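
The 552 event quoted in the first post carries the fields needed to see which caller process and which target servers are involved. As an added example, not posted by anyone in this thread, this Python script tallies 552 records from an Event Viewer text export by caller PID and target server for one account; the sample records and the names jdoe, svc_backup, CORP, FS01 and FS02 are constructed.

```python
import re
from collections import Counter

FIELDS = ("Event ID", "Target User Name", "Target Domain",
          "Target Server Name", "Caller Process ID")
FIELD_RE = re.compile(
    r"^[ \t]*(%s):[ \t]*(.*?)[ \t\r]*$" % "|".join(FIELDS), re.M)

def parse_events(text):
    """Split an Event Viewer text export into one dict of FIELDS per record."""
    records = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        rec = dict(FIELD_RE.findall(chunk))
        if rec:
            records.append(rec)
    return records

def explicit_logons(text, account):
    """Count 552 events per (caller PID, target server) for one account."""
    tally = Counter()
    for rec in parse_events(text):
        user = rec.get("Target User Name", "").strip('"').lower()
        if rec.get("Event ID") == "552" and user == account.lower():
            tally[(rec.get("Caller Process ID", "?"),
                   rec.get("Target Server Name", "?"))] += 1
    return tally

# Constructed sample export; every name and PID pairing below is made up.
_REC = """Event Type: Success Audit
Event Category: Logon/Logoff
Event ID: 552
Computer: ServerA
Description:
Logon attempt using explicit credentials:
 User whose credentials were used:
   Target User Name: {user}
   Target Domain: CORP
 Target Server Name: {server}
 Caller Process ID: {pid}
"""
SAMPLE = "".join(_REC.format(user=u, server=s, pid=p) for u, s, p in [
    ("jdoe", "FS01", "712"), ("jdoe", "FS02", "712"),
    ("JDoe", "FS01", "712"), ("svc_backup", "FS01", "1480"),
]) + "Event Type: Success Audit\nEvent ID: 538\nDescription:\nUser Logoff:\n"

if __name__ == "__main__":
    for (pid, server), n in explicit_logons(SAMPLE, "jdoe").most_common():
        print(f"PID {pid} -> {server}: {n} attempt(s) with jdoe's credentials")
```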