S
spy
We are having issues with some user accounts locking. It's very odd.
I'd like to get some feedback on them, thank you
I think the following Event's maybe related.
PS: I removed specific names for security reasons.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 3/12/2008
Time: 9:12:52 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Pre-authentication failed:
User Name: XXX
User ID: XXX\User
Service Name: krbtgt/xxx.INC
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.1.13.23
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 3/12/2008
Time: 9:09:24 AM
User: NT AUTHORITY\SYSTEM
Computer: DARIEN-DC2
Description:
Authentication Ticket Request:
User Name: user
Supplied Realm Name: domain name
User ID: -
Service Name: krbtgt/xxx
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 10.196.10.158
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 3/12/2008
Time: 9:08:20 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.196.10.12
Source Port: 1090
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 3/12/2008
Time: 9:07:36 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Service Ticket Request:
User Name:
User Domain:
Service Name:
Service ID: -
Ticket Options: 0x40800000
Ticket Encryption Type: -
Client Address: 10.196.10.12
Failure Code: 0x25
Logon GUID: -
Transited Services: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 3/12/2008
Time: 9:07:14 AM
User: domain\user
Computer: DC1
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: computer
Object Name: CN=xxx,CN=Computers,DC=domain name,DC=com
Handle ID: -
Primary User Name: DC1$
Primary Domain: ZOTOS-A
Primary Logon ID: (0x0,0x3E7)
Client User Name: User$
Client Domain: Domain
Client Logon ID: (0x0,0x2C249147)
Accesses: Write Property
Properties:
---
Public Information
servicePrincipalName
computer
Additional Info:
Additional Info2:
Access Mask: 0x20
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 3/12/2008
Time: 8:37:11 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: user
Source Workstation: workstation
Error Code: 0xC0000071
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp
I'd like to get some feedback on them, thank you
I think the following Event's maybe related.
PS: I removed specific names for security reasons.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 3/12/2008
Time: 9:12:52 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Pre-authentication failed:
User Name: XXX
User ID: XXX\User
Service Name: krbtgt/xxx.INC
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.1.13.23
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 672
Date: 3/12/2008
Time: 9:09:24 AM
User: NT AUTHORITY\SYSTEM
Computer: DARIEN-DC2
Description:
Authentication Ticket Request:
User Name: user
Supplied Realm Name: domain name
User ID: -
Service Name: krbtgt/xxx
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x6
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 10.196.10.158
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 537
Date: 3/12/2008
Time: 9:08:20 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.196.10.12
Source Port: 1090
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 3/12/2008
Time: 9:07:36 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Service Ticket Request:
User Name:
User Domain:
Service Name:
Service ID: -
Ticket Options: 0x40800000
Ticket Encryption Type: -
Client Address: 10.196.10.12
Failure Code: 0x25
Logon GUID: -
Transited Services: -
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Directory Service Access
Event ID: 566
Date: 3/12/2008
Time: 9:07:14 AM
User: domain\user
Computer: DC1
Description:
Object Operation:
Object Server: DS
Operation Type: Object Access
Object Type: computer
Object Name: CN=xxx,CN=Computers,DC=domain name,DC=com
Handle ID: -
Primary User Name: DC1$
Primary Domain: ZOTOS-A
Primary Logon ID: (0x0,0x3E7)
Client User Name: User$
Client Domain: Domain
Client Logon ID: (0x0,0x2C249147)
Accesses: Write Property
Properties:
---
Public Information
servicePrincipalName
computer
Additional Info:
Additional Info2:
Access Mask: 0x20
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 3/12/2008
Time: 8:37:11 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: user
Source Workstation: workstation
Error Code: 0xC0000071
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp