On my company webserver which is also a front end for exchange web portal a certain domain user is appearing in the security log every 10 minutes with 2 failure audits. Because of this after 3 attempts (as per our policy) the users account gets locked out. I have NO idea what in the world is doing It. I've been all over the internet trying to figure out what to do. Here are the exact entries in the audit log. Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 529 Date: 12/13/2011 Time: 10:10:52 AM User: NT AUTHORITY\SYSTEM Computer: <ServerName> Description: Logon Failure: Reason: Unknown user name or bad password User Name: <UserName> Domain: Logon Type: 3 Logon Process: Advapi Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: <ServerName> Caller User Name: <ServerName>$ Caller Domain: ADMIN Caller Logon ID: (0x0,0x3E7) Caller Process ID: 1888 Transited Services: - Source Network Address: - Source Port: - That one is ALWAYS accompanied by this other one. Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 680 Date: 12/13/2011 Time: 10:10:52 AM User: NT AUTHORITY\SYSTEM Computer: <ServerName> Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: <UserName> Source Workstation: <ServerName> Error Code: 0xC0000064 I've check both this person's workstation (which is windows 7) for viruses and spyware and it looks clean. I've checked the server for viruses and spyware and it also looks clean. I've deleted everything out of her credential manager on her computer. I've checked the processes and nothing looks weird on the server or her machine. Please help!

This one may help. http://eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1 Regards, Dave Patrick .... Microsoft Certified Professional Microsoft MVP [Windows]

do you have any 644 events? some useful articles (the keywords are account+lockout): http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx http://esense.be/33/2010/01/11/how-to-troubleshoot-account-lockouts/Don