Event ID 529 & 680 Every 10 Minutes on the Dot for a domain user
On my company webserver, which is also a front end for the Exchange web portal, a certain domain user is appearing in the security log every 10 minutes with 2 failure audits. Because of this, after 3 attempts (as per our policy) the user's account gets locked out. I have NO idea what in the world is doing it. I've been all over the internet trying to figure out what to do. Here are the exact entries in the audit log.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/13/2011
Time: 10:10:52 AM
User: NT AUTHORITY\SYSTEM
Computer: <ServerName>
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: <UserName>
Domain:
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <ServerName>
Caller User Name: <ServerName>$
Caller Domain: ADMIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1888
Transited Services: -
Source Network Address: -
Source Port: -
That one is ALWAYS accompanied by this other one.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 12/13/2011
Time: 10:10:52 AM
User: NT AUTHORITY\SYSTEM
Computer: <ServerName>
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: <UserName>
Source Workstation: <ServerName>
Error Code: 0xC0000064
I've checked this person's workstation (which is Windows 7) for viruses and spyware and it looks clean. I've checked the server for viruses and spyware and it also looks clean. I've deleted everything out of her credential manager on her computer. I've checked the processes and nothing looks weird on the server or her machine. Please help!
December 14th, 2011 10:32am
This one may help.
http://eventid.net/display.asp?eventid=529&eventno=1&source=Security&phase=1
Regards, Dave Patrick ....
Microsoft Certified Professional
Microsoft MVP [Windows]
December 25th, 2011 7:11pm
Do you have any 644 events?
Some useful articles (the keywords are account+lockout):
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
http://esense.be/33/2010/01/11/how-to-troubleshoot-account-lockouts/
Don
December 25th, 2011 7:40pm
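An added example, not part of any post in this thread: a Python sketch that parses exported 529/680 records in the layout quoted in the question, flags 529 failures that recur at a fixed interval for one account and Caller Process ID, and decodes the 680 error code as an NTSTATUS value. The sample records are constructed and abbreviated; the function names, `min_hits` and `tolerance` are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# NTSTATUS values reported as "Error Code" in event 680
NTSTATUS = {"0xC0000064": "user name does not exist",
            "0xC000006A": "wrong password",
            "0xC0000234": "account locked out"}
def parse_events(text):
    """One dict per record; a value may sit on the line after its label."""
    events = []
    for rec in re.split(r"(?=Event Type:)", text):
        def field(label):
            m = re.search(r"^[ \t]*" + re.escape(label) + r":\s*(\S.*)$", rec, re.M)
            return m.group(1).strip() if m else None
        if field("Event ID"):
            stamp = field("Date") + " " + field("Time")
            events.append({
                "id": field("Event ID"),
                "when": datetime.strptime(stamp, "%m/%d/%Y %I:%M:%S %p"),
                "user": field("User Name") or field("Logon account"),
                "pid": field("Caller Process ID"),
                "code": field("Error Code")})
    return events

def periodic_failures(events, min_hits=3, tolerance=5):
    """{(user, caller_pid): seconds} for 529 failures recurring on a fixed timer."""
    groups = defaultdict(list)
    for e in events:
        if e["id"] == "529":
            groups[(e["user"], e["pid"])].append(e["when"])
    found = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - median(gaps)) <= tolerance for g in gaps):
            found[key] = median(gaps)
    return found

def failure_reasons(events):
    """Decoded event 680 error codes, as (account, reason) pairs."""
    return {(e["user"], NTSTATUS.get(e["code"], e["code"])) for e in events if e["id"] == "680"}

# Constructed, abbreviated sample: three 529/680 pairs ten minutes apart
HEAD = "Event Type: Failure Audit\nDate: 12/13/2011\nTime: 10:{m}:52 AM\n"
REC529 = HEAD + "Event ID: 529\nUser Name:\n<UserName>\nCaller Process ID:\n1888\n"
REC680 = HEAD + "Event ID: 680\nLogon account: <UserName>\nError Code: 0xC0000064\n"
SAMPLE = "".join((REC529 + REC680).format(m=m) for m in ("10", "20", "30"))
print(periodic_failures(parse_events(SAMPLE)), failure_reasons(parse_events(SAMPLE)))
```

A fixed interval tied to a single Caller Process ID indicates an automated caller on the logging host rather than a person typing a password, so the next check is which process owns that PID on the server.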