How To Stop Excessive Remote Failed Log On

Hello all, how are you?

There are many failed logons in my Windows Server 2008 R2 event log. Here is one example from my Event Viewer:
--start quote--
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name:
Account Domain: WORKGROUP
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: --random name--
Source Network Address: --random ip --
Source Port: 13960
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
--end quote--

These attempts are numerous and periodic. Sometimes there are up to 30 attempts in only 1 minute, and it happens almost 24 hours nonstop.

My question is: what is that, and how do I make it stop?

Please kindly help me, thank you very much.

Regards,
Sebastian

June 3rd, 2012 10:19pm
Hi,

Is there an unknown user attempting to log on to the computer and providing an incorrect password?

In addition, this error may occur because an unknown user logs on to the service with a bad password.

You should locate the computer from which the user account is getting locked, and remove the scheduled tasks and services from that computer. Also, you need to make sure there are no network drives mapped with old credentials of the user.

Below is a simple way to check from which computer the account is getting locked:

1. Download the Microsoft lockout status tool from the link below:
   http://www.microsoft.com/en-us/download/details.aspx?id=15201
2. Install it on a domain controller.
3. Put the target name (the user account which is getting locked) on the target tab.
4. It will list the date/time and DC on which the account lockout events are happening.
5. Check the latest date and time and DC name. Log in to the DC where the event is getting generated.
6. Go to the security events, search for 644 (Microsoft Server 2003) or 4740 (W2K8), and open the event.
7. It will list the account information and the computer name from which the account is getting locked.
8. Log in to the computer and check for any services or scheduled tasks.

Hope this helps!

June 5th, 2012 7:13pm
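
As an added example (not part of the original posts): a short Python script that parses event text in the format quoted in the question, decodes the Sub Status, and counts failed network logons (Logon Type 3) per source address per minute. The sample message, the addresses, the account name `admin` and the threshold of 30 per minute (taken from the rate mentioned in the question) are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# NTSTATUS values seen in the "Sub Status" field of failed-logon events.
SUB_STATUS = {
    "0xc0000064": "user name does not exist",
    "0xc000006a": "user name is correct but the password is wrong",
    "0xc0000234": "account is locked out",
}
FIELD = re.compile(r"^[ \t]*(Logon Type|Sub Status|Source Network Address|Account Name)"
                   r":[ \t]*(.*)$", re.M)

def parse_event(text):
    """Fields of one event message; the last 'Account Name' (the target) wins."""
    return {key: value.strip() for key, value in FIELD.findall(text)}

def explain(text):
    """Human-readable meaning of the event's Sub Status."""
    return SUB_STATUS.get(parse_event(text).get("Sub Status", "").lower(), "other")

def noisy_sources(events, threshold=30):
    """events: (timestamp, message) pairs -> {(ip, minute): count} at or above threshold."""
    buckets = Counter()
    for ts, text in events:
        fields = parse_event(text)
        if fields.get("Logon Type") != "3":  # 3 = network logon, as in the question
            continue
        ip = fields.get("Source Network Address", "-")
        buckets[(ip, ts.replace(second=0, microsecond=0))] += 1
    return {key: n for key, n in buckets.items() if n >= threshold}

# Constructed sample message (trimmed to the parsed fields); not real log data.
SAMPLE = """An account failed to log on.
Logon Type: 3
Account Name: admin
Sub Status: 0xc0000064
Source Network Address: {ip}
"""

def build_sample():
    t0 = datetime(2012, 6, 3, 22, 0, 0)
    burst = [(t0.replace(second=s), SAMPLE.format(ip="203.0.113.7")) for s in range(0, 60, 2)]
    quiet = [(t0.replace(minute=m), SAMPLE.format(ip="198.51.100.9")) for m in range(5)]
    return burst + quiet

if __name__ == "__main__":
    for (ip, minute), n in noisy_sources(build_sample()).items():
        print(minute, ip, n, explain(SAMPLE.format(ip=ip)))
```
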