I recently ran a security scan using mbsa 2.1 on one of my member servers. After the scan a local account used for printer scanning operations would not function until the password was reset. Upon further investigation I found the following event stamped multiple times in my Security Logs:Event Type:Failure AuditEvent Source:SecurityEvent Category:Account Management Event ID:627Date:11/6/2009Time:10:53:40 AMUser:XXXX\aXXXXXComputer:LocalHostDescription:Change Password Attempt:Target Account Name:ScannerTarget Domain:LocalHostTarget Account ID:LocalHost\ScannerCaller User Name:aXXXXXXCaller Domain:XXXXCaller Logon ID:(0x0,0x9B43AD)Privileges:-My understanding was thatmbsa checked if the account was locked out and reset the account, but I have never seen it make an attempt to change the password. Does anyone have insight into this issue?Thanks.

I just decided to no longer scan with the password option checked. We enforce a very strict password policy and this has been easy to give as proof of compliance in audits. An interesting note however, I scanned a test machine several times with the same parameters as above and could not duplicate the failure. Al

This is a link where I've found that this message is generated for every account after the run of MBSA on a Web Server. The link is the following: http://www.eventid.net/display.asp?eventid=627&eventno=212&source=Security&phase=1 The scan you performed was on a Web Server? Best regards.

The scan was performed on a file and print server. I wasn't so much concerned with the actual event as much as I was concerned with the production stopage because the scan account needed to be reset. I have since created a domain account for this application and have not received any further problems.

OK, appearently MBSA is sometimes in conflit with other services. Concerning accounts, do not use MBSA password option. Just make sure you are using strong passwords and this is enough. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread. Best regards.