We just setup a two node Windows 2012 Hyper V cluster.  Everything is working correctly, but in the Security log on both nodes, we're getting Event ID's 4738 and 4724 every 3 minutes for the built in CLIUSR (Failover Cluster Local Identity) that gets created with the cluster (there's a local CLIUSR account on each node).  Because we have an application that parses the security logs and emails us about user account changes, we're getting spammed because of this.  Does anyone know if this is normal behavior for that CLIUSR account?  Any way to suppress this?  On the account properties, "User cannot change password" and "Password never expires" are both checked.  I appreciate any insights people might have.  Thanks

Hi,

The event log is generated because Audit policy is set:

Computer configuration->policies->windows settings->security settings->local policies->audit policy
Audit account management:Success

So if it is not on purpose you could simply disable it.

However it should not be a normal behavior so you may still need to check what's the exact cause. 

Please let us know if there is any progress.

No there's no progress.  Yes, we can supress the events, but we're looking for the cause of the events and it seems no one has anything on that.  

I was wondering if you where able to find out why the CLIUSR password was being changed every 3 minutes?

Hi,

Did somebody find out what is causing this problem?

Regards

Aleksandar