security 529 from exchange store.exe
I'm seeing a large number of failure audits - 680's followed by 529's. The 529's state the attempt came from the Exchange server, and don't provide a workstation or IP to help me identify the request. This Exchange server has OWA and IMAP open to the public, so I am wondering if the failures are attempts to guess credentials. Here's a sample of what I'm seeing in the 529:

    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: office
    Domain:
    Logon Type: 3
    Logon Process: Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Workstation Name: EXCHSERVER
    Caller User Name: EXCHSERVER$
    Caller Domain: GPDS
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 4220
    Transited Services: -
    Source Network Address: -
    Source Port: -

The Process ID points to Store.exe, which is how I determined Exchange is doing it (this server is also a domain controller). Is there anything I can do to get to the bottom of this?
June 27th, 2012 12:03am

I don't follow the logic here - these accounts shouldn't be doing anything with WMI to query memberships, and the Process reporting the problem is Store.exe - not any script. These accounts exist but can't log onto the server to do anything. One of them shouldn't be accessing the server in any way other than the IMAP connector. If the Exchange process is generating the 529's legitimately, what is it doing and why is it only doing that to 3 of more than 50 accounts?
June 27th, 2012 4:16am
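
Added example, not part of the original thread: a Python sketch that parses exported 529 descriptions in the format quoted above and counts failures per target user, caller account and caller process ID, so the handful of affected accounts and the events lacking a source address stand out. The sample events are constructed from the one in the post; the user names other than "office" and the 192.0.2.25 address are assumptions made for illustration.

```python
import re
from collections import Counter

# Field labels exactly as they appear in the 529 description quoted in the post.
LABELS = ["Reason", "User Name", "Domain", "Logon Type", "Logon Process",
          "Authentication Package", "Workstation Name", "Caller User Name",
          "Caller Domain", "Caller Logon ID", "Caller Process ID",
          "Transited Services", "Source Network Address", "Source Port"]
# Longest labels first so "Caller User Name" is never read as "User Name".
_LABEL_RE = re.compile(
    "(" + "|".join(map(re.escape, sorted(LABELS, key=len, reverse=True))) + "):")

def parse_529(text):
    """Split one 529 description (flattened or multi-line) into a field dict."""
    hits = list(_LABEL_RE.finditer(text))
    event = {}
    for i, hit in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(text)
        event[hit.group(1)] = text[hit.end():end].strip()
    return event

def summarize(events):
    """Count failures per (target user, caller account, caller PID, has_source)."""
    tally = Counter()
    for e in events:
        has_source = e.get("Source Network Address", "-") not in ("", "-")
        tally[(e.get("User Name", ""), e.get("Caller User Name", ""),
               e.get("Caller Process ID", ""), has_source)] += 1
    return tally

# Constructed sample: the event from the post repeated, plus two made-up rows
# ("scanner", "info" and the 192.0.2.25 address are illustrative only).
_TEMPLATE = (
    "Logon Failure: Reason: Unknown user name or bad password User Name: {} "
    "Domain: Logon Type: 3 Logon Process: Advapi Authentication Package: "
    "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Workstation Name: EXCHSERVER "
    "Caller User Name: {} Caller Domain: GPDS Caller Logon ID: (0x0,0x3E7) "
    "Caller Process ID: {} Transited Services: - "
    "Source Network Address: {} Source Port: {}")
_ROWS = [("office", "EXCHSERVER$", "4220", "-", "-")] * 3 + [
    ("scanner", "EXCHSERVER$", "4220", "-", "-"),
    ("info", "-", "-", "192.0.2.25", "0")]
SAMPLE = [_TEMPLATE.format(*row) for row in _ROWS]

if __name__ == "__main__":
    for key, count in summarize(map(parse_529, SAMPLE)).most_common():
        print(count, key)
```

Rows whose last key element is False carry no client address in the event itself, so their timestamps are what you would line up against the OWA (IIS) and IMAP logs on the same server.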

This topic is archived. No further replies will be accepted.
