Failure Audit

[Guest spy]

We are having issues with some user accounts locking. It's very odd.

 

I'd like to get some feedback on them, thank you

 

I think the following Event's maybe related.

 

PS: I removed specific names for security reasons.

 

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 675

Date: 3/12/2008

Time: 9:12:52 AM

User: NT AUTHORITY\SYSTEM

Computer: DC1

Description:

Pre-authentication failed:

User Name: XXX

User ID: XXX\User

Service Name: krbtgt/xxx.INC

Pre-Authentication Type: 0x2

Failure Code: 0x18

Client Address: 10.1.13.23

 

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

 

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 672

Date: 3/12/2008

Time: 9:09:24 AM

User: NT AUTHORITY\SYSTEM

Computer: DARIEN-DC2

Description:

Authentication Ticket Request:

User Name: user

Supplied Realm Name: domain name

User ID: -

Service Name: krbtgt/xxx

Service ID: -

Ticket Options: 0x40810010

Result Code: 0x6

Ticket Encryption Type: -

Pre-Authentication Type: -

Client Address: 10.196.10.158

Certificate Issuer Name:

Certificate Serial Number:

Certificate Thumbprint:

 

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

 

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 537

Date: 3/12/2008

Time: 9:08:20 AM

User: NT AUTHORITY\SYSTEM

Computer: DC1

Description:

Logon Failure:

Reason: An error occurred during logon

User Name:

Domain:

Logon Type: 3

Logon Process: Kerberos

Authentication Package: Kerberos

Workstation Name: -

Status code: 0xC000006D

Substatus code: 0xC0000133

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: 10.196.10.12

Source Port: 1090

 

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

 

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 673

Date: 3/12/2008

Time: 9:07:36 AM

User: NT AUTHORITY\SYSTEM

Computer: DC1

Description:

Service Ticket Request:

User Name:

User Domain:

Service Name:

Service ID: -

Ticket Options: 0x40800000

Ticket Encryption Type: -

Client Address: 10.196.10.12

Failure Code: 0x25

Logon GUID: -

Transited Services: -

 

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

 

Event Type: Failure Audit

Event Source: Security

Event Category: Directory Service Access

Event ID: 566

Date: 3/12/2008

Time: 9:07:14 AM

User: domain\user

Computer: DC1

Description:

Object Operation:

Object Server: DS

Operation Type: Object Access

Object Type: computer

Object Name: CN=xxx,CN=Computers,DC=domain name,DC=com

Handle ID: -

Primary User Name: DC1$

Primary Domain: ZOTOS-A

Primary Logon ID: (0x0,0x3E7)

Client User Name: User$

Client Domain: Domain

Client Logon ID: (0x0,0x2C249147)

Accesses: Write Property

 

Properties:

---

Public Information

servicePrincipalName

computer

 

Additional Info:

Additional Info2:

Access Mask: 0x20

 

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp.

 

Event Type: Failure Audit

Event Source: Security

Event Category: Account Logon

Event ID: 680

Date: 3/12/2008

Time: 8:37:11 AM

User: NT AUTHORITY\SYSTEM

Computer: DC1

Description:

Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Logon account: user

Source Workstation: workstation

Error Code: 0xC0000071

 

 

For more information, see Help and Support Center at

http://go.microsoft.com/fwlink/events.asp