Guest spy Posted March 12, 2008 Posted March 12, 2008 We are having issues with some user accounts locking. It's very odd. I'd like to get some feedback on them, thank you I think the following Event's maybe related. PS: I removed specific names for security reasons. Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 675 Date: 3/12/2008 Time: 9:12:52 AM User: NT AUTHORITY\SYSTEM Computer: DC1 Description: Pre-authentication failed: User Name: XXX User ID: XXX\User Service Name: krbtgt/xxx.INC Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 10.1.13.23 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 672 Date: 3/12/2008 Time: 9:09:24 AM User: NT AUTHORITY\SYSTEM Computer: DARIEN-DC2 Description: Authentication Ticket Request: User Name: user Supplied Realm Name: domain name User ID: - Service Name: krbtgt/xxx Service ID: - Ticket Options: 0x40810010 Result Code: 0x6 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: 10.196.10.158 Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint: For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 537 Date: 3/12/2008 Time: 9:08:20 AM User: NT AUTHORITY\SYSTEM Computer: DC1 Description: Logon Failure: Reason: An error occurred during logon User Name: Domain: Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: - Status code: 0xC000006D Substatus code: 0xC0000133 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.196.10.12 Source Port: 1090 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 673 Date: 3/12/2008 Time: 9:07:36 AM User: NT AUTHORITY\SYSTEM Computer: DC1 Description: Service Ticket Request: User Name: User Domain: Service Name: Service ID: - Ticket Options: 0x40800000 Ticket Encryption Type: - Client Address: 10.196.10.12 Failure Code: 0x25 Logon GUID: - Transited Services: - For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event Type: Failure Audit Event Source: Security Event Category: Directory Service Access Event ID: 566 Date: 3/12/2008 Time: 9:07:14 AM User: domain\user Computer: DC1 Description: Object Operation: Object Server: DS Operation Type: Object Access Object Type: computer Object Name: CN=xxx,CN=Computers,DC=domain name,DC=com Handle ID: - Primary User Name: DC1$ Primary Domain: ZOTOS-A Primary Logon ID: (0x0,0x3E7) Client User Name: User$ Client Domain: Domain Client Logon ID: (0x0,0x2C249147) Accesses: Write Property Properties: --- Public Information servicePrincipalName computer Additional Info: Additional Info2: Access Mask: 0x20 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. Event Type: Failure Audit Event Source: Security Event Category: Account Logon Event ID: 680 Date: 3/12/2008 Time: 8:37:11 AM User: NT AUTHORITY\SYSTEM Computer: DC1 Description: Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: user Source Workstation: workstation Error Code: 0xC0000071 For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
Recommended Posts