Can not figure out why?

Discussion in 'Active Directory' started by John, Mar 10, 2008.

  1. John

    John Guest

    Hi all,

    We just rename the build-in administrator account and got tons of failure
    audit on the security log as follows:
    _______________________________________
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 3/10/2008
    Time: 4:02:06 PM
    User: NT AUTHORITY\SYSTEM
    Computer: domain-controller-name
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: administrator
    Domain: US
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: exchange-server-name
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.10.4
    Source Port: 53185


    For more information, see Help and Support Center at
    http://go.microsoft.com/fwlink/events.asp.
    ________________________________________________

    I checked all service and none of service uses administrator account to
    logon. Can anyone help me where I should go to look at? BTW, we are at
    windows 2000 native level with mixed windows 2003 &windows 2000 DCs and Two
    node A/P clustering exchange 2003 SP2) Did I break anything by renaming
    domain built-in administrator account?

    Thank you.
     
    John, Mar 10, 2008
    #1
    1. Advertisements

  2. Scheduled tasks? Something on another server?

    Rrenaming the administrator account shouldn't cause problems - but don't
    think it gives you any real security benefit. Any hacker worth his or her
    salt is looking for the SID, not the name. I'm not a great believer in
    security by obscurity.
     
    Lanwench [MVP - Exchange], Mar 10, 2008
    #2
    1. Advertisements

  3. John

    John Guest

    Thanks for the help.
    I can not find any scheduled task running at administrator. Why did only
    this exchange server get security event 629 and 680 every second?

    Any ideas?

    Thank you.
     
    John, Mar 10, 2008
    #3
  4. John

    Kurt Guest

    Did you log off and log back on? If you changed the account name without
    re-establishing all of your network sessions the PC where you logged in is
    going to be sending cached credentials that conflict with what's now stored
    on the domain controllers.

    --
    Regards,

    Kurt Dillard

    Want some good security information? Check out some of my recent work...
    • NIST Special Publication 800-28 Version 2, Guidelines on Active Content
    and Mobile Code (reviewer):
    http://csrc.nist.gov/publications/PubsSPs.html#800-28_Version2
    • Windows Server 2008 Security Resource Kit (coauthor):
    http://www.microsoft.com/MSPress/books/11841.aspx
    • Windows Server 2008 Security Guide on TechNet (coauthor):
    www.microsoft.com/wssg
     
    Kurt, Mar 10, 2008
    #4
  5. Is the account logged into more than one machine or is it running a service
    on the same machine? A user could have mapped drives to a resource from one
    machine, on a different machine he changes his password and then the first
    machine attempts to stay mapped to a drive and the password is no longer
    correct and eventually locks the user out. Or after a password is changed a
    service is running that attempts to authenticate with an old password.

    To help try and track down where the account is getting locked out use
    eventcombMT.exe from the Account Lockout tools found out Microsoft's
    website. Use the built in search AccountLockouts and search in the created
    text files for the user in question.

    http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


    You can also set the debug flag on NetLogon to track authentication. "This
    creates a text file on the PDC that can be examined to determine which
    clients are generating the bad password attempts."
    http://support.microsoft.com/kb/189541
    http://support.microsoft.com/kb/109626
     
    Paul Bergson [MVP-DS], Mar 11, 2008
    #5
  6. John

    John Guest

    Thanks for your help.

    I did log off and log back on after renaming buildin adminbistrator. I do
    not get is that only the exchange server generated 629, 672 and 680 event ids
    every second on the domain controllers. Do I need to reset the security
    channel between the exchange server and domain controller?
     
    John, Mar 11, 2008
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.