Posted by Roger Abell [MVP] on April 4, 2006, 11:36 am
The account named "Administrator" is unique per machine, except
for domain controllers where it is the same on them all.
If you have used the domain\Administrator account on machines
other than domain controllers keep in mind that this is not the
Administrators account defined on those machines.
So, by renaming you really only need to look at one machine,
or at the domain controllers, in order to see the scope of impact.
Go to microsoft.com/downloads and search on account lockout
as there is a package of utilities that can help you track down the
origin of the authentication attempts that are locking the account.
> I'm leery of renaming my admin account as there are a whole lot of
> services that run as administrator on a lot of different servers and
> don't want to spend the entire week troubleshooting why a particular
> service doesn't work. I'm not saying I won't do it if I have to, it's
> just not something I'm really looking forward to.
>
> That said, here is some real info... (sorry, I was trying to protect
> the innocent in my previous post)
>
> ---------------------------------------------------------------------
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 675
> Date: 4/4/2006
> Time: 11:09:49 AM
> User: NT AUTHORITY\SYSTEM
> Computer: EMJDC
> Description:
> Pre-authentication failed:
> User Name: administrator
> User ID: EMJCORP\administrator
> Service Name: krbtgt/emjcorp.com
> Pre-Authentication Type: 0x2
> Failure Code: 0x18
> Client Address: 192.168.155.10
>
> ---------------------------------------------------------------------
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 680
> Date: 4/4/2006
> Time: 10:55:52 AM
> User: NT AUTHORITY\SYSTEM
> Computer: EMJDC
> Description:
> Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> Logon account: administrator
> Source Workstation: EMJSACRAMENTO
> Error Code: 0xC0000234
>
> ---------------------------------------------------------------------
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 672
> Date: 4/4/2006
> Time: 10:06:08 AM
> User: NT AUTHORITY\SYSTEM
> Computer: EMJDC
> Description:
> Authentication Ticket Request:
> User Name: administrator
> Supplied Realm Name: EMJCORP
> User ID: -
> Service Name: krbtgt/EMJCORP
> Service ID: -
> Ticket Options: 0x40810010
> Result Code: 0x12
> Ticket Encryption Type: -
> Pre-Authentication Type: -
> Client Address: 192.168.135.10
> Certificate Issuer Name:
> Certificate Serial Number:
> Certificate Thumbprint:
>
> ---------------------------------------------------------------------
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Account Logon
> Event ID: 673
> Date: 4/4/2006
> Time: 9:03:17 AM
> User: NT AUTHORITY\SYSTEM
> Computer: EMJDC
> Description:
> Service Ticket Request:
> User Name: administrator@EMJCORP.COM
> User Domain: EMJCORP.COM
> Service Name: cifs/emjdc
> Service ID: -
> Ticket Options: 0x40810000
> Ticket Encryption Type: -
> Client Address: 192.168.125.202
> Failure Code: 0x12
> Logon GUID: -
> Transited Services: -
>
> ---------------------------------------------------------------------
>
> I continue to have my admin account locked out and I believe it is
> because of a service or program running under the old password, but
> can't determine which service, program or machine. Thanks,
> Tim
>
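An added example, not part of the original posts: a short Python triage of exported Security-log text like the events quoted above, separating hosts that sent a bad password (failure code 0x18, which drives the lockout) from hosts that only hit an account that was already locked (0x12, 0xC0000234). The function names and the reduced sample are constructed for illustration; the code meanings are the standard Kerberos and NTSTATUS ones, not something stated in the thread.

```python
import re
from collections import defaultdict

# Standard meanings of the codes that appear in the quoted events (assumption of this example).
CAUSE = {"0x18"}                  # Kerberos pre-authentication failed: wrong password
SYMPTOM = {"0x12", "0xc0000234"}  # credentials revoked / account already locked out

# Constructed sample: the four quoted events, reduced to the fields used here.
SAMPLE = """\
Event ID: 675
User Name: administrator
Failure Code: 0x18
Client Address: 192.168.155.10
---
Event ID: 680
Logon account: administrator
Source Workstation: EMJSACRAMENTO
Error Code: 0xC0000234
---
Event ID: 672
User Name: administrator
Result Code: 0x12
Client Address: 192.168.135.10
---
Event ID: 673
User Name: administrator@EMJCORP.COM
Client Address: 192.168.125.202
Failure Code: 0x12
"""

# "Key: value" lines, tolerating a leading "> " from quoted mail or forum text.
FIELD = re.compile(r"^[> \t]*([^:\n]+?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_events(text):
    """Split on dashed separator lines and return one field dict per event."""
    blocks = re.split(r"^[> \t]*-{3,}[ \t]*$", text, flags=re.M)
    events = [dict(FIELD.findall(b)) for b in blocks]
    return [e for e in events if "Event ID" in e]

def triage(events):
    """Group source hosts by whether they caused the lockout or only hit it."""
    out = defaultdict(set)
    for e in events:
        code = e.get("Failure Code") or e.get("Result Code") or e.get("Error Code") or ""
        src = e.get("Client Address") or e.get("Source Workstation") or "unknown"
        code = code.lower()
        kind = "cause" if code in CAUSE else "symptom" if code in SYMPTOM else "other"
        out[kind].add(src)
    return dict(out)
```

Hosts listed under "cause" are the ones to check for services, scheduled tasks or mapped drives still using the old password.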