On one of our DCs we regularly get the following two security errors in the Security event log.
First message...
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 673
Date: 12-10-2008
Time: 18:26:12
User: NT AUTHORITY\SYSTEM
Computer: PRC42
Description:
Service Ticket Request:
User Name: PRC42$@PRC.LOCAL
User Domain: PRC.LOCAL
Service Name: host/prc42.prc.local
Service ID: -
Ticket Options: 0x40810000
Ticket Encryption Type: -
Client Address: 127.0.0.1
Failure Code: 0x12
Logon GUID: -
Transited Services: -
Same time...
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 532
Date: 12-10-2008
Time: 18:26:12
User: NT AUTHORITY\SYSTEM
Computer: PRC42
Description:
Logon Failure:
Reason: The specified user account has expired
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: PRC42
Caller User Name: PRC42$
Caller Domain: PRC
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 828
Transited Services: -
Source Network Address: -
Source Port: -
Another DC has the same problem, but this time the workstation name is PRC41 instead of PRC42. Same sequence of events (673, 532) and the mention of an expired account. I've made a list of expired accounts. Most of them are regular users, one of them is an administrator-equivalent account.
How can we figure out what is causing this event and which account is causing it?