seekoswm
asked on
Event ID 642, 627, 644, 671 back-to-back-to-back on local accounts once a week
Once a week, usually on the weekend around midnight or so, I have a Windows 2003 server that logs the following events back-to-back-to-back (within span of about 1 minute).
642 (Success) - User Account Changed
627 (Failure) - Change Password Attempt
644 (Success) - User Account Locked Out
671 (Success) - User Account Unlocked
The events happen for each local account including Administrator, Guest, IWAM_, IUSR_, SUPPORT_, ASPNET, etc. successively.
I've checked for any scheduled tasks or other processes that might be firing off and causing this, but can't find any correlation. It doesn't happen at the same time every time. It usually happens over the weekend, but not always.
Any ideas?
642 (Success) - User Account Changed
627 (Failure) - Change Password Attempt
644 (Success) - User Account Locked Out
671 (Success) - User Account Unlocked
The events happen for each local account including Administrator, Guest, IWAM_, IUSR_, SUPPORT_, ASPNET, etc. successively.
I've checked for any scheduled tasks or other processes that might be firing off and causing this, but can't find any correlation. It doesn't happen at the same time every time. It usually happens over the weekend, but not always.
Any ideas?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.