Event ID 642, 627, 644, 671 back-to-back-to-back on local accounts once a week

Once a week, usually on the weekend around midnight or so, I have a Windows 2003 server that logs the following events back-to-back-to-back (within span of about 1 minute).

642 (Success) - User Account Changed
627 (Failure) - Change Password Attempt
644 (Success) - User Account Locked Out
671 (Success) - User Account Unlocked

The events happen for each local account including Administrator, Guest, IWAM_, IUSR_, SUPPORT_, ASPNET, etc. successively.

I've checked for any scheduled tasks or other processes that might be firing off and causing this, but can't find any correlation.  It doesn't happen at the same time every time.  It usually happens over the weekend, but not always.

Any ideas?
seekoswmAsked:
Who is Participating?
 
seekoswmConnect With a Mentor Author Commented:
Well, after much research today, I've been able to track it down to a Microsoft Baseline Security Analyzer (MBSA) v1.2 scan that appears to be running.  I'm not sure why it is running at random intervals, but I ran it manually and got the same series of events I've been getting on the weekends.

I found the following event in the Application log (around the time of the pervious failures) which tipped me off:

Event Type:      Information
Event Source:      MBSA
Event Category:      None
Event ID:      1
Date:            11/9/2008
Time:            12:30:51 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER1
Description:
Security analysis complete.
Scanned from 192.168.0.10.
Microsoft Baseline Security Analyzer version 1.2.3316.1.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.