Event ID 642, 627, 644, 671 back-to-back-to-back on local accounts once a week
Posted on 2008-11-10
Once a week, usually on the weekend around midnight or so, I have a Windows 2003 server that logs the following events back-to-back-to-back (within span of about 1 minute).
642 (Success) - User Account Changed
627 (Failure) - Change Password Attempt
644 (Success) - User Account Locked Out
671 (Success) - User Account Unlocked
The events happen for each local account including Administrator, Guest, IWAM_, IUSR_, SUPPORT_, ASPNET, etc. successively.
I've checked for any scheduled tasks or other processes that might be firing off and causing this, but can't find any correlation. It doesn't happen at the same time every time. It usually happens over the weekend, but not always.