What is locking out my Windows account while I'm using broadband to access my corporate network? (read on...)

3x a minute my DC security event log logs the following for one of my users:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            11/17/2008
Time:            3:44:48 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SBS
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      (i'm not showing you that!)
       Domain:            (i'm not showing you that!)
       Logon Type:      8
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      SBS
       Caller User Name:      SBS$
       Caller Domain:      (i'm not showing you that!)
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      6012
       Transited Services:      -
       Source Network Address:
       Source Port:      50652

The user of course is constantly getting locked out and...   As fate would have it, this user is the president of the company....

Now stick with me for a bit while I will appear to go on an irrelevant tangent :)

He's got this fancy new Lenovo ThinkPad that automatically determines the best of 3 possible ways to connect to the internet (which he in turn uses to VPN into the office).  Those 3 ways are wired LAN (in the office), Wi-Fi (in the office), or broadband (like a cellphone), which works pretty much anywhere.  The source IP of the 'offending' security log event belongs to Sprint.  Sprint is his broadband provider.  He also has a cellphone that checks our Exchange server (an iPhone of course) but I think that is on the ATT network.  He also has a desktop PC.  So he's got like 5 ways to check his email.  So anyway - long story short - I think it's the Verizon broadband connection that is doing it since the source IP belongs to Verizon.  ....  either that or some hacker using the Verizon network in the Washington DC area :)

I can't find any information about port 50652 and can't figure out why he keeps getting locked out even though I think it has something to do with his ThinkPad's broadband internet.

Can anyone help me understand more than what I already do?  What is port 50652?   What might I look further into?

Thanks Much,

Russ White
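
Added example (not part of the original thread): a small Python triage script for exported Event ID 529 records in the text layout shown in the question. It groups failures by user, source address, logon type and caller process ID, and reports the peak number of failures in one clock minute; the user `jdoe` and the address `198.51.100.23` in the sample are constructed placeholders.

```python
import re
from collections import Counter
from datetime import datetime

# Logon type codes recorded in Windows logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

# Constructed sample in the page's layout; user and address are placeholders.
TEMPLATE = """Event Type:      Failure Audit
Event ID:      529
Date:            11/17/2008
Time:            {time}
       User Name:      jdoe
       Logon Type:      8
       Caller Process ID:      6012
       Source Network Address:      198.51.100.23
"""
SAMPLE = "".join(TEMPLATE.format(time=t)
                 for t in ("3:44:08 PM", "3:44:28 PM", "3:44:48 PM"))

def parse_events(text):
    """Return one dict per event; a new event starts at 'Event Type'."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(1) == "Event Type":
            events.append({})
        if m and events:
            events[-1][m.group(1)] = m.group(2)
    return events

def summarize(events):
    """Count 529 failures per (user, source address, logon type, caller PID)."""
    counts = Counter()
    for e in (e for e in events if e.get("Event ID") == "529"):
        code = int(e.get("Logon Type") or 0)
        counts[(e.get("User Name"), e.get("Source Network Address") or "(blank)",
                LOGON_TYPES.get(code, str(code)), e.get("Caller Process ID"))] += 1
    return counts

def peak_per_minute(events):
    """Highest number of 529 failures recorded within one clock minute."""
    minutes = Counter()
    for e in (e for e in events if e.get("Event ID") == "529"):
        ts = datetime.strptime(e["Date"] + " " + e["Time"], "%m/%d/%Y %I:%M:%S %p")
        minutes[ts.replace(second=0)] += 1
    return max(minutes.values(), default=0)
```

Logon type 8 is a cleartext network logon, and the Caller Process ID refers to a process on the server that logged the event, so a single recurring tuple in the summary points at one service on that server receiving the same bad credentials repeatedly.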

Are there any stored usernames and passwords under the user account of one of his machines?
I have seen users store domain credentials and then when the password expires they get locked out because they were not updated.
Rob Williams Commented:
I agree with NJDEV1. It can often be due to something like Trend Micro antivirus having been set up with an admin account for updates. If the admin password has changed (not the user's password) something like A/V will keep trying to get updates, and as a result keep trying to authenticate.

Don't rule out the possibility of a hacker if you have external access to RWW or TS. Is it SBS premium with ISA?
casco32 Author Commented:
Thanks for your inputs.
It is not an expired password issue - I beat that possibility to death before posting.
It's something on his mobile broadband.  The IP address it's coming from is an IP that belongs to the Verizon Mobile IP pool so I do not think it is a hacker.  It stopped for two days and then started again this morning at 1:50 am while the user was asleep and his laptop was asleep :|  It has something to do with Verizon's mobile broadband software.  I think I worked around this issue and I don't really expect this question to get answered.
Rob Williams Commented:
There must be a logon, mapped drive, service, or similar configured on that unit with a wrong or expired password that keeps trying to reconnect.

casco32 Author Commented:
I think the issue was someone trying to hack.  It has gone away.  Awarding robwill as he posted the most.  Thanks much.