Posted on 2009-04-10
I have recently found a user that is being locked out, what seems about every hour. I used the eventcombs and accountlockout status to determine where and what.
Today I found on one of my 2003 servers this user was locked out with a 644 code after getting three of these:
event 675, three times.
User Name: user1
User ID: domain\user1
Service Name: krbtgt/domain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1
I have been reading a lot of entries about services and scheduled tasks, of which there are none at this point for this user. In addition, I am confused by the "client address" this is coming from.
Looking at the event log closely, authentication for this user is being initiated by "system".
Not sure where to go for this now... suggestions, comments?
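
An added example, not part of the original post: a small Python parser for event 675 text in the field layout quoted above, which tallies pre-authentication failures per user and client address and decodes the failure code. The sample records, the EXAMPLE domain, user2 and 10.0.0.5 are constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120); 0x18 is the one quoted in the post.
FAILURE_CODES = {
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired or locked out)",
    0x18: "KDC_ERR_PREAUTH_FAILED (typically a wrong password)",
    0x25: "KRB_AP_ERR_SKEW (clock skew too great)",
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):\s*(.+?)\s*$")

# Constructed sample: three failures from loopback, one from a remote address.
SAMPLE = "\n".join(
    f"User Name: {u}\nUser ID: EXAMPLE\\{u}\nService Name: krbtgt/EXAMPLE\n"
    f"Pre-Authentication Type: 0x2\nFailure Code: 0x18\nClient Address: {a}"
    for u, a in [("user1", "127.0.0.1")] * 3 + [("user2", "10.0.0.5")]
)

def parse_675(text):
    """Split event text into records; each 'User Name:' field starts a new one."""
    records, current = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue  # skip lines that are not 'Field: value'
        key, value = m.groups()
        if key == "User Name":
            current = {}
            records.append(current)
        if current is not None:
            current[key] = value
    return records

def summarize(records):
    """Count failures per (user ID, client address, failure code)."""
    tally = Counter()
    for r in records:
        code = int(r.get("Failure Code", "0x0"), 16)
        tally[(r.get("User ID", "?"), r.get("Client Address", "?"), code)] += 1
    return tally

def describe(tally):
    """One line per group, most frequent first; loopback sources are called out."""
    out = []
    for (user, addr, code), n in tally.most_common():
        origin = "loopback: sent from the logging server itself" if addr in ("127.0.0.1", "::1") else "remote host"
        out.append(f"{user} x{n} from {addr} ({origin}): {FAILURE_CODES.get(code, hex(code))}")
    return out

if __name__ == "__main__":
    print("\n".join(describe(summarize(parse_675(SAMPLE)))))
```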