Solved

Event ID 576 - Where is this account loggin on from?

Posted on 2009-05-05
9
1,389 Views
Last Modified: 2012-05-06
My organization has a user that left, and their account is continually logging on to one of our machines machines with a privledge use category.  This was a trusted person, and they are not in fact logging on any longer.  If we disable the account we get a slew of failure aduits in the security log.  We are trying to find out where the logon call is being initiated from so we can fix that and move on.  It apprears to be restarting the WMI perfomance adapter service.  

I have disabled SMS agents, checked for AT schedules, Windows Scheduler, and performance counters.  I cannot find anything... help!

0
Comment
Question by:Hay_Seed
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 3

Assisted Solution

by:btrivett
btrivett earned 100 total points
ID: 24309413
Have you checked your services in computer management on your server to see if any services (especially the "WMI Performance Adapter" and "Remote Procedure Call" services) have that user specified as the log on account (under the "Log On" tab)?
0
 
LVL 21

Accepted Solution

by:
Tapan Pattanaik earned 200 total points
ID: 24309417
0
 

Author Comment

by:Hay_Seed
ID: 24309475
Thanks for the links, however, I know how to disable the auditing, but im trying to locate the Root Cause of this event, so I can make changes and be able to disable this user account and not have to get a slew of failed audits.
0
Online Training Solution

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.

 

Author Comment

by:Hay_Seed
ID: 24309507
Update,
I am getting Events 540, 576, 540 and 538 from this user.  just trying to find out whats causing it, so I can disable it.
0
 
LVL 21

Assisted Solution

by:Tapan Pattanaik
Tapan Pattanaik earned 200 total points
ID: 24309595
hi Hay_seed,

                    root cause of this issue:

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-07/msg02690.html
0
 
LVL 3

Assisted Solution

by:btrivett
btrivett earned 100 total points
ID: 24322279
I didn't see where you mentioned what happened when you checked the services on that computer to see if there were any services specifically running under that users' credentials.  Have you had a chance to check that?  To do so, simply open Computer Management, then expand "Services and Applicaions" > "Services".  Look in the "Log On As" column to see if that users' name is displayed anywhere in that column.  If so, you will have found the root cause of your issue.  Changing the log on account for that service should fix the problem.
0
 
LVL 15

Assisted Solution

by:Rob Stone
Rob Stone earned 100 total points
ID: 24389661
A risky way of finding out would be to change the password and let it lock out, use the below tool to find the IP Address and find if there is a scheduled task/service running with the credentials.  Obviously if there is something important running you may want to do this out of hours or on a weekend to give yourself time to isolate it.

Practice on a test account first if you've not used it before ;)

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.
0
 
LVL 4

Assisted Solution

by:KrisKaBob
KrisKaBob earned 100 total points
ID: 24552308
Is there a chance you have something like SQL installed on the host computer? Maybe thee is an Enterprise Manager with his credentials polling the server. I just turned off the polling on 2 instances of our enterprise manager that were doing that same thing every 10 seconds.

http://msdn.microsoft.com/en-us/library/aa198198.aspx
0
 

Author Closing Comment

by:Hay_Seed
ID: 31578238
thanks to all, I have still not figured this out, but, I am simply re-imaging the system.
0

Featured Post

Free NetCrunch network monitor licenses!

Only on Experts-Exchange: Sign-up for a free-trial and we'll send you your permanent license!

Here is what you get: 30 Nodes | Unlimited Sensors | No Time Restrictions | Absolutely FREE!

Act now. This offer ends July 14, 2017.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This is a little timesaver I have been using for setting up Microsoft Small Business Server (SBS) in the simplest possible way. It may not be appropriate for every customer. However, when you get a situation where the person who owns the server is i…
The password reset disk is often mentioned as the best solution to deal with the lost Windows password problem. In Windows 2008, 7, Vista and XP, a password reset disk can be easily created. But besides Windows 7/Vista/XP, Windows Server 2008 and ot…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question