Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

Event ID 576 - Where is this account loggin on from?

Posted on 2009-05-05
9
Medium Priority
?
1,403 Views
Last Modified: 2012-05-06
My organization has a user that left, and their account is continually logging on to one of our machines machines with a privledge use category.  This was a trusted person, and they are not in fact logging on any longer.  If we disable the account we get a slew of failure aduits in the security log.  We are trying to find out where the logon call is being initiated from so we can fix that and move on.  It apprears to be restarting the WMI perfomance adapter service.  

I have disabled SMS agents, checked for AT schedules, Windows Scheduler, and performance counters.  I cannot find anything... help!

0
Comment
Question by:Hay_Seed
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 3

Assisted Solution

by:btrivett
btrivett earned 400 total points
ID: 24309413
Have you checked your services in computer management on your server to see if any services (especially the "WMI Performance Adapter" and "Remote Procedure Call" services) have that user specified as the log on account (under the "Log On" tab)?
0
 
LVL 21

Accepted Solution

by:
Tapan Pattanaik earned 800 total points
ID: 24309417
0
 

Author Comment

by:Hay_Seed
ID: 24309475
Thanks for the links, however, I know how to disable the auditing, but im trying to locate the Root Cause of this event, so I can make changes and be able to disable this user account and not have to get a slew of failed audits.
0
 [eBook] Windows Nano Server

Download this FREE eBook and learn all you need to get started with Windows Nano Server, including deployment options, remote management
and troubleshooting tips and tricks

 

Author Comment

by:Hay_Seed
ID: 24309507
Update,
I am getting Events 540, 576, 540 and 538 from this user.  just trying to find out whats causing it, so I can disable it.
0
 
LVL 21

Assisted Solution

by:Tapan Pattanaik
Tapan Pattanaik earned 800 total points
ID: 24309595
hi Hay_seed,

                    root cause of this issue:

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-07/msg02690.html
0
 
LVL 3

Assisted Solution

by:btrivett
btrivett earned 400 total points
ID: 24322279
I didn't see where you mentioned what happened when you checked the services on that computer to see if there were any services specifically running under that users' credentials.  Have you had a chance to check that?  To do so, simply open Computer Management, then expand "Services and Applicaions" > "Services".  Look in the "Log On As" column to see if that users' name is displayed anywhere in that column.  If so, you will have found the root cause of your issue.  Changing the log on account for that service should fix the problem.
0
 
LVL 15

Assisted Solution

by:Rob Stone
Rob Stone earned 400 total points
ID: 24389661
A risky way of finding out would be to change the password and let it lock out, use the below tool to find the IP Address and find if there is a scheduled task/service running with the credentials.  Obviously if there is something important running you may want to do this out of hours or on a weekend to give yourself time to isolate it.

Practice on a test account first if you've not used it before ;)

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.
0
 
LVL 4

Assisted Solution

by:KrisKaBob
KrisKaBob earned 400 total points
ID: 24552308
Is there a chance you have something like SQL installed on the host computer? Maybe thee is an Enterprise Manager with his credentials polling the server. I just turned off the polling on 2 instances of our enterprise manager that were doing that same thing every 10 seconds.

http://msdn.microsoft.com/en-us/library/aa198198.aspx
0
 

Author Closing Comment

by:Hay_Seed
ID: 31578238
thanks to all, I have still not figured this out, but, I am simply re-imaging the system.
0

Featured Post

Visualize your virtual and backup environments

Create well-organized and polished visualizations of your virtual and backup environments when planning VMware vSphere, Microsoft Hyper-V or Veeam deployments. It helps you to gain better visibility and valuable business insights.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question