Solved

Event ID 576 - Where is this account loggin on from?

Posted on 2009-05-05
9
1,377 Views
Last Modified: 2012-05-06
My organization has a user that left, and their account is continually logging on to one of our machines with a privilege use category.  This was a trusted person, and they are not in fact logging on any longer.  If we disable the account we get a slew of failure audits in the security log.  We are trying to find out where the logon call is being initiated from so we can fix that and move on.  It appears to be restarting the WMI Performance Adapter service.

I have disabled SMS agents, checked for AT schedules, Windows Scheduler, and performance counters.  I cannot find anything... help!

0
Question by:Hay_Seed
9 Comments
 
LVL 3

Assisted Solution

by:btrivett
btrivett earned 100 total points
ID: 24309413
Have you checked your services in computer management on your server to see if any services (especially the "WMI Performance Adapter" and "Remote Procedure Call" services) have that user specified as the log on account (under the "Log On" tab)?
0
 
LVL 21

Accepted Solution

by:Tapan Pattanaik
Tapan Pattanaik earned 200 total points
ID: 24309417
0
 

Author Comment

by:Hay_Seed
ID: 24309475
Thanks for the links; however, I know how to disable the auditing, but I'm trying to locate the root cause of this event, so I can make changes and be able to disable this user account and not have to get a slew of failed audits.
0

 

Author Comment

by:Hay_Seed
ID: 24309507
Update:
I am getting events 540, 576, 540 and 538 from this user.  Just trying to find out what's causing it, so I can disable it.
0
 
LVL 21

Assisted Solution

by:Tapan Pattanaik
Tapan Pattanaik earned 200 total points
ID: 24309595
Hi Hay_Seed,

Root cause of this issue:

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-07/msg02690.html
0
 
LVL 3

Assisted Solution

by:btrivett
btrivett earned 100 total points
ID: 24322279
I didn't see where you mentioned what happened when you checked the services on that computer to see if there were any services specifically running under that user's credentials.  Have you had a chance to check that?  To do so, simply open Computer Management, then expand "Services and Applications" > "Services".  Look in the "Log On As" column to see if that user's name is displayed anywhere in that column.  If so, you will have found the root cause of your issue.  Changing the log on account for that service should fix the problem.
0
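As an added example (not code from any poster in this thread), a PowerShell script that automates the checks discussed above on the affected host: services with the departed user in the Log On As column (btrivett's check), scheduled tasks running as that user, and the Workstation Name / Source Network Address fields from event 540 in the Security log, which answers the original question of where the logon is initiated from. The account name is a constructed placeholder; the script assumes the Windows 2003-style event IDs the question reports and PowerShell 2.0 or later on the machine recording the events.

```powershell
# Added example: hunt for what still uses a departed user's credentials on this
# host, then pull the logon source out of the Security log.
$Account = 'CONTOSO\departed.user'          # placeholder: DOMAIN\username to hunt for
$pattern = [regex]::Escape($Account.Split('\')[-1])

# 1. Services: the "Log On As" column in Computer Management is Win32_Service.StartName.
Write-Host "== Services running as $Account =="
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, DisplayName, State, StartName | Format-Table -AutoSize

# 2. Scheduled tasks: schtasks /v exposes the "Run As User" column in its CSV output.
Write-Host "== Scheduled tasks running as $Account =="
schtasks /query /fo CSV /v | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    Select-Object TaskName, 'Run As User', 'Task To Run', 'Next Run Time' | Format-Table -AutoSize

# 3. Security log: event 540 (successful network logon) carries "Workstation Name"
#    and "Source Network Address" in its message body. Each message line is
#    "Label:<tab>Value", so the first colon separates label from value.
function Get-LogonSource {
    param([string]$User, [int]$Days = 7)
    Get-EventLog -LogName Security -EntryType SuccessAudit -After (Get-Date).AddDays(-$Days) |
        Where-Object { $_.EventID -eq 540 -and $_.Message -match "User Name:\s+$User\b" } |
        ForEach-Object {
            $fields = @{}
            foreach ($line in $_.Message -split "`r?`n") {
                if ($line -match '^\s*([^:]+):\s*(.*)$') { $fields[$Matches[1].Trim()] = $Matches[2].Trim() }
            }
            New-Object PSObject -Property @{
                Time        = $_.TimeGenerated
                Workstation = $fields['Workstation Name']
                SourceIP    = $fields['Source Network Address']
                LogonType   = $fields['Logon Type']
                Process     = $fields['Logon Process']
                LogonId     = $fields['Logon ID']
            }
        }
}

# Group by origin so a scheduled job or service shows up as a repeating source.
Write-Host "== Where event 540 logons for $Account come from (last 7 days) =="
Get-LogonSource -User $pattern |
    Group-Object Workstation, SourceIP, LogonType, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The Logon ID in each 576 (special privileges assigned) event matches the Logon ID of the 540 entry that precedes it, so the LogonId field above lets you tie the privilege grant to a specific source workstation or address.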
 
LVL 15

Assisted Solution

by:Rob Stone
Rob Stone earned 100 total points
ID: 24389661
A risky way of finding out would be to change the password and let it lock out, use the below tool to find the IP Address and find if there is a scheduled task/service running with the credentials.  Obviously if there is something important running you may want to do this out of hours or on a weekend to give yourself time to isolate it.

Practice on a test account first if you've not used it before ;)

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.
0
 
LVL 4

Assisted Solution

by:KrisKaBob
KrisKaBob earned 100 total points
ID: 24552308
Is there a chance you have something like SQL installed on the host computer? Maybe there is an Enterprise Manager with his credentials polling the server. I just turned off the polling on 2 instances of our Enterprise Manager that were doing that same thing every 10 seconds.

http://msdn.microsoft.com/en-us/library/aa198198.aspx
0
 

Author Closing Comment

by:Hay_Seed
ID: 31578238
Thanks to all. I have still not figured this out, but I am simply re-imaging the system.
0
