Solved

Event ID 576 - Where is this account loggin on from?

Posted on 2009-05-05
9
1,369 Views
Last Modified: 2012-05-06
My organization has a user that left, and their account is continually logging on to one of our machines machines with a privledge use category.  This was a trusted person, and they are not in fact logging on any longer.  If we disable the account we get a slew of failure aduits in the security log.  We are trying to find out where the logon call is being initiated from so we can fix that and move on.  It apprears to be restarting the WMI perfomance adapter service.  

I have disabled SMS agents, checked for AT schedules, Windows Scheduler, and performance counters.  I cannot find anything... help!

0
Comment
Question by:Hay_Seed
  • 3
  • 2
  • 2
  • +2
9 Comments
 
LVL 3

Assisted Solution

by:btrivett
btrivett earned 100 total points
ID: 24309413
Have you checked your services in computer management on your server to see if any services (especially the "WMI Performance Adapter" and "Remote Procedure Call" services) have that user specified as the log on account (under the "Log On" tab)?
0
 
LVL 21

Accepted Solution

by:
Tapan Pattanaik earned 200 total points
ID: 24309417
0
 

Author Comment

by:Hay_Seed
ID: 24309475
Thanks for the links, however, I know how to disable the auditing, but im trying to locate the Root Cause of this event, so I can make changes and be able to disable this user account and not have to get a slew of failed audits.
0
 

Author Comment

by:Hay_Seed
ID: 24309507
Update,
I am getting Events 540, 576, 540 and 538 from this user.  just trying to find out whats causing it, so I can disable it.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 21

Assisted Solution

by:Tapan Pattanaik
Tapan Pattanaik earned 200 total points
ID: 24309595
hi Hay_seed,

                    root cause of this issue:

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-07/msg02690.html
0
 
LVL 3

Assisted Solution

by:btrivett
btrivett earned 100 total points
ID: 24322279
I didn't see where you mentioned what happened when you checked the services on that computer to see if there were any services specifically running under that users' credentials.  Have you had a chance to check that?  To do so, simply open Computer Management, then expand "Services and Applicaions" > "Services".  Look in the "Log On As" column to see if that users' name is displayed anywhere in that column.  If so, you will have found the root cause of your issue.  Changing the log on account for that service should fix the problem.
0
 
LVL 15

Assisted Solution

by:Rob Stone
Rob Stone earned 100 total points
ID: 24389661
A risky way of finding out would be to change the password and let it lock out, use the below tool to find the IP Address and find if there is a scheduled task/service running with the credentials.  Obviously if there is something important running you may want to do this out of hours or on a weekend to give yourself time to isolate it.

Practice on a test account first if you've not used it before ;)

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.
0
 
LVL 4

Assisted Solution

by:KrisKaBob
KrisKaBob earned 100 total points
ID: 24552308
Is there a chance you have something like SQL installed on the host computer? Maybe thee is an Enterprise Manager with his credentials polling the server. I just turned off the polling on 2 instances of our enterprise manager that were doing that same thing every 10 seconds.

http://msdn.microsoft.com/en-us/library/aa198198.aspx
0
 

Author Closing Comment

by:Hay_Seed
ID: 31578238
thanks to all, I have still not figured this out, but, I am simply re-imaging the system.
0

Featured Post

Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

Join & Write a Comment

Many admins will agree: WSUS is is a nice invention but using it on the client side when updating a newly installed computer is still time consuming as you have to do several reboots and furthermore, the procedure of installing updates, rebooting an…
Learn about cloud computing and its benefits for small business owners.
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now