  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1407

Event ID 576 - Where is this account logging on from?

My organization has a user that left, and their account is continually logging on to one of our machines with a privilege use category.  This was a trusted person, and they are not in fact logging on any longer.  If we disable the account we get a slew of failure audits in the security log.  We are trying to find out where the logon call is being initiated from so we can fix that and move on.  It appears to be restarting the WMI performance adapter service.

I have disabled SMS agents, checked for AT schedules, Windows Scheduler, and performance counters.  I cannot find anything... help!

Asked:
Hay_Seed
6 Solutions
 
btrivett Commented:
Have you checked your services in computer management on your server to see if any services (especially the "WMI Performance Adapter" and "Remote Procedure Call" services) have that user specified as the log on account (under the "Log On" tab)?
0
 
Hay_Seed (Author) Commented:
Thanks for the links, however, I know how to disable the auditing, but I'm trying to locate the Root Cause of this event, so I can make changes and be able to disable this user account and not have to get a slew of failed audits.
0
 
Hay_Seed (Author) Commented:
Update,
I am getting Events 540, 576, 540 and 538 from this user.  Just trying to find out what's causing it, so I can disable it.
0
 
Tapan Pattanaik (Senior Engineer) Commented:
Hi Hay_seed,

Root cause of this issue:

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2007-07/msg02690.html
0
 
btrivett Commented:
I didn't see where you mentioned what happened when you checked the services on that computer to see if there were any services specifically running under that user's credentials.  Have you had a chance to check that?  To do so, simply open Computer Management, then expand "Services and Applications" > "Services".  Look in the "Log On As" column to see if that user's name is displayed anywhere in that column.  If so, you will have found the root cause of your issue.  Changing the log on account for that service should fix the problem.
0
 
Rob Stone Commented:
A risky way of finding out would be to change the password and let it lock out, use the below tool to find the IP Address and find if there is a scheduled task/service running with the credentials.  Obviously if there is something important running you may want to do this out of hours or on a weekend to give yourself time to isolate it.

Practice on a test account first if you've not used it before ;)

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.
0
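
The two checks suggested above (the "Log On As" account of each service, and scheduled tasks running with the user's credentials) can be scripted. This is an added example, not code from any poster in this thread. It assumes Windows PowerShell 2.0 or later and English `schtasks` column names; `Find-AccountUsage` is a hypothetical helper name and `EXAMPLE\departed.user` is a placeholder account.

```powershell
# Added example: list services and scheduled tasks configured to run as an account.
# Find-AccountUsage is a hypothetical helper; the account name at the bottom is a placeholder.
function Find-AccountUsage {
    param(
        [Parameter(Mandatory = $true)][string]$Account,   # 'DOMAIN\user' or 'user'
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # Compare on the bare user name so 'DOMAIN\user', '.\user' and 'user@domain' all match.
    $user    = ($Account -split '\\')[-1]
    $pattern = '(^|\\)' + [regex]::Escape($user) + '(@|$)'

    # Services: Win32_Service.StartName is the account shown in the "Log On As" column.
    Get-WmiObject -Class Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Source = 'Service'; Name = $_.Name; RunAs = $_.StartName
                Detail = "$($_.State) / $($_.StartMode): $($_.PathName)"
            }
        }

    # Scheduled tasks: the verbose CSV output of schtasks has a "Run As User" column
    # (assumption: English column names; they are localized on other systems).
    $schArgs = @('/query', '/fo', 'csv', '/v')
    if ($ComputerName -ne $env:COMPUTERNAME) { $schArgs += @('/s', $ComputerName) }
    $csv = & schtasks.exe $schArgs 2>$null
    if ($csv) {
        $csv | ConvertFrom-Csv |
            Where-Object { $_.'Run As User' -match $pattern } |
            ForEach-Object {
                New-Object PSObject -Property @{
                    Source = 'ScheduledTask'; Name = $_.TaskName; RunAs = $_.'Run As User'
                    Detail = $_.'Task To Run'
                }
            }
    }
}

# Placeholder account: replace with the departed user's account before running.
Find-AccountUsage -Account 'EXAMPLE\departed.user' |
    Select-Object Source, Name, RunAs, Detail | Format-Table -AutoSize -Wrap
```

An empty result on the audited machine means the logons are not coming from a local service or task there, so the same function should be run with `-ComputerName` against the other hosts that could be connecting to it.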
 
KrisKaBob Commented:
Is there a chance you have something like SQL installed on the host computer? Maybe there is an Enterprise Manager with his credentials polling the server. I just turned off the polling on 2 instances of our enterprise manager that were doing that same thing every 10 seconds.

http://msdn.microsoft.com/en-us/library/aa198198.aspx
0
 
Hay_Seed (Author) Commented:
Thanks to all, I have still not figured this out, but, I am simply re-imaging the system.
0
