Solved

Multiple logon failures Advapi Logon type 5

Posted on 2010-09-08
6
1,394 Views
Last Modified: 2012-05-10
Hello,  I have logon failures every minute in event viewer.  Logon type is 5, logon process advapi.  I traced the process id to services.exe.  I can't figure out which service is causing it. The username that it's using is a user's account on the domain.   I disabled FTP, sharepoint, and IIS services since they aren't being used anyway, and restarted the server.  Still no luck.  the Computer name is the server's name, but how can I trace which service is causing this?
0
Comment
Question by:seanrhudy
  • 3
  • 3
6 Comments
 
LVL 9

Expert Comment

by:khaledf
ID: 33637032
can you explain more where are you getting this event? in domain controler?
can you see from which machine you are getting the failed logon attempt from?
0
 

Author Comment

by:seanrhudy
ID: 33637395
I'm getting it on the domain controller, it's the only server.  It's coming from itself, the server.  It gives a process id of 416.  I used task manager and traced it to services.exe.  So it must be one of the services that is trying to authenticate but can't.  I checked all of the started services, and none of them are using this user account.  I'm not sure how to find out exactly which service is causing the issue.
0
 

Author Comment

by:seanrhudy
ID: 33643070
It's the lsass.exe process that is causing the failure login events.  Could it be an lsass virus?
0
Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

 
LVL 9

Expert Comment

by:khaledf
ID: 33648922
have you changed the admin password recently?
go to services and you can see what services are using credentials of admin or any other user.
0
 
LVL 9

Expert Comment

by:khaledf
ID: 33648941
can you also post event the details of the event log?
0
 

Accepted Solution

by:
seanrhudy earned 0 total points
ID: 33766818
This ended up being a rogue service that was trying to login.  
0

Featured Post

Is Your Active Directory as Secure as You Think?

More than 75% of all records are compromised because of the loss or theft of a privileged credential. Experts have been exploring Active Directory infrastructure to identify key threats and establish best practices for keeping data safe. Attend this month’s webinar to learn more.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Some time ago I faced the need to use a uniform folder structure that spanned across numerous sites of an enterprise to be used as a common repository for the Software packages of the Configuration Manager 2007 infrastructure. Because the procedu…
If, like me, you have a lot of Dell servers in the estate you manage this article should save you a little time. When attempting to login to iDrac on any server I would be presented with two errors. The first reads "Do you want to run this applicati…
This Micro Tutorial will teach you how to censor certain areas of your screen. The example in this video will show a little boy's face being blurred. This will be demonstrated using Adobe Premiere Pro CS6.
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…

864 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now