[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Sharepoint 2007 Scheduler task using bad login

Posted on 2011-05-09
14
Medium Priority
?
313 Views
Last Modified: 2012-05-11
Hi, on the security logs on my DC, have a logon failure, this is an admin login that I disabled.

I found some stuff ( scheduling ) written with his access, clear all the stuff .

but one still remain, I susspect Sharepoint to be responsible for the bad login but not sure where to look, I know the task is running every day at 5pm using the disable login.

it come from the central administration server.

in the log, the autentication package is ntlm ( NTLM is configure in sharepoint )

I look at the timer job definition, but unable to look for a job running at 5pm with the specific login.

where can I look ?

thanks
0
Comment
Question by:altzar
  • 8
  • 6
14 Comments
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35728199
sharepoint accounts are normally the services for 2007

so for first stage goto your administrative tools > services and see if you have any services that is using this particular login.

next we can verify other items.
0
 
LVL 1

Author Comment

by:altzar
ID: 35729036
in the services, the account is not use.

I also check the scheduler, still this account is not use.

that's why I was looking for a process inside sharepoint.

in sharepoint, I check all account configure, still did not find it.

the only thing I am sure, the account is use every 5pm on my sharepoint server ( on the central administration )

thanks
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35729205
also check the IIS application pools

also check SharePoint SharedServices accounts.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 1

Author Comment

by:altzar
ID: 35729366
thanks, found a IIS application pool with the user .

I will change it and confirm if it solve the problem.

because, beside the user , there is no indication that it is running at 5pm.

thanks a lot, I will update the ticket tomorow if everything is running OK
0
 
LVL 1

Author Comment

by:altzar
ID: 35737540
no change, the account is still trying to login...  :(
0
 
LVL 1

Author Comment

by:altzar
ID: 35737671
I found in the Policy for Web Application 4 accounts define, one of them is the account that is disable, what does those account is use for ?  do you thinks it could be it ?

I cannot find a relation with a job running at 5pm.

but the display name is the same for 3 of the account....  does the jobs use those login in rotation ?
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35738187
the question is where is the login coming from
is it on the same machine , or from a remote machine ?
0
 
LVL 1

Author Comment

by:altzar
ID: 35738626
in the eventlog of my DC ( security ), the failing login is on the IP of my sharepoint.
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35738756
can you check the same event on the SharePoint server it would show the Client .
0
 
LVL 1

Author Comment

by:altzar
ID: 35750280
on the sharepoint server, in security, I don't see it
0
 
LVL 14

Expert Comment

by:GeorgeGergues
ID: 35750375
why do you think this is coming from the SharePoint server ?

That could be a scheduled job coming from any server/workstation on the network


Best way to do track this is to check the DC security logs when this happens about where the auth request is coming from.


0
 
LVL 1

Author Comment

by:altzar
ID: 35750952
that's why I'm saying is comming from the sharepoint server, in the security log of the DC, the IP of the machine is the IP of my sharepoint server.

the Windows scheduler is clean ( I check it )

So I assume it is something in Sharepoint since nothing else is on this server.
0
 
LVL 14

Accepted Solution

by:
GeorgeGergues earned 2000 total points
ID: 35751670
Here are the areas that sharePoint or WSS would have accounts ( windows Identiy)

- IIS Application pools
- Windows Services.
- SharePoint Shared Services service  ID.
- Profile Sync ID ( under shared services Profile import).

Other than that I am not aware of any other locations.

Let me know if that helps.
0
 
LVL 1

Author Comment

by:altzar
ID: 35751885
thanks, will check it tomorow
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A while back, I ran into a situation where I was trying to use the calculated columns feature in SharePoint 2013 to do some simple math using values in two lists. Between certain data types not being accessible, and also with trying to make a one to…
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…
This lesson discusses how to use a Mainform + Subforms in Microsoft Access to find and enter data for payments on orders. The sample data comes from a custom shop that builds and sells movable storage structures that are delivered to your property. …

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question