My domain currently has both 2003 and 2008 running.
Recently I have a user whose account is getting locked out.
I see no failed login attempts prior to the account lockout on any of the domain controllers. I do, however, see some 675 events with failure code 0x19 for the same user. These seem to occur 20 minutes before the account lockout occurs, and they occur with a source IP address of the system of the user who is having their domain account locked out.
The 2008 server is reporting that an account lockout occurred with event 4740.
The piece I'm struggling with is that the caller computer name is always something like JCIFS233_45_58 or JCIFS233_44_DD.
These jcifs* systems are not computers on my networks. These names have no DHCP leases, DNS entries and they are not . It looks like this may be some sort of Java CIFS client, but we don't run any such applications.
How do I track down where these jcifs* computer names are coming from?
Here are my event details:
A user account was locked out.
Security ID: SYSTEM
Account Name: DC2008$
Account Domain: CROSSBEAMSYS
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: DOMAINNAME\username
Account Name: username
Caller Computer Name: JCIFS233_44_DD
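
Added example, not part of the original post: the caller names in the 4740 events above fit the default NetBIOS name that the jCIFS Java library generates for itself, assumed here to be `JCIFS<third IP octet>_<fourth IP octet>_<random hex byte>`. The Python below decodes those two octets from each Caller Computer Name and matches them against candidate client IPs (for example, the source addresses in the 675 events); the function names and the sample IP list are constructed for illustration.

```python
import ipaddress
import re

# Assumption: jCIFS default name = "JCIFS" + 3rd octet + "_" + 4th octet + "_" + random hex byte
JCIFS_NAME = re.compile(r"^JCIFS(\d{1,3})_(\d{1,3})_([0-9A-F]{2})$", re.IGNORECASE)
CALLER_FIELD = re.compile(r"^[ \t]*Caller Computer Name:[ \t]*(\S+)[ \t]*$", re.MULTILINE)

def caller_names(event_text):
    """Return every Caller Computer Name value found in exported 4740 event text."""
    return CALLER_FIELD.findall(event_text)

def decode_jcifs_name(name):
    """Return (third_octet, fourth_octet) encoded in a jCIFS-style name, else None."""
    m = JCIFS_NAME.match(name.strip())
    if not m:
        return None
    third, fourth = int(m.group(1)), int(m.group(2))
    if third > 255 or fourth > 255:
        return None  # looks like the pattern but cannot be IPv4 octets
    return third, fourth

def match_candidates(event_text, candidate_ips):
    """Map each jCIFS-style caller name to the candidate IPs whose last two octets match."""
    result = {}
    for name in caller_names(event_text):
        octets = decode_jcifs_name(name)
        if octets is None:
            continue  # ordinary workstation name, nothing to decode
        result[name] = [
            ip for ip in candidate_ips
            if tuple(ipaddress.IPv4Address(ip).packed[2:4]) == octets
        ]
    return result

# Caller names are the two quoted in the post; the rest of the sample is constructed.
SAMPLE_EVENTS = """\
A user account was locked out.
Account Name: username
Caller Computer Name: JCIFS233_44_DD

A user account was locked out.
Account Name: username
Caller Computer Name: JCIFS233_45_58
"""
SAMPLE_IPS = ["10.1.233.44", "10.1.233.45", "10.1.12.7"]  # constructed addresses

if __name__ == "__main__":
    for name, ips in match_candidates(SAMPLE_EVENTS, SAMPLE_IPS).items():
        print(name, "->", ips or "no candidate matches")
```

A host that matches is only a lead: the next check is which process on it is making SMB/CIFS connections with the locked-out user's credentials.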