Solved

Security Events after changing admin password on Windows Server

Posted on 2014-01-20
Last Modified: 2014-03-20
Any idea how I might be able to track down what is trying to log on as administrator and creating security events (see below) - this has started to occur since I changed my admin password.  I have checked services, backup and Task Scheduler.

Here are the details -

User Name   Administrator
Client IP Address   127.0.0.1
Client Host Name   UKHARINF01.<domain~>
Domain Controller   UKHARINF01.<domain~>
Logon Time   Jan 20,2014 09:43:28 AM
Event Type   Failure
Failure Reason   Bad password
Domain   krbtgt/<domain~>
Remarks   Kerberos pre-authentication failed.
Logon Service   krbtgt/<domain~>
SID   %{S-1-5-21-3277633608-390278033-2812492099-500}
Event Number   4771
Event Code   16
Failure Code   0x18
Record Number   94545929

security: failure - 2014/01/20 12:13:15 - Microsoft-Windows-Security-Auditing (4771) - n/a
 "Kerberos pre-authentication failed. Account Information: Security ID: S-1-5-21-3277633608-390278033-2812492099-500
 Account Name: Administrator Service Information:
 Service Name: krbtgt/<domain~> Network Information: Client Address: ::1
 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Failure Code:
 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer
 Name: Certificate Serial Number: Certificate Thumbprint: Certificate information
 is only provided if a certificate was used for pre-authentication. Pre-authentication
 types, ticket options and failure codes are defined in RFC 4120. If the
 ticket was malformed or damaged during transit and could not be decrypted, then
 many fields in this event might not be present."
0
Question by:fuzzyfreak
5 Comments
 
LVL 23

Expert Comment

by:Patrick Bogers
ID: 39793962
Hi

Maybe there is a (console) session active in which the administrator is logged on (with the old password).
It could also be a backup thing; open your backup program and check which user runs the job.

If it isn't any of these, reboot the machine; all open sessions/services will log in again using correct credentials.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39794472
Thanks, I will investigate some more.
0
 
LVL 4

Author Comment

by:fuzzyfreak
ID: 39811738
Still cannot trace this - any further ideas?
0
 
LVL 4

Accepted Solution

by:
fuzzyfreak earned 0 total points
ID: 39841629
No thanks to Expert Exchange!  I finally discovered it to be DNS.  Forgive the bitterness but what has happened to EE over the years?  Why the huge lack of attention and assistance on questions?  Have people gone elsewhere?
0
 
LVL 4

Author Closing Comment

by:fuzzyfreak
ID: 39941754
Resolved myself.
0
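
An added example, not part of the original thread: a Python sketch that parses 4771 message text such as the one in the question, names the RFC 4120 failure code, and flags loopback client addresses (127.0.0.1, ::1), which mean the failing request originated on the domain controller itself. The function names and the second sample event are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Subset of the RFC 4120 error codes that event 4771 reports.
FAILURE_CODES = {0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN", 0x12: "KDC_ERR_CLIENT_REVOKED",
                 0x17: "KDC_ERR_KEY_EXPIRED", 0x18: "KDC_ERR_PREAUTH_FAILED",
                 0x25: "KRB_AP_ERR_SKEW"}
FIELDS = {"account": r"Account Name:\s*(\S+)",
          "client": r"Client Address:\s*(\S+)",
          "failure": r"Failure Code:\s*(0x[0-9A-Fa-f]+)"}

def is_loopback(addr):
    """True for 127.0.0.1, ::1 and IPv4-mapped loopback (::ffff:127.0.0.1)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return (getattr(ip, "ipv4_mapped", None) or ip).is_loopback

def parse_4771(message):
    """Pull the triage fields out of one 4771 message, flattened or multi-line."""
    rec = {}
    for key, pattern in FIELDS.items():
        m = re.search(pattern, message)
        rec[key] = m.group(1) if m else None
    code = int(rec["failure"], 16) if rec["failure"] else None
    rec["failure_name"] = FAILURE_CODES.get(code, "unknown")
    rec["local_source"] = is_loopback(rec["client"] or "")
    return rec

def summarize(messages):
    """Count failures per (account, client address, failure name)."""
    return Counter((r["account"], r["client"], r["failure_name"])
                   for r in map(parse_4771, messages))

# First sample is the event text from the question; the second is constructed.
SAMPLES = [
    "Kerberos pre-authentication failed. Account Information: Security ID: "
    "S-1-5-21-3277633608-390278033-2812492099-500 Account Name: Administrator "
    "Service Information: Service Name: krbtgt/<domain~> Network Information: "
    "Client Address: ::1 Client Port: 0 Additional Information: Ticket Options: "
    "0x40810010 Failure Code: 0x18 Pre-Authentication Type: 2",
    "Kerberos pre-authentication failed. Account Name: Administrator "
    "Client Address: ::ffff:192.0.2.10 Client Port: 49213 Failure Code: 0x18",
]

if __name__ == "__main__":
    for rec in map(parse_4771, SAMPLES):
        print(rec)
    print(summarize(SAMPLES))
```

A loopback source narrows the search to something running on the server that logged the event; event 4771 itself carries no process name.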
