Security Events after changing admin password on Windows Server

Any idea how I might be able to track down what is trying to log on as administrator and creating security events (see below) - this has started to occur since I changed my admin password.  I have checked services, backup and Task Scheduler.

Here are the details -

User Name   Administrator
Client IP Address
Client Host Name   UKHARINF01.<domain~>
Domain Controller   UKHARINF01.<domain~>
Logon Time   Jan 20,2014 09:43:28 AM
Event Type   Failure
Failure Reason   Bad password
Domain   krbtgt/<domain~>
Remarks   Kerberos pre-authentication failed.
Logon Service   krbtgt/<domain~>
SID   %{S-1-5-21-3277633608-390278033-2812492099-500}
Event Number   4771
Event Code   16
Failure Code   0x18
Record Number   94545929

security: failure - 2014/01/20 12:13:15 - Microsoft-Windows-Security-Auditing (4771) - n/a
 "Kerberos pre-authentication failed. Account Information: Security ID: S-1-5-21-3277633608-390278033-2812492099-500
 Account Name: Administrator Service Information:
 Service Name: krbtgt/<domain~> Network Information: Client Address: ::1
 Client Port: 0 Additional Information: Ticket Options: 0x40810010 Failure Code:
 0x18 Pre-Authentication Type: 2 Certificate Information: Certificate Issuer
 Name: Certificate Serial Number: Certificate Thumbprint: Certificate information
 is only provided if a certificate was used for pre-authentication. Pre-authentication
 types, ticket options and failure codes are defined in RFC 4120. If the
 ticket was malformed or damaged during transit and could not be decrypted, then
 many fields in this event might not be present."
Who is Participating?
fuzzyfreakConnect With a Mentor Author Commented:
No thanks to Expert Exchange!  I finally discovered it to be DNS.  Forgive the bitterness but what has happened to EE over the years?  Why the huge lack of attention and assistance on questions?  Have people gone elsewhere?
Patrick BogersDatacenter platform engineer LindowsCommented:

Maybe there is a (console)session active in which the administrator is logged on (with old password)
Could also be a backup thing, open your backup program and check which user runs the job.

If it isnt any of these reboot the machine, all open sessions/services will log in again using correct credentials.
fuzzyfreakAuthor Commented:
Thanks, I will investigate some more.
fuzzyfreakAuthor Commented:
Still cannot trace this - any further ideas?
fuzzyfreakAuthor Commented:
Resolved myself.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.