R W
asked on
An account failed to log on (security monitoring)
We have this monitoring program called EIQ and it logs events like these. But I'm having a hard time understanding this. Does this say our Administrator account is the problem here? All of us fail sometimes at the first attempt to log into a system as the admin but I'm not sure why all of a sudden it is logging an event like this. I would think a failed admin account would show up more often in reports.
Raw Event: 10Hostwindows08/13/2015 10:14:14uid=domaincontroll er ip=10.2.2.5 hostname=domaincontroller ec=529 et=Failure Audit facility=security source=Security sev=failure npri=1 msg="Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: WORKSTATIONID Logon Type: 3 Logon Process: NtLmSsp Authentication Package: NTLM Workstation Name: WORSTATIONID Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: 10.2.2.199 Source Port: 0 Caller Process Name: (null)" sip=10.2.2.199 sport=0 dip=10.2.2.5 user=administrator logondomain=WORKSTATIONID logonwrkst=WORKSTATIONID process=(null) domain=workstationid auth-method=NtLmSsp shortdesc=Logon Failure. Reason: Unknown user name or bad password. authtype=NTLM logontype=Network ecat=Authentication ecatsubcat=Logon ecatresult=Failure alertrule=Rule 1 node-group=managed
Raw Event: 10Hostwindows08/13/2015 10:14:14uid=domaincontroll
ASKER CERTIFIED SOLUTION
membership
Create a free account to see this answer
Signing up is free and takes 30 seconds. No credit card required.
When the administrator password changes the services will fail to start until the password is updated again. Using an administrator account for running a service is insecure as you want to provide the least permissions required. Try setting up a service account with the necessary permissions.