-
July 7th, 2004, 06:23 PM
#11
Originally posted here by mrg81
I did that. Every service that I clicked on said local system account.
MRG.
Okay well let us know what the event viewer is reporting for failed login attempts for that user.
Are there any holes in your firewall that would allow someone/something to attempt to login
from elsewhere in the world?
VPN access?
Terminal Services?
VNC or similar remote access services like PC Anywhere?
-
July 7th, 2004, 06:26 PM
#12
The following is reported by event viewer:
Windows was unable to determine the user or the computer error code (1326). There are no terminal services, VPN access or any remote access services.
MRG.
-
July 7th, 2004, 06:30 PM
#13
Could be someone trying to access the pc via shares or root share using her credentials?
Your network admins don't care? fking morons, I would be all over that PC and your dept.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
July 7th, 2004, 07:01 PM
#14
No one is trying to do that. accessing pc via shares or root share using her credentials.
-
July 7th, 2004, 07:17 PM
#15
Originally posted here by mrg81
No one is trying to do that. accessing pc via shares or root share using her credentials.
I'm not quite sure what type of help you are trying to get here.
Many of us have been quite helpful with information and you don't seem to be doing much
legwork on your end.
It's very difficult to spoonfeed you exact solutions from afar.
Your replies to information requests had been very limited.
Posting the exact syntax of an event from your event viewer could be helpful.
For instance:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 676
Date: 7/7/2004
Time: 12:18:24 PM
User: NT AUTHORITY\SYSTEM
Computer: Authorizing Servername
Description:
Authentication Ticket Request Failed:
User Name: someuser
Supplied Realm Name: domainname
Service Name: krbtgt/domainame
Ticket Options: 0x40810010
Failure Code: 0x17
Client Address: IP Address of node attempting to login
Do you see entries like this or other similar entries in the security event log?
Make sure you are viewing a log of either an AD Server or the machine taking authentication requests on your LAN. The user's workstation won't hurt either.
-
July 7th, 2004, 07:51 PM
#16
It's kinda stupid, but the PC is on the domain, right?
When the user tries to log in, can you see the domain name list in the domain box?
Can other domain users log in on this computer? (regular users)
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.
-
July 7th, 2004, 07:51 PM
#17
I am sorry if I didn't post a proper reply. I did view the log of the AD server; there is nothing in security. The only message that I see is in the application part of event viewer on the machine of the employee who is having the problem.
The error:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/7/2004
Time: 12:18:24 PM
User: NT AUTHORITY\SYSTEM
Computer: Authorizing Servername
Description:
Windows cannot determine the user or computer name(1316)
Thanks,
MRG.
-
July 7th, 2004, 08:06 PM
#18
Originally posted here by mrg81
I am sorry if I didn't post a proper reply. I did view the log of the AD server; there is nothing in security. The only message that I see is in the application part of event viewer on the machine of the employee who is having the problem.
The error:
Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1000
Date: 7/7/2004
Time: 12:18:24 PM
User: NT AUTHORITY\SYSTEM
Computer: Authorizing Servername
Description:
Windows cannot determine the user or computer name(1316)
Thanks,
MRG.
No need to be sorry....
My post is just an FYI...
Well let's turn on logging 1st.
On an AD server, go to the domain security policy snap-in
go to the local policies / audit policies section
enable at least failure on the audit account logon events section
review your security logs for any failed attempts
see if that nets you any info.
-
July 8th, 2004, 11:56 AM
#19
We get this a lot. It happens when a user account is logged onto more than one machine and the password expires.
UserA is logged on MachineA and MachineB. When the password expires they'll change it on machineA but are still logged on MachineB (with the 'old' credentials). Make sure she's logged out on *all* machines before she changes her password.
You can verify this by enabling auditing on failed logon attempts (set this in the domain policy). Then check the security eventlogs of the DCs.
Auditing should have been turned on anyway if you care about the security of your network. Even though MS is bashing us with their Trustworthy Computing initiative, auditing is still turned off by default. How trustworthy is that?!?
Oliver's Law:
Experience is something you don't get until just after you need it.
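The check suggested in posts #18 and #19 (enable failure auditing, then review the DC security logs), as an added example that is not from any poster in this thread: it tallies failure audits for one user per client address, so a machine still presenting old credentials stands out. It assumes the security log was saved as text in the layout of the event quoted in post #15; the records, user names, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed records in the layout of the event quoted in post #15; names and
# addresses are made up (192.0.2.0/24 is reserved for documentation).
RECORD = """Event Type: Failure Audit
Event ID: 676
Time: 12:18:24 PM
Description:
User Name: {user}
Failure Code: {code}
Client Address: {addr}
"""
SAMPLE_LOG = "\n".join(RECORD.format(user=u, code=c, addr=a) for u, c, a in [
    ("usera", "0x17", "192.0.2.20"), ("usera", "0x18", "192.0.2.21"),
    ("usera", "0x18", "192.0.2.21"), ("userb", "0x18", "192.0.2.30")])

# Kerberos error codes (RFC 4120) as they appear in the "Failure Code" field.
FAILURE_CODES = {"0x12": "account disabled or locked out",
                 "0x17": "password expired", "0x18": "wrong password"}
FIELD = re.compile(r"^([A-Za-z ]+?):[ \t]*(\S.*)$", re.M)


def parse_events(text):
    """Split a text export on blank lines; return one field dict per record."""
    blocks = re.split(r"\n\s*\n", text.strip())
    # Label-only lines such as "Description:" carry no value and do not match.
    events = [{k.strip(): v.strip() for k, v in FIELD.findall(b)} for b in blocks]
    return [ev for ev in events if ev]


def failures_by_source(events, user):
    """Count failure audits for `user` per (client address, reason)."""
    counts = Counter()
    for ev in events:
        if (ev.get("Event Type") != "Failure Audit"
                or ev.get("User Name", "").lower() != user.lower()):
            continue
        code = ev.get("Failure Code", "").lower()
        reason = FAILURE_CODES.get(code, code or "unknown")
        counts[(ev.get("Client Address", "unknown"), reason)] += 1
    return counts.most_common()


if __name__ == "__main__":
    for (addr, reason), n in failures_by_source(parse_events(SAMPLE_LOG), "UserA"):
        print(f"{addr}: {n} x {reason}")
```

The address with repeated failures is the machine to log the user out of before the next password change.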
-
July 8th, 2004, 01:10 PM
#20
if SirDice is correct, please (please please please) stop with that shared userid. This is the worst idea ever
My site
FORMAT C: Yes ...Yes??? ...Nooooo!!! ^C ^C ^C ^C ^C
If I die before I sleep, I pray the Lord my soul to encrypt. If I die before I wake, I pray the Lord my soul to brake.