Claire, Turn on API logging for a few minutes and capture some cases where the user Demo shows up.
The API log will give you the client type of the client. If it is one of the components of the system from BMC or from some partner or your own developers who have set the client type, that will tell you what type of thing the access is from. If it says client-type of 0, that means it is probably a custom written API program. The API log also will give you the IP address of where the call came from. Now, if you have a complex environment with firewalls that rewrite IP addresses, that may or may not help, but in many environments, it is the IP address of the source machine of the API call. That will tell you where to look for your caller. If the caller is a browser session, the IP address will be of the mid-tier rather than the actual browser, but if it is the mid-tier, it will tell you it is an interactive user logging in as Demo -- just not where from. This is at least a good starting point to work from. Good luck finding your rogue Demo users.... Doug Mueller -----Original Message----- From: Action Request System discussion list(ARSList) [mailto:[email protected]] On Behalf Of Sanford, Claire Sent: Wednesday, December 19, 2012 11:26 AM To: [email protected] Subject: Remedy ITSM - Demo gone wild! When our system was installed, Demo had no password since that is the default. I reset the Demo password in the User form. Demo keeps trying to log into the system and of course the blank password fails. Is there anywhere I can look to see where "Demo" has been put as the admin user? Something is using Demo and failing. 12176 times in the last 20 days. ITSM 7.6.04 SP2 ARS 7.6.04 SP3 Oracle 11.2.0.3.0 - 64bit Production Win 2008 Server Claire Sanford Information Systems Division Memorial Hermann Healthcare System [email protected] _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years" _______________________________________________________________________________ UNSUBSCRIBE or access ARSlist Archives at www.arslist.org "Where the Answers Are, and have been for 20 years"
