Logon type 3 is a network logon, so can't be a service or scheduled task as far as I am aware. Does the server run IIS?
2008/12/1 Alex Carroll <[EMAIL PROTECTED]>

> I am having issues here. This has been going on for a while and is just
> a rather large annoyance but I am starting to wonder if something more isn't
> going on. An account (a domain admin) is getting locked out of our DC (SBS
> 2003). It starts with a bunch of bad password attempts and then locks his
> account out after it reaches the maximum bad password limit. This seems to
> happen every hour and a half or so (between 1-2 hours).
>
> Here is the 529 from our DC:
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 12/1/2008
> Time: 2:44:23 PM
> User: NT AUTHORITY\SYSTEM
> Computer: CRAB03SVR
> Description:
> Logon Failure:
>     Reason: Unknown user name or bad password
>     User Name: richc
>     Domain: CRAB03SVR
>     Logon Type: 3
>     Logon Process: NtLmSsp
>     Authentication Package: NTLM
>     Workstation Name: CRAB03SVR-2
>     Caller User Name: -
>     Caller Domain: -
>     Caller Logon ID: -
>     Caller Process ID: -
>     Transited Services: -
>     Source Network Address: 192.168.200.205
>     Source Port: 1379
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Not a big deal right? Until I finally broke down and looked at the other
> server that the errors were coming from. It states that they are coming
> from the Administrator account. There are two events that happen
> simultaneously. 1006 and 1030 both from USERENV.
>
> 1030:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1030
> Date: 12/1/2008
> Time: 2:44:23 PM
> User: CRABTREE\Administrator
> Computer: CRAB03SVR-2
> Description:
> Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine that
> describes the reason for this.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> 1006:
>
> Event Type: Error
> Event Source: Userenv
> Event Category: None
> Event ID: 1006
> Date: 12/1/2008
> Time: 2:44:23 PM
> User: CRABTREE\Administrator
> Computer: CRAB03SVR-2
> Description:
> Windows cannot bind to CRABTREE.LAN domain. (Invalid Credentials). Group
> Policy processing aborted.
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.
>
> Any Ideas?
>
> Alex Carroll
> Software Support
> Crabtree Companies, Inc.
> 651-688-2727
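Added example, not part of the original thread: a small Python triage script that reads exported Event ID 529 text, decodes the logon type, and counts failures per source so the machine generating the lockouts stands out. The sample input is constructed from the 529 quoted above plus one made-up service logon; `EXAMPLE-HOST` and `192.0.2.10` are placeholders.

```python
import re
from collections import Counter

# Logon type codes recorded in Windows Security logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Anchored at line start so the "Caller User Name" line is not picked up.
FIELD_RE = re.compile(
    r"^[ \t]*(User Name|Logon Type|Logon Process|Workstation Name|"
    r"Source Network Address):[ \t]*(.*?)[ \t]*$", re.M)

def parse_529(description):
    """Extract the triage fields from one Event ID 529 description."""
    f = dict(FIELD_RE.findall(description))
    raw = f.get("Logon Type", "")
    code = int(raw) if raw.isdigit() else 0
    return {"user": f.get("User Name", "-"),
            "workstation": f.get("Workstation Name", "-"),
            "source": f.get("Source Network Address", "-"),
            "process": f.get("Logon Process", "-"),
            "logon_type": f"{code} ({LOGON_TYPES.get(code, 'unknown')})"}

def failure_sources(export_text):
    """Count 529 failures per (user, workstation, source, logon type)."""
    events = re.split(r"(?m)^[ \t]*Event ID:[ \t]*529[ \t]*$", export_text)[1:]
    tally = Counter()
    for event in events:
        p = parse_529(event)
        tally[(p["user"], p["workstation"], p["source"], p["logon_type"])] += 1
    return tally.most_common()

# Constructed sample: two events shaped like the 529 in the thread, plus one
# made-up service logon (type 5) from a placeholder host for contrast.
TEMPLATE = """Event ID: 529
    User Name: {0}
    Logon Type: {1}
    Logon Process: NtLmSsp
    Workstation Name: {2}
    Caller User Name: -
    Source Network Address: {3}
"""
SAMPLE = (TEMPLATE.format("richc", 3, "CRAB03SVR-2", "192.168.200.205") * 2
          + TEMPLATE.format("richc", 5, "EXAMPLE-HOST", "192.0.2.10"))

if __name__ == "__main__":
    for key, count in failure_sources(SAMPLE):
        print(count, key)
```
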