Question : Logon failures 529 672 & 680

Hi experts

I have suddenly started having problems with security events and I can't tie the start of them down to any specific update or the like.  I suppose this question is best broken down into two parts.

Yesterday there were 47 Failure Audits recorded between 16:00:05 & 16:11:42 involving attempted logins by the username Administrator, generating event IDs 529, 672 & 680.  The Administrator account has been renamed from day 1 and here is an example of one type of log entry:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      672
Date:            07/06/2007
Time:            16:00:05
User:            NT AUTHORITY\SYSTEM
Computer:      AML-SERVER
Description:
Authentication Ticket Request:
       User Name:            Administrator
       Supplied Realm Name:      OURDOMAIN.LOCAL
       User ID:                  -
       Service Name:            krbtgt/OURDOMAIN.LOCAL
       Service ID:            -
       Ticket Options:            0x40810010
       Result Code:            0x6
       Ticket Encryption Type:      -
       Pre-Authentication Type:      -
       Client Address:            127.0.0.1
       Certificate Issuer Name:      
       Certificate Serial Number:      
       Certificate Thumbprint:      

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
** That wasn't any help - it said that "There is no Failure Audit form of this audit event record" Hmmm.

I cannot see anything in application or system logs which could have caused this.  Is there any way in which I can find out which program / process has used this login, please?  
Another option is, could this be something more sinister?  No infections have been found on the daily full virus scans across the network and we have a hardware firewall.  The firewall did report that it had repelled several Smurf attacks exactly an hour earlier, purporting to originate from an address belonging to African Network Information Center and there is no evidence I have found to suggest that the firewall was breached.

In addition, I have started to get occasional event IDs 673, within the DHCP range reserved for VPN clients & also some LAN clients.  The clocks seem to be in sync with the server and a success audit is registered at the next event.  No failure event is recorded on the client, only the success.

Any ideas, please?

Answer : Logon failures 529 672 & 680

Please review my response in this question which should cover this issue for you:  http:Q_22471975.html

Jeff
TechSoEasy
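
An added example (not part of the original question or answer): a Python sketch that parses a text export of event 672 entries like the one quoted in the question, decodes the Result Code against the Kerberos error codes in RFC 4120, and groups the failures by user name and client address. The sample records, the user jsmith and the address 192.168.0.50 are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Kerberos error codes from RFC 4120 that appear in the "Result Code" field.
KDC_ERRORS = {
    0x6: "KDC_ERR_C_PRINCIPAL_UNKNOWN: no account with that name",
    0x12: "KDC_ERR_CLIENT_REVOKED: account disabled, expired or locked out",
    0x17: "KDC_ERR_KEY_EXPIRED: password expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: wrong password",
    0x25: "KRB_AP_ERR_SKEW: clock skew too great",
}
FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z \-]*?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Split a text export of the Security log into one dict per event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        if m.group(1) == "Event Type":   # first field of every record
            events.append({})
        if events:
            events[-1][m.group(1)] = m.group(2)
    return events

def summarize_672(events):
    """Count failed ticket requests per (user, client address, reason, from_dc)."""
    counts = Counter()
    for e in events:
        if e.get("Event ID") != "672" or e.get("Event Type") != "Failure Audit":
            continue
        code = int(e.get("Result Code", "0x0"), 16)
        reason = KDC_ERRORS.get(code, "unlisted code " + hex(code))
        addr = e.get("Client Address", "")
        try:  # loopback means the request was made on the domain controller itself
            from_dc = ipaddress.ip_address(addr).is_loopback
        except ValueError:
            from_dc = False
        counts[(e.get("User Name"), addr, reason, from_dc)] += 1
    return counts

# Constructed sample records, shaped like the entry quoted in the question.
_REC = ("Event Type:\tFailure Audit\nEvent ID:\t{}\nDescription:\n"
        "Authentication Ticket Request:\n \tUser Name:\t\t{}\n"
        " \tResult Code:\t\t{}\n \tClient Address:\t\t{}\n\n")
ROWS = [(672, "Administrator", "0x6", "127.0.0.1")] * 2 + [(672, "jsmith", "0x18", "192.168.0.50")]
SAMPLE = "".join(_REC.format(*row) for row in ROWS)
```

For the entry quoted in the question, 0x6 with client address 127.0.0.1 decodes to a ticket request made on AML-SERVER itself for a principal name that does not exist, which is consistent with the Administrator account having been renamed.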