Advapi is sending old account information to server



Rhys Wilson
22-08-2002, 01:29 PM
Here is a regular occurrence in the Security log of my XP pro machine.

The user name had originally had a blank password, and I had changed the password to the network, and since then I have been plagued by the following error.

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 22/08/02
Time: 12:03:00 p.m.
User: NT AUTHORITY\SYSTEM
Computer: RHYSQBS
Description:
Logon Failure:
Reason: Account locked out
User Name: Rhys
Domain: QANTEL
Logon Type: 4
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: RHYSQBS


The resulting fix for me was to abandon the 'Rhys' user name into my domain, and to create a new user name.

I have also removed from the offending XP machine the user account 'Rhys' and all references in 'Documents and settings' folder.

This process is still occurring after removal of the account.

Has anybody got any ideas on
a: What is causing this
b: How to fix it...

Thanks in advance

Graham L
28-08-2002, 04:20 PM
Just a thought: maybe someone noticed that the account had no password ( very naughty :8}) and has been trying to use it. The implications are clear ... :_|

Xaker
05-01-2005, 06:09 AM
This might be quite old, but I have been looking for the solution to this problem. And, I believe that I have just found out one of the problems/solutions. I am running a Windows 2003 Server (Standard) and using IIS for an Intranet Web site. My user account has been locked out about every day by the server krbtgt or Advapi service.

In... Services and Applications, Internet Information Services, Web Sites, (Default Internet Site), [Properties], Directory Security, Authentication and access control, [Edit]

Even though I have had the "enable anonymous access" unchecked, it seems that IIS via Advapi has tried to log on to possibly check the account. I changed this to Guest and had my same logon errors appear as I did with the last account used here. I am still double-checking that I don't have it enabled anywhere. I have restored it to the default IUSR_(MachineName), and have yet to have a final check; however, this is internally controlled, so I may not have any further problems.
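An added triage sketch, not code from any poster in this thread: it parses failure audit records in the text layout quoted in the first post and groups them by user, logon type and logon process, which is the quickest way to see whether lockouts come from a credential saved on the machine. The sample records are constructed from the fields shown in the thread; the `stored_credential` flag is a heuristic based on the standard Windows logon type codes.

```python
import re
from collections import Counter

# Standard Windows logon type codes.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}
# Batch and service logons are made by the system with a saved credential
# (scheduled task, service), not by a person typing a password.
STORED_CREDENTIAL_TYPES = {4, 5}

# Constructed sample: the thread's record repeated, plus one interactive failure.
REC = ("Event Type: Failure Audit\nEvent ID: {0}\nUser Name: {1}\n"
       "Logon Type: {2}\nLogon Process: {3}\n")
SAMPLE = (REC.format(539, "Rhys", 4, "Advapi") * 2
          + REC.format(529, "Guest", 2, "User32"))

FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(.*)$")

def parse_events(text):
    """Split exported event text into dicts, one per 'Event Type:' record."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":   # first field of every record
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key] = value
    return events

def triage(events):
    """Count failures per (user, logon type, process), most frequent first."""
    counts = Counter((e.get("User Name"), int(e.get("Logon Type", 0)),
                      e.get("Logon Process")) for e in events
                     if e.get("Event Type") == "Failure Audit")
    return [{"user": u, "logon_type": LOGON_TYPES.get(t, "Unknown"),
             "process": p, "count": n,
             "stored_credential": t in STORED_CREDENTIAL_TYPES}
            for (u, t, p), n in counts.most_common()]

if __name__ == "__main__":
    for row in triage(parse_events(SAMPLE)):
        print(row)
```

A row with `stored_credential` set points at scheduled tasks and service accounts on the reporting machine as the places to look for the old password.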

pheonix
05-01-2005, 11:20 AM
Date of original post... 2002
Date of reply............ 2005

Mmm, don't think he was waiting around this long for an answer, do you? :groan:

Prescott
05-01-2005, 01:19 PM
We need to get these threads that are over 2 years locked....... it's getting out of hand