Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations Mike Lewis on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Security Audit Log

Status
Not open for further replies.
murrayt

murrayt

Technical User
Mar 24, 2004
9
US
I have a WinXp SP3 machine that is showing failed login attempts in the security audit log file from various machines in a Windows domain. We have set several other machines up with the same security audit settings and they haven't displayed any failed login attempts. The AV on the machine in question is current and scans are clean. The login attempts from other machines seem to be coming from local accounts rather than domain accounts. Any ideas on where to start looking?
 
Sort by date Sort by votes
The login attempts from other machines seem to be coming from local accounts rather than domain accounts. Any ideas on where to start looking?
Click to expand...
PEBKAC? Users, attempting to log in and forgetting to use the DOMAIN name?

AV's will not stop external attempts to log on, for this purpose there exist software and hardware firewalls... jfyi...

Ben

"If it works don't fix it! If it doesn't use a sledgehammer..."

How to ask a question, when posting them to a professional forum.
 
Upvote 0 Downvote
Can you identify any of these codes from your Security Log?

Logon Failure Error Codes Legend:
Error Code Hexadecimal Cause
3221225572 C0000064 User logon with misspelled or bad user account
3221225578 C000006A User logon with misspelled or bad password
3221225581 C000006D User logon has incorrect user name
3221225583 C000006F User logon outside authorized hours
3221225584 C0000070 User logon from unauthorized workstation
3221225585 C0000071 User logon with expired password
3221225586 C0000072 User logon to account disabled by administrator
3221225875 C0000193 User logon with expired account
3221226020 C0000224 User logon with "Change Password at Next Logon" flagged
3221226036 C0000234 User logon with account locked
 
Upvote 0 Downvote
Look at one of the pc's trying to connect. See if there are any network connections trying to be established.

Such as Nethood \\machine\c$ or \\machine\share

Did this pc ever have a shared printer or file share?

Most people spend their time on the "urgent" rather than on the "important."
 
Upvote 0 Downvote
I have the building tech checking on the codes and will post when I hear back from him. (I'm only in that building one day a week on Mondays.)
As far as I know this machine has never had a file share or a shared printer.
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

DSaba10
  • Locked
  • Question
Creating a log of SFTP Uploads
Replies
0
Views
68
DSaba10
DSaba10
jlh1
  • Locked
  • Question
Baseline Security Analyzer
Replies
1
Views
68
DaveSolan
DaveSolan
goombawaho
  • Locked
  • Question
Microsoft Security Essentials Prompting To Install Updates
Replies
3
Views
97
mikrom
mikrom
Tom11
  • Locked
  • Question
Windows 8.1 Login Issue
Replies
10
Views
176
Edward Cramer
Edward Cramer
Leozack
  • Locked
  • Question
Filetypes being reset to Edge on user logon?
Replies
0
Views
54
Leozack
Leozack

Part and Inventory Search

Sponsor

Back
Top