Is it normal to have events generated with the hostname, i.e. "THISCOMPUTER$" with the dollar sign after it for failed logins? Eventcode "An account failed to log on", failure Reason is "Unknown user name or bad password" with account name "THISCOMPUTER$". Is this because of the SYSTEM account from this machine? The domain is populated with the true domain, so Account_Domain="THISDOMAIN", no suffix, with then the hostname of the machine.
I aggregate all of our security events, using this to track account failures for multiple purposes, and I've generally just ignored them as they were a low priority, possibly aesthetic issue, but I just need to know why this is occurring. Are the machines in this case missing some sort of delegation settings? Is there a true security issue or just a misconfigured item in our AD structure? Is it common that when mapping to another server, that if an account fails due to it being locked out or bad username/password, it also automatically attempts to use the system's auth privileges to attempt the action? Each day I see 10k-50k of these events... and just haven't been able to correlate them, and would love if someone could enlighten me. I have about 850 servers and 300 Desktops in this environment, limited users on any of my domains as this is for the operational portion of the company, so most users authenticate through a one-way trust, where their accounts exist in the corporate domain, though that is not very many users, maybe 200 total? I am assuming there is some sort of accross the board reason this occurs that I'm just not aware of, not MCSE, so I wouldn't be surprised if it was a very basic thing or even a given that you always have the computer account try and auth or something of that nature.
Thanks,