Hello Experts,
Please help me with my case.
My domain account is getting locked frequently (every 15 mins it receives a bad password from some process).
Here below you will find the event information from the server which is sending the bad password.
For simplicity's sake I replaced my username and system name with ABC and XYZ respectively.
<Event xmlns=>
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-09-23T14:30:00.187792500Z" />
    <EventRecordID>7587683</EventRecordID>
    <Correlation />
    <Execution ProcessID="524" ThreadID="3144" />
    <Channel>Security</Channel>
    <Computer>XYZ</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">XYZ$</Data>
    <Data Name="SubjectDomainName">EMEA</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">ABC</Data>
    <Data Name="TargetDomainName">EMEA</Data>
    <Data Name="Status">0xc000006d</Data>
    <Data Name="FailureReason">%%2313</Data>
    <Data Name="SubStatus">0xc000006a</Data>
    <Data Name="LogonType">4</Data>
    <Data Name="LogonProcessName">Advapi</Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">XYZ</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x344</Data>
    <Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
I checked all the scheduled tasks (looking into logon type 4) but couldn't find any task which is using my account to execute the job.
Thanks in advance for your help.
Regards,
Ravi.
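
As an added example (not part of the original post): a small Python triage script for exported 4625 events like the one above. It groups failures by target account, logon type, calling process and sub-status, and reports the median gap between attempts, since a steady interval such as 15 minutes points at a scheduled or service-driven source. The sample events and the names parse_4625, summarize, TEMPLATE and SAMPLE are constructed for illustration.

```python
import statistics
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service"}
SUBSTATUS = {"0xc000006a": "wrong password", "0xc0000064": "unknown user"}

def parse_4625(xml_text):
    """Return the EventData fields of one 4625 event, or None for other IDs."""
    fields, event_id = {}, None
    for el in ET.fromstring(xml_text).iter():
        name = el.tag.rsplit("}", 1)[-1]  # ignore the XML namespace if present
        if name == "EventID":
            event_id = el.text
        elif name == "TimeCreated":
            # The log stores 100 ns ticks; keep microseconds for datetime.
            fields["when"] = datetime.fromisoformat(el.get("SystemTime").rstrip("Z")[:26])
        elif name == "Data":
            fields[el.get("Name")] = el.text
    return fields if event_id == "4625" else None

def summarize(events_xml):
    """Group failures by source and report the count and median gap (minutes)."""
    groups = defaultdict(list)
    for ev in filter(None, map(parse_4625, events_xml)):
        key = (ev["TargetUserName"], ev["LogonType"], ev["ProcessName"],
               ev["SubStatus"].lower())
        groups[key].append(ev["when"])
    report = []
    for (user, ltype, proc, sub), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        report.append({"user": user, "process": proc, "count": len(times),
                       "logon_type": LOGON_TYPES.get(ltype, ltype),
                       "reason": SUBSTATUS.get(sub, sub),
                       "median_gap_min": statistics.median(gaps) if gaps else None})
    return report

# Constructed sample (not real log data), trimmed to the fields used above.
TEMPLATE = ('<Event><System><EventID>{eid}</EventID><TimeCreated '
            'SystemTime="2014-09-23T{t}.187792500Z"/></System><EventData>'
            '<Data Name="TargetUserName">ABC</Data><Data Name="LogonType">4</Data>'
            '<Data Name="SubStatus">0xc000006a</Data><Data Name="ProcessName">'
            'C:\\Windows\\System32\\svchost.exe</Data></EventData></Event>')
SAMPLE = [TEMPLATE.format(eid=e, t=t) for e, t in [("4625", "14:30:00"),
          ("4625", "14:45:00"), ("4624", "14:50:00"), ("4625", "15:00:00")]]
if __name__ == "__main__":
    print(summarize(SAMPLE))
```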