Tuesday, March 27, 2012

Detect the cause of Event ID 529.

Recently I found that a few of our servers were throwing SECURITY AUDIT FAILURE events after a password reset for all SharePoint service accounts.
Trying to google it, I could not find a way to determine the exact reason why it was showing up. I knew that there was a SharePoint service account used somewhere which wasn't supplied the new password, but how do I know where, when there was PerformancePoint, there was DocAve, there was antivirus and everything else?

But it's really easy to detect the cause of the issue.

You will see the Event ID listed as:
=============================================
Logon Failure
Reason: Unknown user name or bad password
User Name: %1
Domain: %2
Logon Type: %3
Logon Process: %4
Authentication Package: %5
Workstation Name: %6

Windows Server 2003 adds these fields:

Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID:-
Transited Services:-
Source Network Address:10.42.42.180
Source Port:0

=========================================
Find the latest occurrence of the Event ID.
Now make a note of the Process ID in the error (the Caller Process ID field).
Now go to Task Manager and open the Processes tab.
Click the View menu, choose Select Columns, and enable PID.
Match the culprit PID with the running process.
Voilà! You have your guilty process.
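
The PID matching in the steps above can also be scripted. The following is an added example, not part of the original post: it assumes Windows PowerShell 2.0 or later on the server that logged the failures and the Server 2003 message layout shown above, and the helper name Get-Field is hypothetical. Where Caller Process ID is "-", as in the sample event, there is no local PID to match, so the script reports the Source Network Address instead.

```powershell
# Added example, not the post's own code. Run elevated on the server that
# logged the failures. Assumes the Server 2003-style 529 message shown above.

function Get-Field([string]$Message, [string]$Name) {
    # Fields are "Name: value" lines; anchoring at line start keeps
    # 'User Name' from matching 'Caller User Name'.
    $pattern = '(?m)^[ \t]*' + [regex]::Escape($Name) + '[ \t]*:[ \t]*(.*?)[ \t\r]*$'
    if ($Message -match $pattern) { $Matches[1] }
}

$events = @(Get-EventLog -LogName Security -InstanceId 529 -Newest 200 -ErrorAction SilentlyContinue)
if (-not $events) { 'No Event ID 529 entries found.'; return }

$rows = foreach ($e in $events) {
    New-Object PSObject -Property @{
        User      = Get-Field $e.Message 'User Name'
        CallerPid = Get-Field $e.Message 'Caller Process ID'
        Source    = Get-Field $e.Message 'Source Network Address'
        Time      = $e.TimeGenerated
    }
}

$rows | Group-Object User, CallerPid, Source | ForEach-Object {
    $first = $_.Group[0]
    $procName = '(no local PID logged; check the source address)'
    $services = ''
    if ($first.CallerPid -match '^(0x[0-9a-f]+|\d+)$') {
        $procId = [int]$first.CallerPid   # accepts decimal or 0x-prefixed hex
        # The process may have exited, or the PID been reused, since the event.
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $procName = if ($proc) { $proc.ProcessName } else { '(process no longer running)' }
        # Services hosted in that PID, with the account each one logs on as.
        $services = (Get-WmiObject Win32_Service -Filter "ProcessId=$procId" |
            ForEach-Object { "$($_.Name) [$($_.StartName)]" }) -join '; '
    }
    New-Object PSObject -Property @{
        Failures = $_.Count
        LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        User = $first.User; CallerPid = $first.CallerPid; Source = $first.Source
        Process = $procName; Services = $services
    }
} | Sort-Object Failures -Descending |
    Format-Table Failures, LastSeen, User, CallerPid, Process, Services, Source -AutoSize
```

A row whose Services column names the account from the User column points at the service that still holds the old password.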

In my case it was DocAve; I just went into the Manager console and changed the password of the service account used.

That stopped the event ID from appearing.

If you get this audit failure event for local accounts, then follow the KB http://support.microsoft.com/kb/811082




