﻿<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 644 - User Account Locked Out  / Lots of 644 for user Administrator - unusual / Latest Posts</title><generator>InstantForum.NET v4.1.4</generator><description>UltimateWindowsSecurity.com Forum</description><link>http://forum.ultimatewindowssecurity.com/</link><webMaster>noreply@ultimatewindowssecurity.com</webMaster><lastBuildDate>Thu, 17 May 2012 09:10:03 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: Lots of 644 for user Administrator - unusual</title><link>http://forum.ultimatewindowssecurity.com/Topic98-91-1.aspx</link><description>Hello and thanks again for responding, I sent a response to you directly by e-mail on Fri 6/12/09 1:39 PM, the e-mail contains a little more information than I'd like to post here but if we manage to figure this out I'd like to clean it up a little and post it so other people can find a solution to this.&lt;br&gt;Thanks again for all your help and I'm looking forward to the webinar on Wednesday!</description><pubDate>Mon, 22 Jun 2009 08:27:35 GMT</pubDate><dc:creator>DarqAngels</dc:creator></item><item><title>RE: Lots of 644 for user Administrator - unusual</title><link>http://forum.ultimatewindowssecurity.com/Topic98-91-1.aspx</link><description>waiting on reply to private message</description><pubDate>Wed, 10 Jun 2009 12:03:19 GMT</pubDate><dc:creator>RandyFranklinSmith</dc:creator></item><item><title>Lots of 644 for user Administrator - unusual</title><link>http://forum.ultimatewindowssecurity.com/Topic98-91-1.aspx</link><description>Hello, &lt;br&gt;We have been experiencing an issue for some time and it always comes back to this. 
We are using RSA enVision to track our logs and when I run a report against event ID 644 to see if we have failures for the day we always see a few hundred (in the morning) for administrator, by end of day it's in the thousands.&lt;br&gt;&lt;br&gt;However here is what the errors look like.&lt;br&gt;&lt;br&gt;User Administrator&lt;br&gt;Device address: 172.x.x.x&lt;br&gt;Workstation: generally seems to be the same workstations, let's call it MON0100&lt;br&gt;logon type = 0&lt;br&gt;Reason= blank&lt;br&gt;calling_address = blank&lt;br&gt;calling_username = DOM0100$ (DOM0100 is our primary domain controller)&lt;br&gt;&lt;br&gt;So the strange thing I am seeing is that we get these messages several hundred to thousand times a day and the calling username changes to various domain controllers throughout the day. When the error is reported from a workstation on a different forest it will be calling address from that domain controller.&lt;br&gt;Does anyone have any idea why this is happening?&lt;br&gt;Thank you soooooo much in advance for any help at all!&lt;br&gt;-Dan&lt;br&gt;</description><pubDate>Fri, 05 Jun 2009 09:42:45 GMT</pubDate><dc:creator>DarqAngels</dc:creator></item></channel></rss>
