Local user account attempting domain logon Expand / Collapse
Posted 8/19/2015 1:09:27 PM
Forum Newbie

Forum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum NewbieForum Newbie

Group: Forum Members
Last Login: 8/19/2015 1:00:31 PM
Posts: 1, Visits: 1
I have a strange instance of event 4625 being generated that I can't explain.

A member server of an Active Directory domain has a local user account which is being used to run a service for an application. The domain controllers are full of 4625 events recording failed logons. What I can understand is why a service running under the context of a local user on a member server would attempt to authenticate against a domain controller??

Here is the obfuscated log details:

SourceName=Microsoft Windows security auditing.
Keywords=Audit Failure
Message=An account failed to log on.

Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: local_user
Account Domain: MemberServer

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc0000064

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: MemberServer
Source Network Address:
Source Port: 54831

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Any thoughts?

Post #4826
Posted 8/23/2015 8:14:19 PM
Supreme Being

Supreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme BeingSupreme Being

Group: Moderators
Last Login: 11/14/2013 3:17:47 PM
Posts: 237, Visits: 0
I believe that domain users can be assigned local administrator rights to a machine. Could this be the case?
Post #4837
« Prev Topic | Next Topic »

Permissions Expand / Collapse

All times are GMT -5:00, Time now is 9:21am