Forum Member
Randy,
I'm seeing the following events:
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: computername$
Account Domain: Domainname
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0x0
Something to worry about, or noise?
Thx,
Jeff

Expert
Jeff, this is just noise. I see it all the time.

Forum Newbie
Hi!
I have a similar issue. I have lots of Kerberos-related failed logons, and I'm aware that it's not an issue. However, lately I got some weird events with "administrator" as a user and I have no clue what's causing it. This event is logged once every ~30 minutes (even at night) with different ports. I'd appreciate any help.
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 3/18/2011 10:38:42 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: myserver.mydomain.local
Description:
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: Administrator
Account Domain: MyDomain
Failure Information:
Failure Reason: An Error occured during Logon.
Status: 0xc000006d
Sub Status: 0x0
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: MyServer
Source Network Address: 192.168.1.2
Source Port: 33385
Detailed Authentication Information:
Logon Process:
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0

Expert
1. What kind of computer is the source address? Workstation, another server, or what?
2. It would be a lot of work, but you could enable firewall auditing on the source computer and then try to correlate these events with the connection events on the source computer to see which program on the source computer is opening the connection.
3. If it weren't for the user being "administrator" I would just ignore it, because when you google "0xc000006d Substatus 0x0" you get a myriad of network connection problems.

Forum Newbie
Thank you for the reply.
Source is the same server which logs the event. I guess that means that firewall monitoring is not an option. I'd happily ignore the logs, but the "administrator" is bothering me as well.

Expert
Can you try renaming the Administrator account to something else like NewAdmin? Then see if that changes what gets logged? It may cause different, more informative events to be logged.

Forum Newbie
Hi, I am having the same exact problem with my virtual center. The audit code 4625 keeps coming up with administrator. Is there alarm for this? Also, I am getting 4776 on the same machine for administrator as well. Any help would be appreciated.

Expert
0xc000006d seems to be caused by system problems and not security related. The fact you are getting 4776 too is not surprising if it is a domain account and the computer is a domain controller or if it is a local account and the computer is a member server or workstation. 4626 is a logon event. 4776 is an authentication event.
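
One way to run the triage discussed in this thread, as an added example that is not part of any poster's reply: it reads the 4625 events from the local Security log, groups them by target account, source address and status code so machine-account (`name$`) failures separate from failures for named accounts such as Administrator, and lists the gaps between consecutive failures for named accounts. The one-day window and the variable names are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the logging server.
$since = (Get-Date).AddDays(-1)          # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read the EventData fields by name from the event's XML form.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        Account     = $data['TargetUserName']
        IsMachine   = "$($data['TargetUserName'])".EndsWith('$')
        LogonType   = $data['LogonType']
        Status      = $data['Status']
        SubStatus   = $data['SubStatus']
        Workstation = $data['WorkstationName']
        SourceIp    = $data['IpAddress']
        AuthPackage = "$($data['AuthenticationPackageName'])".Trim()
        Process     = $data['ProcessName']
    }
}

# One row per account/source/status combination, busiest first.
$rows | Group-Object Account, IsMachine, SourceIp, Status, SubStatus, AuthPackage |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'First'; e = { ($_.Group | Sort-Object Time | Select-Object -First 1).Time } },
        @{ n = 'Last';  e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } } |
    Format-Table -AutoSize

# Minutes between consecutive failures for named (non-machine) accounts.
# A steady gap suggests an automated source rather than someone typing.
$named = @($rows | Where-Object { -not $_.IsMachine } | Sort-Object Account, Time)
$gaps = for ($i = 1; $i -lt $named.Count; $i++) {
    if ($named[$i].Account -eq $named[$i - 1].Account) {
        [pscustomobject]@{
            Account    = $named[$i].Account
            Time       = $named[$i].Time
            GapMinutes = [math]::Round(($named[$i].Time - $named[$i - 1].Time).TotalMinutes, 1)
            SourceIp   = $named[$i].SourceIp
        }
    }
}
$gaps | Format-Table -AutoSize
```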