How often??? We had an issue that some people tried to pass off and say it was our team's fault, and when I finally had time to dig into the issue it turned out those same people changed some settings in the antivirus policy and had it using the local administrator account instead of the domain account to access a network share.
Point to be had is there a pattern with these logs. Knowing the pattern may help to find out what process runs that often.

From: Alex Carroll [mailto:[EMAIL PROTECTED]
Sent: Monday, December 01, 2008 5:29 PM
To: NT System Admin Issues
Subject: Userenv 1006, 1030 Domain issues

I am having issues here. This has been going on for a while and is just a rather large annoyance but I am starting to wonder if something more isn't going on.

An account (a domain admin) is getting locked out of our DC (SBS 2003). It starts with a bunch of bad password attempts and then locks his account out after it reaches the maximum bad password limit. This seems to happen every hour and a half or so (between 1-2 hours).

Here is the 529 from our DC:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 12/1/2008
Time: 2:44:23 PM
User: NT AUTHORITY\SYSTEM
Computer: CRAB03SVR
Description:
Logon Failure:
    Reason: Unknown user name or bad password
    User Name: richc
    Domain: CRAB03SVR
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: CRAB03SVR-2
    Caller User Name: -
    Caller Domain: -
    Caller Logon ID: -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: 192.168.200.205
    Source Port: 1379

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Not a big deal, right? Until I finally broke down and looked at the other server that the errors were coming from. It states that they are coming from the Administrator account. There are two events that happen simultaneously. 1006 and 1030 both from USERENV.

1030:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1030
Date: 12/1/2008
Time: 2:44:23 PM
User: CRABTREE\Administrator
Computer: CRAB03SVR-2
Description:
Windows cannot query for the list of Group Policy objects. Check the event log for possible messages previously logged by the policy engine that describes the reason for this.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

1006:

Event Type: Error
Event Source: Userenv
Event Category: None
Event ID: 1006
Date: 12/1/2008
Time: 2:44:23 PM
User: CRABTREE\Administrator
Computer: CRAB03SVR-2
Description:
Windows cannot bind to CRABTREE.LAN domain. (Invalid Credentials). Group Policy processing aborted.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Any Ideas?

Alex Carroll
Software Support
Crabtree Companies, Inc.
651-688-2727
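
One way to look for the pattern the reply asks about, as an added example that is not code from either poster: it parses 529 records exported as text in the field layout quoted above, groups the failures by user, workstation and source address, and measures the minutes between bursts. Assumptions: the sample timestamps are constructed (only 2:44:23 PM is from the post), the 5-minute burst gap is arbitrary, and the 90-120 minute window is the default background Group Policy refresh interval (90 minutes plus a random offset of up to 30), chosen because the post shows Userenv 1006/1030 logged in the same second as a 529.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the field layout of the 529 quoted in the post. Only the
# 2:44:23 PM time is from the post; every other timestamp is invented.
TEMPLATE = ("Event ID: 529 Date: 12/1/2008 Time: {t} User: NT AUTHORITY\\SYSTEM "
            "Computer: CRAB03SVR Description: Logon Failure: Reason: Unknown user "
            "name or bad password User Name: richc Domain: CRAB03SVR Logon Type: 3 "
            "Workstation Name: CRAB03SVR-2 Source Network Address: 192.168.200.205 ")
TIMES = ["11:30:23 AM", "11:30:24 AM", "11:30:26 AM",
         "1:05:23 PM", "1:05:24 PM", "2:44:23 PM", "2:44:24 PM"]
SAMPLE = "".join(TEMPLATE.format(t=t) for t in TIMES)

RECORD = re.compile(
    r"Event ID: 529 Date: (?P<date>\S+) Time: (?P<time>\S+ [AP]M) .*?"
    r"User Name: (?P<user>\S+) .*?Workstation Name: (?P<ws>\S+) .*?"
    r"Source Network Address: (?P<addr>\S+)", re.S)

def parse_529(text):
    """Yield (timestamp, user, workstation, source address) for each 529 record."""
    for m in RECORD.finditer(text):
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        yield ts, m["user"], m["ws"], m["addr"]

def bursts(text, quiet=timedelta(minutes=5)):
    """Per (user, workstation, address), split failures into bursts separated
    by more than `quiet` of silence."""
    by_src = defaultdict(list)
    for ts, *key in sorted(parse_529(text)):
        runs = by_src[tuple(key)]
        if runs and ts - runs[-1][-1] <= quiet:
            runs[-1].append(ts)      # same burst of bad-password attempts
        else:
            runs.append([ts])        # a new burst starts here
    return dict(by_src)

def burst_gaps(runs):
    """Minutes between the starts of consecutive bursts."""
    return [round((b[0] - a[0]).total_seconds() / 60) for a, b in zip(runs, runs[1:])]

def fits_window(gaps, lo=90, hi=120):
    """True when every gap falls in the assumed refresh window (minutes)."""
    return bool(gaps) and all(lo <= g <= hi for g in gaps)

if __name__ == "__main__":
    for key, runs in bursts(SAMPLE).items():
        gaps = burst_gaps(runs)
        print(key, "burst sizes:", [len(r) for r in runs], "gaps (min):", gaps,
              "matches 90-120 min window:", fits_window(gaps))
```
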