Alex,


I would go back to CRAB03SVR-2 and try to find the process that is running
about every 90 minutes.  Could it be a GPO refresh and the computer password
is out of sync?  Did richc set up any processes to check CRAB03SVR or any
other networked computer that they would need to authenticate to CRAB03SVR
to connect to that they are running from CRAB03SVR-2?  Take your next pass
guess at the time you think the alert will happen again and set up some
monitoring.  You can use filemon, "netstat -o".   I would guess there will
be some network connection to CRAB03SVR from CRAB03SVR-2.  "netstat -o" will
show the process ID which you can then use to see the process in task
manager.  This of course can be cumbersome if there are a lot of network
connections to begin with from CRAB03SVR-2.  Once you run the monitor, and if
you think you caught a change or a new process running, check the logs and
see if an event was generated, and bingo, you have the process.



Some thoughts: a log parser, file sync/replication.  Anything that is
automated from CRAB03SVR-2.


If not, you can try these...

http://support.microsoft.com/kb/811082

http://www.tech-archive.net/Archive/Windows/microsoft.public.windows.server.sbs/2008-05/msg01841.html
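
The "netstat -o" monitoring suggested above can be left running unattended instead of watched by hand. The script below is an added example, not part of the original message: it polls netstat on CRAB03SVR-2 and logs each new TCP connection to CRAB03SVR with its owning process. It assumes PowerShell is installed on CRAB03SVR-2 and that the name CRAB03SVR resolves from there; the polling interval and log path are placeholders.

```powershell
# Added example (not from the thread). Run on CRAB03SVR-2 shortly before the
# next expected lockout; stop with Ctrl+C.
param(
    [string]$Target      = 'CRAB03SVR',             # DC name taken from the thread
    [int]   $IntervalSec = 2,                       # assumed polling interval
    [string]$LogPath     = '.\dc-connections.log'   # assumed log location
)

# IPv4 addresses that netstat will show for the DC.
$targetIps = @([System.Net.Dns]::GetHostAddresses($Target) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    ForEach-Object { $_.IPAddressToString })

$seen = @{}   # connections already logged: local endpoint, remote endpoint, PID

while ($true) {
    foreach ($line in (netstat -ano)) {
        # netstat -ano TCP columns: Proto, Local Address, Foreign Address, State, PID
        if ($line -notmatch '^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$') { continue }
        $local  = $Matches[1]
        $remote = $Matches[2]
        $state  = $Matches[3]
        $procId = [int]$Matches[4]

        # Keep only connections whose remote address is the DC.
        $remoteIp = $remote.Substring(0, $remote.LastIndexOf(':'))
        if ($targetIps -notcontains $remoteIp) { continue }

        $key = "$local|$remote|$procId"
        if ($seen.ContainsKey($key)) { continue }
        $seen[$key] = $true

        # TIME_WAIT rows report PID 0, and a short-lived process may already
        # have exited by the time it is looked up.
        $name = '<closed or exited>'
        if ($procId -ne 0) {
            $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
            if ($proc) { $name = $proc.ProcessName }
        }

        $stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        $entry = "$stamp  $local -> $remote  $state  PID $procId  $name"
        Add-Content -Path $LogPath -Value $entry
        Write-Host $entry
    }
    Start-Sleep -Seconds $IntervalSec
}
```

The local port in each logged line can be compared with the "Source Port" field of the next 529 event on CRAB03SVR to tie a failed logon to one process.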




On Tue, Dec 2, 2008 at 11:03 AM, Alex Carroll <[EMAIL PROTECTED]> wrote:

>  Removing the anonymous log-in from the virtual directory I found using
> his username did not fix the issue.  Anything else I should check in IIS? Or
> any other ideas?
>
>
>
> Alex Carroll
>
> Software Support
>
> Crabtree Companies, Inc.
>
> 651-688-2727
>
>
>  ------------------------------
>
> *From:* James Rankin [mailto:[EMAIL PROTECTED]
> *Sent:* Tuesday, December 02, 2008 8:24 AM
> *To:* NT System Admin Issues
> *Subject:* Re: Userenv 1006, 1030 Domain issues
>
>
>
>
>
>  Logon type 3 is a network logon, so can't be a service or scheduled task
> as far as I am aware. Does the server run IIS?
>
> 2008/12/1 Alex Carroll <[EMAIL PROTECTED]>
>
> I am having issues here.  This has been going on for a while and is just a
> rather large annoyance but I am starting to wonder if something more isn't
> going on.  An account (a domain admin) is getting locked out of our DC (SBS
> 2003).  It starts with a bunch of bad password attempts and then locks his
> account out after it reaches the maximum bad password limit.  This seems to
> happen every hour and a half or so (between 1-2 hours).
>
>
>
> *Here is the 529 from our DC:*
>
> *Event Type:       Failure Audit*
>
> *Event Source:    Security*
>
> *Event Category: Logon/Logoff *
>
> *Event ID:           529*
>
> *Date:                12/1/2008*
>
> *Time:                2:44:23 PM*
>
> *User:                NT AUTHORITY\SYSTEM*
>
> *Computer:         CRAB03SVR*
>
> *Description:*
>
> *Logon Failure:*
>
> *            Reason:                        Unknown user name or bad
> password*
>
> *            User Name:       richc*
>
> *            Domain:                        CRAB03SVR*
>
> *            Logon Type:      3*
>
> *            Logon Process: NtLmSsp *
>
> *            Authentication Package:            NTLM*
>
> *            Workstation Name:        CRAB03SVR-2*
>
> *            Caller User Name:          -*
>
> *            Caller Domain:   -*
>
> *            Caller Logon ID: -*
>
> *            Caller Process ID:          -*
>
> *            Transited Services:        -*
>
> *            Source Network Address:           192.168.200.205*
>
> *            Source Port:      1379*
>
> * *
>
> * *
>
> *For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.*
>
>
>
> Not a big deal right?  Until I finally broke down and looked at the other
> server that the errors were coming from.  It states that they are coming
> from the Administrator account.  There are two events that happen
> simultaneously.  1006 and 1030 both from USERENV.
>
>
>
> 1030:
>
> *Event Type:       Error*
>
> *Event Source:    Userenv*
>
> *Event Category: None*
>
> *Event ID:           1030*
>
> *Date:                12/1/2008*
>
> *Time:                2:44:23 PM*
>
> *User:                CRABTREE\Administrator*
>
> *Computer:         CRAB03SVR-2*
>
> *Description:*
>
> *Windows cannot query for the list of Group Policy objects. Check the
> event log for possible messages previously logged by the policy engine that
> describes the reason for this.*
>
> * *
>
> *For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.*
>
>
>
> 1006:
>
> *Event Type:       Error*
>
> *Event Source:    Userenv*
>
> *Event Category: None*
>
> *Event ID:           1006*
>
> *Date:                12/1/2008*
>
> *Time:                2:44:23 PM*
>
> *User:                CRABTREE\Administrator*
>
> *Computer:         CRAB03SVR-2*
>
> *Description:*
>
> *Windows cannot bind to CRABTREE.LAN domain. (Invalid Credentials). Group
> Policy processing aborted. *
>
> * *
>
> *For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.*
>
>
>
>
>
> Any Ideas?
>
>
>
>
>
> Alex Carroll
>
> Software Support
>
> Crabtree Companies, Inc.
>
> 651-688-2727
>