Well it looks like it's not mapped drives. I checked the event log this morning and there were 4 failed attempts reported yesterday.
They happened at 11:06AM, 1:07PM, 3:07PM, and 5:08PM. One example is below.
Log Name : Security
Log Source : Security
Log EventID : 529
Log Time Generated : 9/8/2014 5:08:42 PM
Log Message : Logon Failure:
Reason:Unknown user name or bad password
User Name:Robin
Domain:RobinDELLLaptop
Logon Type:3
Logon Process:NtLmSsp
Authentication Package:NTLM
Workstation Name:ROBINDELLLAPTOP
Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID:-
Transited Services:-
Source Network Address:192.168.0.169
Source Port:57265
I found this in the security logs on the laptop, but there are no other entries that are similar at the 1:07, 3:07, or 5:08 times...which leads me to believe it's not related. It's also for a 3rd party exchange host and not our AD.
A logon was attempted using explicit credentials.
Subject:
Security ID:S-1-5-21-2089813806-174608388-3232790742-1000
Account Name:Robin
Account Domain:RobinDELLLaptop
Logon ID:0x9abcf
Logon GUID:{00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name:REDACTED
Account Domain:RobinDELLLaptop
Logon GUID:{00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name:EXCH001SV2.NA01.msexchangeoutlook.com
Additional Information:EXCH001SV2.NA01.msexchangeoutlook.com
Process Information:
Process ID:0x19f0
Process Name:C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
Network Information:
Network Address:-
Port:-
This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
I checked the application, system, and other logs...but there's absolutely nothing around those times. I also checked the Labtech command history around these times...but only two commands ran on 9/8, which is scanning services. The only script that ran at one of the times was a monitor restart service. It ran at 11:25, but not the other times. This doesn't really seem to suggest a script is causing the issue. Labtech doesn't have the credentials for the "Robin" account anyway.
Any other thoughts or suggestions? Every 2 hours makes it appear that maybe it's a scheduled script of some sort?
Statistics: Posted by Katty — Wed Sep 10, 2014 9:59 am
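The every-two-hours pattern raised in the post can be checked mechanically. The following is an added example, not part of the original post: it parses a text export in the format shown above, groups event 529 failures by user and source address, and reports groups whose gaps are near-constant. Only the 5:08:42 PM timestamp comes from the post; the other seconds values, the tolerance and the function names are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the post's export format. Only 5:08:42 PM is a real
# timestamp from the post; the seconds on the other three are made up.
TIMES = ["11:06:40 AM", "1:07:11 PM", "3:07:41 PM", "5:08:42 PM"]
RECORD = ("Log Name : Security\nLog EventID : 529\n"
          "Log Time Generated : 9/8/2014 {t}\nLog Message : Logon Failure:\n"
          "User Name:Robin\nLogon Type:3\n"
          "Source Network Address:192.168.0.169\nSource Port:57265\n")
SAMPLE = "".join(RECORD.format(t=t) for t in TIMES)

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*)$")

def parse_records(text):
    """One dict per event; a 'Log Name' line starts a new record."""
    records, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.group(1), m.group(2).strip()
        if key == "Log Name":
            cur = {}
            records.append(cur)
        if cur is not None:
            cur[key] = val
    return records

def periodic_sources(records, tolerance_s=300, min_events=3):
    """Map (user, source address) -> mean gap in seconds, for event 529
    groups whose consecutive gaps all lie within tolerance_s of the mean."""
    groups = defaultdict(list)
    for r in records:
        if r.get("Log EventID") == "529" and "Log Time Generated" in r:
            ts = datetime.strptime(r["Log Time Generated"], "%m/%d/%Y %I:%M:%S %p")
            groups[(r.get("User Name"), r.get("Source Network Address"))].append(ts)
    found = {}
    for key, stamps in groups.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = sum(gaps) / max(len(gaps), 1)
        if len(stamps) >= min_events and all(abs(g - mean) <= tolerance_s for g in gaps):
            found[key] = mean
    return found

if __name__ == "__main__":
    for (user, src), gap in periodic_sources(parse_records(SAMPLE)).items():
        print(f"{user} from {src}: failure every ~{gap / 60:.0f} min")
```

A flagged group points at a timer-driven client on the source address rather than a person retyping a password, which narrows the search to scheduled tasks, services and sync clients on that machine.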