Our network security guy called me about an event error found on our
windows domain controller which also doubles as our iseries file server
(qntc).
Here is the error.
AV - Alert - "1608147140" --> RID: "18116"; RL: "9"; RG:
"windows,authentication_failures,"; RC: "User account locked out
(multiple login errors)."; USER: "(no user)"; SRCIP: "None"; HOSTNAME:
"(Host-x-x-x-x) x.x.x.x->WinEvtLog"; LOCATION: "(Host-x-x-x-x)
x.x.x.x->WinEvtLog"; EVENT: "[INIT]2020 Dec 16 14:32:17 WinEvtLog:
Security: AUDIT_SUCCESS(4740): Microsoft-Windows-Security-Auditing: (no
user): no domain: xxx.xxx.com: 0x8000000000000000 message: A user
account was locked out. Subject: Security ID: S-1-5-18 Account Name:
NT5$ Account Domain: X_DOMAIN Logon ID: 0x3e7 Account That Was Locked
Out: Security ID: S-1-5-21-1175146227-807941459-751859383-501 Account
Name: Guest Additional Information: Caller Computer Name: XXX [END]";
The part that is confusing to us is the "no user". How can the iseries
access a windows server with no user?
Any thought as to what might trigger this event?
This mailing list archive is Copyright 1997-2024 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact
[javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
