I would greatly appreciate any help you can give on this. My Log & Event Manager is going crazy with "UserLogonFailure" errors being generated because the NPM is trying to access our other servers using the previous Systems Administrators credentials. Here's my question: Where do I even begin to find out where these credentials are being store so I can change them? Here's the entire log (I replaced the name of our college with x's): Event FieldInformationEvent NameUserLogonFailureEventInfoLogon Failure "Academic\admindtyner"InsertionIPTR-SVRAC-DC1.Academic.xxxxxxx.eduManagertr-svr-lem1DetectionIPTR-SVRAC-DC1.Academicxxxxxxx.eduInsertionTime14:36:02 Thu Dec 15 2016DetectionTime14:36:02 Thu Dec 15 2016Severity4ToolAliasVista SecurityInferenceRuleProviderSIDMicrosoft-Windows-Security-Auditing 4625ExtraneousInfoSourceAccount-SourceDomain-SourceLogonID0x0DestinationAccountadmindtynerDestinationDomainAcademicDestinationLogonIDDestinationAccountTypeSourceMachine10.70.2.66DestinationMachineTR-SVRAC-DC1.Academic.xxxxxxx.eduPrivilegesExercisedLogonProcessNtLmSspAuthPackageNTLMLogonTypeWindows: NetworkFailureReasonAccount currently disabled.FailureCount1IsThreatfalse

Community
- Command Central
- MVP Program
- Monthly Mission
- Blogs
- Groups
- Events
- Media Vault
Products
- Observability
- Network Management
- Application Management
- IT Security
- IT Service Management
- System Management
- Database Management
Content Exchange
- SolarWinds Platform
- Server & Application Monitor
- Database Performance Analyzer
- Server Configuration Monitor
- Network Performance Monitor
- Network Configuration Manager
- SQL Sentry
- Web Help Desk
Free Tools & Trials
Store

Newbie Looking for Help with "UserLogonFailure"

I would greatly appreciate any help you can give on this.

My Log & Event Manager is going crazy with "UserLogonFailure" errors being generated because the NPM is trying to access our other servers using the previous Systems Administrators credentials. Here's my question: Where do I even begin to find out where these credentials are being store so I can change them?

Here's the entire log (I replaced the name of our college with x's):

Event Field	Information
Event Name	UserLogonFailure
EventInfo	Logon Failure "Academic\admindtyner"
InsertionIP	TR-SVRAC-DC1.Academic.xxxxxxx.edu
Manager	tr-svr-lem1
DetectionIP	TR-SVRAC-DC1.Academicxxxxxxx.edu
InsertionTime	14:36:02 Thu Dec 15 2016
DetectionTime	14:36:02 Thu Dec 15 2016
Severity	4
ToolAlias	Vista Security
InferenceRule
ProviderSID	Microsoft-Windows-Security-Auditing 4625
ExtraneousInfo
SourceAccount	-
SourceDomain	-
SourceLogonID	0x0
DestinationAccount	admindtyner
DestinationDomain	Academic
DestinationLogonID
DestinationAccountType
SourceMachine	10.70.2.66
DestinationMachine	TR-SVRAC-DC1.Academic.xxxxxxx.edu
PrivilegesExercised
LogonProcess	NtLmSsp
AuthPackage	NTLM
LogonType	Windows: Network
FailureReason	Account currently disabled.
FailureCount	1
IsThreat	false

Find more posts tagged with

Accepted answers

All comments

sean.martinez

On the Orion Web Console, go into Settings> Manage Windows Credentials. In there you will see all of the credentials used at the Node level. You can edit the credentials and replace them with another account.

aaroncampbell72

I found the offending account in "Manage Windows Credentials" and changed it to the correct current admin account, but LEM is still reporting UserLogonFailure with the old account I just changed, even after rebooting the server. Is there anything I'm missing? Note: LEM is reporting FAR fewer UserLogonFailure for the old account, but it IS still reporting them.

blsanner

Do you have any other Solarwinds modules, SAM especially? Each module can have it's own set of credentials. As an example, if you do have SAM, you may want to go to Settings --> SAM Settings --> Credentials Library and see if the account in question is in there.

aaroncampbell72

Your reply nudged me into looking at what other branches could have credentials stored in them. I found the offending account by going to Settings > All Settings > SAM Settings > Credentials Library. I updated the account and now my LEM is looking likes it's supposed to look. Thanks for all the help, everyone!