renamed user account, original name showing failed logon


  • renamed user account, original name showing failed logon

    I renamed an account used for updating our antivirus solution in ADUC. This acct is used in the AV update policy and has a read access ACL to the definition files on the local server. I changed the AV policy account to the renamed account and made sure the ACL account was changed.

    Now for some reason I'm getting security failure audits on the server hosting the AV solution, not the domain controller. It's showing the older user name before it was renamed.

    event id: 529, user: NT Authority\System, reason: unknown user name or bad password, user name: SrvcMgmt, logon type: 4, logon process: Advapi, caller user name: servername$

    event id: 529, user: NT Authority\System, reason: unknown user name or bad password, user name: SrvcMgmt, logon type: 4, logon process: DCOMSCM, caller user name: servername$

    The AV updating policy is working correctly with the renamed account. Any ideas why the older user name is showing as trying to log on?

    Both servers are 2003.

    Thanks in advance and let me know if more info is needed.
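
Added example (not part of the original post or its replies): a small Python triage of the two event 529 lines quoted above, grouping the failures for the old account name by logon type and logon process. The function names and the hint text are assumptions of this example; the logon type numbers are the standard Windows codes.

```python
import re
from collections import Counter

# Windows logon type codes recorded in Security-log logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}

# Triage hints (assumptions of this example, not from the thread): where a
# stale stored credential typically lives for a logon type or logon process.
HINTS = {
    "Batch": "scheduled tasks / batch jobs with a stored 'run as' account",
    "Service": "service 'Log On As' account",
    "DCOMSCM": "DCOM application configured to run as a specific user",
}

# The two event lines quoted in the post, embedded as sample input.
SAMPLE = """\
event id: 529, user: NT Authority\\System, reason: unknown user name or bad password, user name: SrvcMgmt, logon type: 4, logon process: Advapi, caller user name: servername$
event id: 529, user: NT Authority\\System, reason: unknown user name or bad password, user name: SrvcMgmt, logon type: 4, logon process: DCOMSCM, caller user name: servername$
"""

def parse_event(line):
    """Split one 'key: value, key: value' event line into a dict."""
    fields = {}
    for part in re.split(r",\s*(?=[a-z ]+:)", line.strip()):
        key, _, value = part.partition(":")
        fields[key.strip().lower()] = value.strip()
    return fields

def triage(lines, old_name):
    """Group event 529 failures for old_name by (logon type, logon process)."""
    counts = Counter()
    for line in lines:
        ev = parse_event(line)
        if ev.get("event id") != "529" or ev.get("user name", "").lower() != old_name.lower():
            continue
        raw = ev.get("logon type", "")
        ltype = LOGON_TYPES.get(int(raw), "Unknown") if raw.isdigit() else "Unknown"
        counts[(ltype, ev.get("logon process", "?"))] += 1
    report = []
    for (ltype, proc), n in sorted(counts.items()):
        hints = [HINTS[k] for k in (ltype, proc) if k in HINTS]
        report.append({"logon_type": ltype, "process": proc, "count": n, "check": hints})
    return report

if __name__ == "__main__":
    for row in triage(SAMPLE.splitlines(), "SrvcMgmt"):
        print(row)
```

Both quoted events come out as Batch logons (type 4), one of them through the DCOMSCM logon process.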

  • #2
    Re: renamed user account, original name showing failed logon

    I'm only guessing but I would make sure the entries are correct for the services and restart them. Something hasn't been changed somewhere.
    What AV is it?
    cheers
    Andy

    Please read this before you post:


    Quis custodiet ipsos custodes?


    • #3
      Re: renamed user account, original name showing failed logon

      Sophos Enterprise Endpoint Security

      I just checked the services as you noted, but they all seem to be using the local system and local service accounts. There was no showing of the older user name SrvcMgmt.

      Thanks for the help Andy.


      • #4
        Re: renamed user account, original name showing failed logon

        Originally posted by hops33n
        I renamed an account used for updating our antivirus solution in ADUC. This acct is used in the AV update policy and has a read access ACL to the definition files on the local server. I changed the AV policy account to the renamed account and made sure the ACL account was changed.

        Now for some reason I'm getting security failure audits on the server hosting the AV solution, not the domain controller. It's showing the older user name before it was renamed.

        event id: 529, user: NT Authority\System, reason: unknown user name or bad password, user name: SrvcMgmt, logon type: 4, logon process: Advapi, caller user name: servername$

        event id: 529, user: NT Authority\System, reason: unknown user name or bad password, user name: SrvcMgmt, logon type: 4, logon process: DCOMSCM, caller user name: servername$

        The AV updating policy is working correctly with the renamed account. Any ideas why the older user name is showing as trying to log on?

        Both servers are 2003.

        Thanks in advance and let me know if more info is needed.

        Check if any services that the AV service is dependent on use the changed account.


        • #5
          Re: renamed user account, original name showing failed logon

          Might be worth restarting them anyway, just in case they are calling it somehow. I haven't used Sophos for a long time so not sure on the settings inside it but can you give us a rough idea where you changed it and if you restarted anything after?

          Do the clients connect using a specific account?
          cheers
          Andy


          • #6
            Re: renamed user account, original name showing failed logon

            Originally posted by hops33n
            Sophos Enterprise Endpoint Security

            I just checked the services as you noted, but they all seem to be using the local system and local service accounts. There was no showing of the older user name SrvcMgmt.

            Thanks for the help Andy.

            If I'm not mistaken, Sophos does use a domain account in order to push AV updates across the net; LocalSystem accounts don't have network access.


            • #7
              Re: renamed user account, original name showing failed logon

              Sophos does use a domain acct to read the definition files off the server. In ADUC on the domain controller, I created the account SrvcMgmt, then several weeks later renamed it to SophosUpdater. The account has an ACL on the definition directory on the AV server, which auto renamed. Then on the Sophos central console, which is on the AV server, I changed the client updating policy from SrvcMgmt to SophosUpdater. The clients use the nci.local\SophosUpdater account to read the updated definition files on the server. The Sophos services should have been all restarted; I have restarted the server several times in the past days. Just to be safe, when there's some downtime I'll do another restart. Would it be something local on the AV server, since the failed logons aren't showing on the DC event log? Thanks again for the help.


              • #8
                Re: renamed user account, original name showing failed logon

                Just a thought, would it make any difference if I deleted the account in ADUC and recreated it?


                • #9
                  Re: renamed user account, original name showing failed logon

                  If you did you would have to make sure it had the same privileges as the original account and you could be in the same boat. Is there anywhere in the config to supply an account for the client machines as well?
                  Personally, because I don't know the software, I would be tempted to give Sophos a quick call.
                  cheers
                  Andy
