Kerberos Event Id 532 failure audit
Hi There
A Domain Admin recently left the job and his account was disabled. Since I disabled his account I keep getting Failure Audit Event ID 532 in the Security event log on a number of web servers. All web servers are running on Win2003 and AD on Win2008.
Event Id error on the Webserver:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 532
Date: 7/10/2012
Time: 2:38:12 PM
User: NT AUTHORITY\SYSTEM
Computer: SERVERWEB2
Description:
Logon Failure:
Reason: The specified user account has expired
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: SERVERWEB2
Caller User Name: SERVERWEB2$
Caller Domain: DOMAINNAME
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 2532
Transited Services: -
Source Network Address: -
Source Port: -
At the same time I get a DNS error in Netlogon.log on the same web server:
07/10 14:38:12 [SESSION] I_NetLogonGetAuthData called: (null) DOMAINNAME (Flags 0x1)
07/10 14:38:12 [MISC] DsGetDcName function called: Dom:DNS.DOMAIN.NAME Acct:(null) Flags: DS RET_DNS
07/10 14:38:12 [MISC] NetpDcGetName: DNS.DOMAIN.NAME using cached information
07/10 14:38:12 [MISC] DsGetDcName function returns 0: Dom:DOMAIN NAME Acct:(null) Flags: DS RET_DNS
At the same time I get Audit Failure Event ID 4769 in the Security event log on the Active Directory server:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 7/10/2012 2:38:12 PM
Event ID: 4769
Task Category: Kerberos Service Ticket Operations
Level: Information
Keywords: Audit Failure
User: N/A
Computer: ActiveDirectory2.DNS.DOMAIN.NAME
Description:
A Kerberos service ticket was requested.
Account Information:
Account Name: SERVERWEB2$@dns.domain.name
Account Domain: DNS.DOMAIN.NAME
Logon GUID: {00000000-0000-0000-0000-000000000000}
Service Information:
Service Name: host/serverweb2.dns.domain.name
Service ID: NULL SID
Network Information:
Client Address: 192.168.101.11
Client Port: 1681
Additional Information:
Ticket Options: 0x40810000
Ticket Encryption Type: 0xffffffff
Failure Code: 0x12
Transited Services: -
This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.
This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.
Ticket options, encryption types, and failure codes are defined in RFC 4120.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
<EventID>4769</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14337</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-07-10T18:38:12.634632200Z" />
<EventRecordID>859551364</EventRecordID>
<Correlation />
<Execution ProcessID="476" ThreadID="3252" />
<Channel>Security</Channel>
<Computer>ActiveDirectory2.dns.domain.name</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">SERVERWEB2$@dns.domain.name</Data>
<Data Name="TargetDomainName">dns.domain.name</Data>
<Data Name="ServiceName">host/serverweb2.dns.domain.name</Data>
<Data Name="ServiceSid">S-1-0-0</Data>
<Data Name="TicketOptions">0x40810000</Data>
<Data Name="TicketEncryptionType">0xffffffff</Data>
<Data Name="IpAddress">192.168.101.11</Data>
<Data Name="IpPort">1681</Data>
<Data Name="Status">0x12</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
</EventData>
</Event>
What I did till now:
1. If I enable the user account of the ex-employee, all these logs are cleared.
2. Removed and rejoined the server from the domain; still I got issues.
3. If I disable the WMI service on the web server, all the logs disappear.
Any ideas to fix the issue?
Sarath
July 12th, 2012 8:53am
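The 4769 record pasted above is machine-readable, so a reviewer can pull all failed service-ticket requests from a DC and group them by requesting account and service to see which machine account keeps failing (here SERVERWEB2$ against its own host/ SPN). The PowerShell below is an added example, not code from the thread or from Microsoft; the sample record is a constructed copy of the event above trimmed to the fields used, the RFC 4120 failure-code names are the ones relevant to this case, and the -Live switch assumes it is run on a Windows Server 2008 or later domain controller where Get-WinEvent is available.

```powershell
# Added example (not from the thread): parse Security event 4769 records and
# report failed Kerberos service-ticket requests grouped by account and service.

# Failure codes from RFC 4120 section 7.5.9 (only the ones relevant here).
$Krb5ErrorNames = @{
    '0x12' = 'KDC_ERR_CLIENT_REVOKED (credentials revoked: disabled, expired or locked account)'
    '0x17' = 'KDC_ERR_KEY_EXPIRED (password expired)'
    '0x18' = 'KDC_ERR_PREAUTH_FAILED (wrong password)'
}

function ConvertFrom-Event4769 {
    # Flattens the <Data Name="..."> elements of one 4769 record into an object.
    param([Parameter(Mandatory=$true)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $status = $data['Status']
    $reason = $Krb5ErrorNames[$status]
    if (-not $reason) { $reason = 'see RFC 4120' }
    New-Object PSObject -Property @{
        Time     = $EventXml.Event.System.TimeCreated.SystemTime
        Account  = $data['TargetUserName']
        Service  = $data['ServiceName']
        ClientIp = $data['IpAddress']
        Status   = $status
        Reason   = $reason
        Failed   = ($status -ne '0x0')   # a successful TGS request logs Status 0x0
    }
}

function Get-Failed4769 {
    # Takes raw event XML strings (or, with -Live, reads the Security log on a DC)
    # and returns one row per (account, service) pair that failed, with a count.
    param([string[]]$XmlRecords = @(), [switch]$Live)
    if ($Live) {
        # Assumption: run on the domain controller; last 500 4769 events.
        $XmlRecords = Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4769} -MaxEvents 500 |
            ForEach-Object { $_.ToXml() }
    }
    $XmlRecords |
        ForEach-Object { ConvertFrom-Event4769 -EventXml ([xml]$_) } |
        Where-Object { $_.Failed } |
        Group-Object Account, Service |
        ForEach-Object {
            $last = $_.Group | Sort-Object Time | Select-Object -Last 1
            New-Object PSObject -Property @{
                Account  = $last.Account
                Service  = $last.Service
                ClientIp = $last.ClientIp
                Status   = $last.Status
                Reason   = $last.Reason
                Count    = $_.Count
                LastSeen = $last.Time
            }
        }
}

# Constructed sample: the thread's 4769 record, reduced to the fields used above.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4769</EventID>
    <TimeCreated SystemTime="2012-07-10T18:38:12.634632200Z" />
    <Computer>ActiveDirectory2.dns.domain.name</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">SERVERWEB2$@dns.domain.name</Data>
    <Data Name="ServiceName">host/serverweb2.dns.domain.name</Data>
    <Data Name="IpAddress">192.168.101.11</Data>
    <Data Name="Status">0x12</Data>
  </EventData>
</Event>
'@

Get-Failed4769 -XmlRecords @($sample) |
    Format-Table Account, Service, ClientIp, Status, Count, LastSeen, Reason -AutoSize
# On a DC: Get-Failed4769 -Live | Format-Table -AutoSize
```

Status 0x12 (KDC_ERR_CLIENT_REVOKED) is what the KDC returns when the requesting principal's account is disabled, expired or locked out, which matches the "account has expired" reason in the 532 event on the web server; a steady stream of it from one machine account against its own host/ SPN points at a local process on that machine authenticating under a stale identity rather than at a password problem.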
Hi,
Why not remove all jobs for non-active directory owners? This should work for you.
Regards,
Yan Li
TechNet Community Support
July 12th, 2012 9:57pm
Hi Yan Li
We don't have any jobs running with AD accounts, but this guy who left the job has created all these jobs to run with the Local Admin account.
Thanks,
Sarath
July 16th, 2012 10:37am
Solution from Microsoft:
1- On the affected server go to the windows\system32\wbem folder and rename scm.mof (back up the current scm.mof).
2- Open the scm.mof file, go to the end of the text file and add CreatorSid = {1, 1, 0, 0, 0, 0, 0, 5, 18, 0, 0, 0}; as shown below:
instance of NTEventLogEventConsumer
{
Name = "SCM Event Log Consumer";
SourceName = "Service Control Manager";
EventType = 1;
Category = 0;
NameOfUserSIDProperty = "sid";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
/////////////////////////////////////////////////////////////////////////////
// SCM Event Log filter
instance of __EventFilter
{
Name = "SCM Event Log Filter";
QueryLanguage = "WQL";
Query = "select * from MSFT_SCMEventLogEvent";
EventNamespace = "root\\cimv2";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
/////////////////////////////////////////////////////////////////////////////
// SCM Event Log filter-to-consumer binding
instance of __FilterToConsumerBinding
{
Consumer = "NTEventLogEventConsumer.Name=\"SCM Event Log Consumer\"";
Filter = "__EventFilter.Name=\"SCM Event Log Filter\"";
CreatorSid = {1,1,0,0,0,0,0,5,18,0,0,0};
};
3- Log on as the (local) Administrator of the machine.
4- Run the AT command to create a SYSTEM command prompt: at <time> /interactive cmd.exe
5- Once the command prompt opens up, change directory to c:\windows\system32\wbem
6- Run the following command to re-compile the new scm.mof file: mofcomp scm.mof
7- Once finished, reboot the server.
August 16th, 2012 11:43am
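The fix above works because every permanent WMI event subscription (filter, consumer and binding) carries a CreatorSid, and the byte array {1,1,0,0,0,0,0,5,18,0,0,0} is the binary form of S-1-5-18, LocalSystem: revision 1, one sub-authority, identifier authority 5, sub-authority 18 in little-endian. A subscription whose CreatorSid still points at a departed admin's account keeps trying to act as that account, which is what produces the 532/4769 failures in this thread. The PowerShell below is an added example, not part of the thread or of Microsoft's instructions; it inventories the subscriptions in root\subscription and root\cimv2 (the namespaces assumed to hold them on the reader's build), decodes each CreatorSid to a SID and account name, and flags anything not owned by a well-known service SID so the owner can be checked before re-compiling the MOF. It assumes local admin rights on the server being checked and Windows PowerShell 2.0 or later with Get-WmiObject.

```powershell
# Added example (not from the thread): list permanent WMI event subscriptions
# and decode who created them, so stale-owner subscriptions can be found.

function Convert-CreatorSid {
    # CreatorSid is a binary SID: revision, sub-authority count, 6-byte identifier
    # authority, then 32-bit little-endian sub-authorities.
    # {1,1,0,0,0,0,0,5,18,0,0,0} from the post therefore decodes to S-1-5-18 (LocalSystem).
    param([byte[]]$Bytes)
    if (-not $Bytes -or $Bytes.Length -lt 8) { return $null }
    $sid = New-Object System.Security.Principal.SecurityIdentifier($Bytes, 0)
    $account = '<unresolved>'   # deleted accounts and foreign SIDs end up here
    try { $account = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch {}
    New-Object PSObject -Property @{ Sid = $sid.Value; Account = $account }
}

function Get-WmiSubscriptionCreator {
    # Enumerates filters, consumers (all subclasses of __EventConsumer) and bindings
    # in the given namespaces and reports the decoded creator of each instance.
    param([string[]]$Namespace = @('root\subscription', 'root\cimv2'))
    $wellKnown = @('S-1-5-18', 'S-1-5-19', 'S-1-5-20')   # LocalSystem, LocalService, NetworkService
    foreach ($ns in $Namespace) {
        foreach ($class in '__EventFilter', '__EventConsumer', '__FilterToConsumerBinding') {
            $instances = Get-WmiObject -Namespace $ns -Class $class -ErrorAction SilentlyContinue
            foreach ($i in $instances) {
                $creator = Convert-CreatorSid -Bytes $i.CreatorSid
                $name = $i.__RELPATH           # bindings have no Name, so fall back to the path
                if ($i.Name) { $name = $i.Name }
                $sidText = '<none>'
                $acct = '<none>'
                $review = $true
                if ($creator) {
                    $sidText = $creator.Sid
                    $acct = $creator.Account
                    $review = -not ($wellKnown -contains $creator.Sid)
                }
                New-Object PSObject -Property @{
                    Namespace  = $ns
                    Class      = $i.__CLASS
                    Name       = $name
                    CreatorSid = $sidText
                    Account    = $acct
                    Review     = $review   # $true: owned by a user or unresolved SID, check it
                }
            }
        }
    }
}

# Decode the literal from the post to confirm what the MOF edit sets.
Convert-CreatorSid -Bytes ([byte[]](1,1,0,0,0,0,0,5,18,0,0,0)) | Format-List

# Inventory the live subscriptions; rows with Review = True are the ones to check.
Get-WmiSubscriptionCreator |
    Sort-Object Review -Descending |
    Format-Table Namespace, Class, Name, CreatorSid, Account, Review -AutoSize
```

After the MOF is re-compiled and the server rebooted, the "SCM Event Log Consumer", "SCM Event Log Filter" and their binding should show CreatorSid S-1-5-18 with Review = False. Any other row whose creator is a named user, or does not resolve at all, deserves the same treatment: either re-create it under a service identity or remove it, since WMI subscriptions survive reboots and outlive the account that made them.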