shilpaa

Mar 30, 2012
Hello,

We are trying to find out how an account got locked on one of our servers. This is what we are finding in event viewer:

Logon Failure:
Reason: Unknown user name or bad password
User Name: scoreadm
Domain: REH-AS-025
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: REH-AS-025
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 172.20.10.138
Source Port: 0

Can somebody please explain what each term means - like Logon Type, Domain, Logon Process etc?

Thanks
 
Well, domain is the domain the user is trying to log on to, which looks to be the local computer unless you are using that name for the domain also.

Logon Type is explained as
Logon Type 3 – Network

Windows logs logon type 3 in most cases when you access a computer from elsewhere on the network. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. But other over-the-network logons are classed as logon type 3 as well such as most logons to IIS. (The exception is basic authentication which is explained in Logon Type 8 below.)

From the Logon Type I'm guessing that the user has a saved password in her account profile, the network password changed, and each time the user uses that resource with the saved password, it locks out the account. Rename the user's local profile, have them try again.
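
A way to triage events like the one posted above (an added example, not part of the original thread): it parses exported event text in that field layout and counts failures per user, source address and logon type, which points at the machine that keeps sending the bad password. The sample records are constructed from the post's values plus one invented second source (192.0.2.10), and the function names are hypothetical.

```python
from collections import Counter

# Standard Windows logon type codes (the thread covers type 3 and mentions type 8).
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
    8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive",
    11: "CachedInteractive",
}

# Constructed sample in the layout shown in the post; the second source is invented.
_TEMPLATE = """Logon Failure:
Reason: Unknown user name or bad password
User Name: scoreadm
Domain: REH-AS-025
Logon Type: {ltype}
Workstation Name: REH-AS-025
Source Network Address: {addr}
Source Port: 0
"""
SAMPLE = "".join(
    _TEMPLATE.format(ltype=t, addr=a)
    for t, a in [(3, "172.20.10.138"), (3, "172.20.10.138"), (10, "192.0.2.10")]
)

def parse_events(text):
    """Return one dict of field -> value per 'Logon Failure:' record."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Logon Failure"):
            events.append({})          # header line starts a new record
        elif events and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            events[-1][key.strip()] = value.strip()
    return events

def summarize(events):
    """Count failures per (user, source address, logon type name)."""
    counts = Counter()
    for e in events:
        code = e.get("Logon Type", "")
        name = LOGON_TYPES.get(int(code), "Unknown") if code.isdigit() else "Unknown"
        counts[(e.get("User Name"), e.get("Source Network Address"), name)] += 1
    return counts

if __name__ == "__main__":
    for (user, addr, ltype), n in summarize(parse_events(SAMPLE)).most_common():
        print(f"{n:3d}  {user}  from {addr}  ({ltype})")
```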