There were password errors using the Credential Manager. To remedy launch the Stored User Names and Passwords control panel applet and reenter the password for the credential <username>.
Concepts to understand: What is Kerberos?
In my case, Windows XP SP2 was getting application event IDs 4226, 40961, 40960 for one end user only. The user was able to log on to the domain but the domain account would then get locked out right away. The user was also unable to map drives and access domain resources once the account was unlocked. The user stated this all happened when it was time for him to change his domain password. (Windows 2003 Domain) The user's domain account was not a privileged account on the workstation.
Based on info in this link and others, we checked the "User Accounts" in Control Panel and found one entry for his domain account. We removed the entry and rebooted with no luck. We removed the workstation from the domain and re-joined but still, no results. Added the end user to the local Administrators group, rebooted and logged back in to the domain. Went back to "User Accounts" in Control Panel and there was another entry for his domain account. Highlighted his account name and then clicked on the Advanced tab and then clicked on "Manage Passwords" and found all kinds of line entries for server paths and such. Removed them all and then removed his account name. Rebooted the workstation and he was able to log in to the domain and access domain resources once again.
The key was adding the user's domain account to the local administrators group to see the remaining entry for his "Manage Passwords" entries.
Microsoft has several good articles on how to manage stored user names and passwords depending on whether or not your system is part of a domain. For WinXP systems bound to a domain, see ME306992. For WinXP systems not part of a domain, see ME306541.
See the link to "How to launch Stored User Names and Passwords applet" for a command used to launch Stored User Names and Passwords applet.
Rob's comments about client credentials disappearing were very helpful in pointing me in the right direction to solve this issue. Instead of deleting and re-adding the computer & account, etc. from the domain, I just temporarily gave the client administrative privileges and I was able to find the stored user name info when I logged in as the user (it did not show up when I was logged in any other way, even with admin privileges). Once I found and deleted the stored credentials, I removed admin privileges and was able to log in normally without the authentication problems.
A user suddenly could not connect to shared/mapped drives on the DC although he could log onto the DC with no problem, and could access shares on the NT4 member servers. The DC was also the Exchange server (SBS2k). The user was prompted to fill in user details every time he opened Outlook. On the server, EventID 675 from source Security started to show up. On the PC, EventID 1030 from source Userenv, EventID 1006 from source Userenv and EventID 40961 from source LsaSrv appeared. The user could log into other PCs fine and other users could be added to the problem PC and access drives fine. I thought this was because of stored password credentials; however, there was nothing listed under “Manage Passwords” (see EventID 1006 from source Userenv, comments by Tristen and Sean). Then, I removed the PC from the domain, deleted the account and cleared the DNS/DHCP entries. I rejoined the domain and this event appeared in the log. Looked back in “Manage Passwords” and there were passwords present now. I deleted those and the problem was resolved.
Links: ME306541, ME306992, EventID 675 from source Security, EventID 1030 from source Userenv, EventID 1006 from source Userenv, EventID 40961 from source LsaSrv, How to launch Stored User Names and Passwords applet