Netwrix Auditor for Logon Activity may report a large number of failed logons from a single workstation or server.
Usually, this happens because the problematic account's credentials were saved somewhere on the target machine and became outdated. If a user’s password was changed but not updated in a system or application that uses it, that system or application keeps trying the stored outdated credentials and generates a large number of failed logons.
Log in to the originating machine and check the following for outdated credentials:
- Windows Credential Manager – may store outdated credentials.
- Windows Task Scheduler – there could be a task configured to run using the problematic account.
- Application or service – there could be a service that is trying to start or a tool/application that is trying to run using outdated credentials.
- Terminal Server session – there could be an open session with outdated credentials.
- AD Federation Services – replication issues – a new password was not replicated to ADFS.
- DCOM objects – sometimes a computer requires a restart after a user password change so that the setting is applied to DCOM objects that use these credentials.
Enter valid account credentials.
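The locally checkable items in the list above can be inventoried in one pass. The following PowerShell script is an added example, not part of the original article or of Netwrix Auditor; the account name `jdoe` is a placeholder, and AD FS replication is not covered because it cannot be verified from the originating machine.

```powershell
# Added example: read-only inventory; run elevated on the originating machine.
param([string]$SamAccountName = 'jdoe')   # placeholder account name

# Matches DOMAIN\jdoe, .\jdoe, jdoe@domain and bare jdoe, but not jdoe2.
$pattern = '(^|\\)' + [regex]::Escape($SamAccountName) + '(@|$)'

function New-Finding($Source, $Item, $Identity) {
    [pscustomobject]@{ Source = $Source; Item = $Item; Identity = $Identity }
}

$findings = @(
    # Scheduled tasks configured to run as the account
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match $pattern } |
        ForEach-Object { New-Finding 'Scheduled task' ($_.TaskPath + $_.TaskName) $_.Principal.UserId }

    # Services whose logon account is the account
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object { New-Finding 'Service' $_.Name $_.StartName }

    # DCOM applications with a configured RunAs identity
    Get-CimInstance Win32_DCOMApplicationSetting |
        Where-Object { $_.RunAsUser -match $pattern } |
        ForEach-Object { New-Finding 'DCOM application' $_.AppID $_.RunAsUser }
)
$findings | Format-Table -AutoSize

# Terminal Server / RDP sessions (quser writes an error when there are none)
quser 2>$null | Select-String -SimpleMatch $SamAccountName

# Credential Manager entries of the user running this script only; repeat
# in each interactive user's own session to cover their vaults.
cmdkey /list | Select-String -SimpleMatch $SamAccountName -Context 2,0
```

Every row in the output is a place where the stored password must be updated or the entry removed.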