A while back I began having problems with an administrative account in W2k3 that I used for things like running backups. I ended up having to delete the user and reset all the services that used the account. At least i thought I did….
Looking at my security events Im noticing failed logon events about once an hour referencing the deleted account. THeres actually about 40 failed logons logged every hour. The 40 events all have the same timestamp to the second. The events consist of event id 529, then 680, then 672 twice. This series repeats 4 times per hour. hope that makes sense.
So I guess basically my question is how can I find out whats trying to use the deleted account? I dont get any clues from the events, unless Im missing something? Any help or ideas would be appreciated…
