# Audit Failure - Server



## IT-Barry (Sep 6, 2010)

> An account failed to log on.
> 
> Subject:
> Security ID: NULL SID
> ...





> Provider
> 
> [ Name] Microsoft-Windows-Security-Auditing
> [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
> ...


Theres multiple processes using 696, my query is how do you check into threadids?

These errors happen on the hour every hour multiple times.
Happens 8 in a row on the same time 16:00:01
Then it happens for 4 attempts 16:01:02 

This is reoccuring every hour.
Recently made changes to the admin password, I have checked all services but have been unable to find anything.

I have no idea why the accountname @ is being used also.


----------



## Wand3r3r (Sep 17, 2010)

google is your friend and your main way of trouble shooting errors.

nul sid means the user account wasn't found in the system 
someone tried to logon from Workstation Name: RHS-EX01 around 4pm

what is RHS-EX01? who is on that workstation?

If it wasn't someone trying to logon to the network from that station is could be an account being used as a service on that machine that no longer exists in the domain.


----------



## IT-Barry (Sep 6, 2010)

RHS-EX01 is the exchange server which is a virtual 2008 r2 server, no one uses it bar us, and we arent logging into it every hour and the networks tied down so no external rdp can get to it.

Why would the accountname say "@"? we've never had an account with the login of @

Or is @ the way of saying the account no longer exists?

I will double check the services on both servers.


----------



## Dave Atkin (Sep 4, 2009)

Hi Barry,

I don't know if this will help you at all:
Windows Security Log Event ID 4625

It gives some more information on the error. I imagine the '@' is because its not giving a username or password. Has it always done this or just started doing it?


Dave


----------

