Windows 2003 Security Log – Event ID 672
15.05.2009
Event ID 672 / Result Code 0x12 = Check user log on times in Active Directory
Almost had a slight panic at work today when I noticed some strange entries on the security logs on a domain controller. My first thought was someone trying to hack a user account outside of normal working hours. The security logs were showing multiple incorrect login entries for the same user hundreds of times a minute starting at 20:00 in the evening and eventually filling the whole log file by 22:00.
The log contained an event ID number 672. After ruling out a virus (ruling out = hoping it wasn’t) or a hacker attempt, it finally clicked that it may have something to do with logon time restrictions. A quick look in Active Directory and it was confirmed that the user was not permitted to log on between 22:00 and 07:00 (this was not a default policy for our users on the domain).
Log Entry:
Authentication Ticket Request:
User Name: joe.bloggs
Supplied Realm Name: yourdomain.nnn.com
User ID: -
Service Name: krbtgt/yourdomain.nnn.com
Service ID: -
Ticket Options: 0x40810010
Result Code: 0x12
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 10.0.0.1
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
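A triage sketch for this kind of flood, added here as an example and not part of the original post: it parses event 672 descriptions like the one above, counts failures per user, client and result code per minute, and attaches the RFC 4120 meaning of the code so that 0x12 points straight at account state and logon hours. The timestamps, the threshold of 100 per minute and the second user are assumptions made up for the sample.

```python
import re
from collections import Counter

# Kerberos error numbers (RFC 4120) as they appear in the Result Code field.
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN: user name not found",
    0x12: "KDC_ERR_CLIENT_REVOKED: account disabled, expired, locked out or outside logon hours",
    0x17: "KDC_ERR_KEY_EXPIRED: password expired",
    0x18: "KDC_ERR_PREAUTH_FAILED: wrong password",
}
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z -]*?):[ \t]*(.*?)[ \t]*$", re.M)

def parse_672(description):
    """Split one event 672 description into a dict of its 'Name: value' lines."""
    fields = dict(FIELD.findall(description))
    # Web pages often render the x of 0x12 as a multiplication sign; undo that.
    raw = fields.get("Result Code", "").replace("\u00d7", "x").lower()
    fields["Result Code"] = int(raw, 16) if raw.startswith("0x") else None
    return fields

def triage(events, threshold=100):
    """events: (timestamp 'YYYY-MM-DD HH:MM:SS', description) pairs.
    Returns one finding per user/client/code whose busiest minute reaches threshold."""
    per_minute = Counter()
    for stamp, text in events:
        f = parse_672(text)
        if f["Result Code"]:                      # None or 0 means no failure
            key = (f.get("User Name", "?"), f.get("Client Address", "?"), f["Result Code"])
            per_minute[key + (stamp[:16],)] += 1  # bucket by minute
    peak = {}
    for (*key, _minute), n in per_minute.items():
        peak[tuple(key)] = max(n, peak.get(tuple(key), 0))
    return [
        {"user": u, "client": c, "code": hex(rc), "peak_per_minute": n,
         "meaning": KRB_ERRORS.get(rc, "see RFC 4120 error table")}
        for (u, c, rc), n in sorted(peak.items()) if n >= threshold
    ]

# Constructed sample: the entry from the post, repeated 150 times in one minute,
# plus a single wrong-password failure for a made-up second user.
ENTRY = """Authentication Ticket Request:
User Name: joe.bloggs
Service Name: krbtgt/yourdomain.nnn.com
Ticket Options: 0\u00d740810010
Result Code: 0\u00d712
Client Address: 10.0.0.1
Certificate Issuer Name:"""
SAMPLE = [("2009-05-14 20:00:%02d" % (i % 60), ENTRY) for i in range(150)]
SAMPLE.append(("2009-05-14 20:00:30",
               ENTRY.replace("joe.bloggs", "jane.doe").replace("0\u00d712", "0x18")))
```

Calling triage(SAMPLE) returns a single finding for joe.bloggs from 10.0.0.1 with code 0x12; the lone 0x18 failure stays below the threshold.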