07-01-2014 12:13 PM
We're seeing in the Event log that the ADSCrawler.exe process looks like it's trying to run using an account of a user that has left the company. In AD, the account is disabled. On our Clearwell machine the event shows:
<Begin>----------------------------------------------------------------------------
A logon was attempted using explicit credentials.
Subject:
Security ID: domain\service account
Account Name: Service account
Account Domain: Domain Name
Logon ID: 0x2e0ca
Logon GUID: {GUID}
Account Whose Credentials Were Used:
Account Name: <username of terminated user>
Account Domain:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: <Domain Controller
Additional Information: <Domain Controller>
Process Information:
Process ID: 0xab0
Process Name: PathToADSCrawler\ADSCrawler.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
<End>---------------------------------------------------------------------------
There are no scheduled tasks or batches that I can see that are using this account.
Is there a way to see if the ADSCrawler.exe process is configured to run as a specific account? What invokes this process? The Services MMC does not provide any info.
Thanks
07-01-2014 01:37 PM
Hello,
This may be a scheduled task on Clearwell in the interface. If you log in under and go to System and jobs, then change the filtering to all and the date range, you may see this is scheduled; you can then go ahead and remove it from the Clearwell interface.
Here is some more information on the above: HOWTO93200
At the time of setting up the syncing, it may have been that the user used his/her account. Take a look at the following: HOWTO95201. The information under Active Directory Domain Discovery may be helpful.
Best of luck.
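To see how often, and from which process, a disabled account's credentials are still being presented, the "explicit credentials" events can be exported as text and tallied. The following is an added example, not part of the thread or of Clearwell; the account names, server name and the list of disabled accounts are constructed placeholders, and the input is assumed to use the rendered message layout quoted in the first post.

```python
from collections import Counter

# Constructed sample in the rendered-message layout quoted in the post.
_TEMPLATE = """A logon was attempted using explicit credentials.
Subject:
Account Name: svc_clearwell
Account Whose Credentials Were Used:
Account Name: {account}
Account Domain:
Target Server:
Target Server Name: dc01.example.test
Process Information:
Process Name: {process}
"""
SAMPLE = "".join(_TEMPLATE.format(account=a, process=p) for a, p in [
    ("jdoe", r"PathToADSCrawler\ADSCrawler.exe"),
    ("jdoe", r"PathToADSCrawler\ADSCrawler.exe"),
    ("svc_backup", r"C:\Windows\System32\taskeng.exe"),
])
HEADER = "A logon was attempted using explicit credentials."
SECTIONS = {"Subject", "Account Whose Credentials Were Used", "Target Server",
            "Process Information", "Network Information"}
USED = "Account Whose Credentials Were Used"

def parse_events(text):
    """Return one dict per event, keyed by (section, field)."""
    events, section = [], None
    for line in map(str.strip, text.splitlines()):
        if line == HEADER:
            events.append({})
            section = None
        elif events and ":" in line:
            key, _, value = (part.strip() for part in line.partition(":"))
            if key in SECTIONS and not value:
                section = key  # bare section heading, not an empty field
            else:
                events[-1][(section, key)] = value
    return events

def stale_credential_use(events, disabled_accounts):
    """Count (process image, account) pairs whose explicit credentials are disabled."""
    disabled = {a.lower() for a in disabled_accounts}
    hits = Counter()
    for ev in events:
        account = ev.get((USED, "Account Name"), "")
        image = ev.get(("Process Information", "Process Name"), "").rsplit("\\", 1)[-1]
        if account.lower() in disabled:
            hits[(image, account)] += 1
    return hits
```

Calling `stale_credential_use(parse_events(SAMPLE), ["jdoe"])` reports two uses by `ADSCrawler.exe`; a non-empty result means some stored configuration still holds that account's credentials and should be updated to a current service account.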