
ADSCrawler.exe process invoked by terminated user

206Ray
Level 2

We're seeing in the Event log that the ADSCrawler.exe process looks like it's trying to run using an account of a user that has left the company. In AD, the account is disabled. On our Clearwell machine the event shows:

<Begin>----------------------------------------------------------------------------

A logon was attempted using explicit credentials.

Subject:

Security ID: domain\service account

Account Name: Service account

Account Domain: Domain Name

Logon ID: 0x2e0ca

Logon GUID: {GUID}

Account Whose Credentials Were Used:

Account Name: <username of terminated user>

Account Domain:

Logon GUID: {00000000-0000-0000-0000-000000000000}

Target Server:

Target Server Name: <Domain Controller>

Additional Information: <Domain Controller>

Process Information:

Process ID: 0xab0

Process Name: PathToADSCrawler\ADSCrawler.exe

Network Information:

Network Address: -

Port: -

This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.

<End>---------------------------------------------------------------------------

There are no scheduled tasks or batches that I can see that are using this account.

Is there a way to see if the ADSCrawler.exe process is configured to run as a specific account? What invokes this process? The Services MMC does not provide any info.

Thanks


Daly
Level 5
Partner Employee Accredited Certified

Hello,

This may be a scheduled task on Clearwell in the interface. If you log in under and go to System and jobs, then change the filtering to all and the date range, you may see this is scheduled; you can then go ahead and remove it from the Clearwell interface.

Here is some more information on the above: HOWTO93200

At the time of setting up the syncing, it may have been that the user used his/her account - take a look at the following HOWTO95201 - information under Active Directory Domain Discovery may be helpful.

Best of luck.
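The event quoted in the question ("A logon was attempted using explicit credentials") is Security log Event ID 4648. As an added example, not part of the original thread and not Clearwell code, the PowerShell below summarises such events by calling account, supplied account and target server, so an administrator can see how often ADSCrawler.exe presents a disabled user's credentials. The sample XML, the account names, the path and the `ConvertFrom-ExplicitLogonXml` helper name are constructed for illustration.

```powershell
# Added example (not vendor code): summarise Event ID 4648 records by the
# calling account, the account whose credentials were supplied, and the target.
function ConvertFrom-ExplicitLogonXml {
    param([Parameter(Mandatory)][string]$EventXml)
    $doc = [xml]$EventXml
    $f = @{}
    # Each <Data Name="..."> element of EventData becomes one hashtable entry.
    foreach ($d in $doc.Event.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
    [pscustomobject]@{
        TimeCreated  = $doc.Event.System.TimeCreated.GetAttribute('SystemTime')
        Caller       = '{0}\{1}' -f $f['SubjectDomainName'], $f['SubjectUserName']
        UsedAccount  = $f['TargetUserName']      # "Account Whose Credentials Were Used"
        TargetServer = $f['TargetServerName']
        ProcessName  = $f['ProcessName']
    }
}

# Constructed sample event (placeholder values) so the script runs offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4648</EventID><TimeCreated SystemTime="2024-01-01T00:00:00Z" /></System>
  <EventData>
    <Data Name="SubjectUserName">svc-example</Data>
    <Data Name="SubjectDomainName">EXAMPLE</Data>
    <Data Name="TargetUserName">former.user</Data>
    <Data Name="TargetServerName">dc01.example.test</Data>
    <Data Name="ProcessName">C:\Example\ADSCrawler.exe</Data>
  </EventData>
</Event>
'@

# Constructed list; in practice fill it from AD, for example with
# Get-ADUser -Filter 'Enabled -eq $false' (ActiveDirectory module).
$disabled = @('former.user')

$events = @(ConvertFrom-ExplicitLogonXml -EventXml $sample)
# To read the live Security log instead of the sample (requires read access):
# $events = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4648} |
#     ForEach-Object { ConvertFrom-ExplicitLogonXml -EventXml $_.ToXml() }

# Keep only ADSCrawler.exe events that used a disabled account, then count them.
$events |
    Where-Object { $_.ProcessName -like '*\ADSCrawler.exe' -and $disabled -contains $_.UsedAccount } |
    Group-Object Caller, UsedAccount, TargetServer |
    Select-Object Count, Name
```

A count that keeps rising after the Clearwell job has been removed or re-credentialed means the disabled account is still stored somewhere else.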