MSExchangeSA locking domain administrator account

Asked By boxer
20-Oct-08 07:44 AM
Dear all,

I discovered that MsExchangeSa (mad.exe) for some reason tries to
authenticate as domain\administrator, and the effect is that our domain admin is
constantly locked.

In security log I have event id 529: (repeatedly 2 times every 5 Minutes)

Logon Failure:
Reason:  Unknown user name or bad password
User Name: Administrator
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4248

PID 4248 belongs to mad.exe

I suppose that it tries to authenticate with bad password.

Currently we have this Exchange Server 2003 with SP2 on a DC, which I know
is not a recommended configuration, but because of some other things I am not
able to remove it at the moment.

Please help me how to solve this issue.


Asked By
20-Oct-08 08:25 AM
Do you have any other software installed on your Exchange server? Maybe
something like shareware or freeware.

M.


Asked By Bharat Suneja [MSFT]
20-Oct-08 08:29 AM
Is the service configured to log on using the administrator account?
Exchange 2003 does not require a service account - it uses LocalSystem by
default.

Exchange Server 2003  -->  Understanding Windows Services Architecture
http://technet.microsoft.com/en-us/library/aa998749(EXCHG.65).aspx
--
Bharat Suneja
Microsoft Corporation
blog: exchangepedia.com/blog

This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.
------------------------------------------


Asked By boxer
20-Oct-08 08:50 AM
Hi Bharat,

(MAD.EXE) Microsoft Exchange System Attendant service is using Logon as
Local system account

Regards

Boxer
Asked By Rich Matheisen [MVP]
20-Oct-08 07:16 PM
So change it to use "Local System account". There is no good reason why
it should be using some other account.
---
Rich Matheisen
MCSE+I, Exchange MVP
Asked By boxer
21-Oct-08 02:53 AM
Hi  Rich,

but it is under "Local System account"

So it is not problem in this

Regards
Asked By Rich Matheisen [MVP]
21-Oct-08 09:47 PM
A logon type of "7" is someone, or something, unlocking the console
after it's been locked by a screensaver.

Not sure why mad.exe would be doing that unless there's something
really wrong. Malware? Virus? Rootkit?
---
Rich Matheisen
MCSE+I, Exchange MVP
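
An added example, not written by any poster in this thread: a Python pass over exported event 529 descriptions that groups failures by user, caller process and logon type and reports the ones that recur at a fixed interval, which is the pattern described above (two failures every five minutes from one PID). The function names and the timestamps are assumptions made for the example; the field values follow the event quoted in the first post, and Caller Logon ID 0x3E7 is the LocalSystem logon session.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):\s*(\S.*?)\s*$")
TEMPLATE = """Logon Failure:
Reason:  Unknown user name or bad password
User Name: {user}
Logon Type: {ltype}
Logon Process: Advapi
Authentication Package: Negotiate
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: {pid}"""
# Constructed sample: timestamps, "jdoe" and PID 612 are invented for the example.
SAMPLE = [(f"2008-10-20 07:{m:02d}:{s:02d}",
           TEMPLATE.format(user="Administrator", ltype=7, pid=4248))
          for m in (0, 5, 10) for s in (1, 2)]
SAMPLE.append(("2008-10-20 07:03:40", TEMPLATE.format(user="jdoe", ltype=3, pid=612)))

def parse_529(description):
    """Parse the 'Name: value' lines of one event 529 description into a dict."""
    return {m.group(1): m.group(2)
            for m in map(FIELD.match, description.splitlines()) if m}

def find_periodic_failures(events, burst_gap=10, jitter=15):
    """events: (timestamp, description) pairs. Returns one finding per
    (user, caller PID, logon type) whose failures repeat at a steady period."""
    groups = defaultdict(list)
    for stamp, text in events:
        f = parse_529(text)
        key = (f["User Name"], int(f["Caller Process ID"]), int(f["Logon Type"]),
               int(f["Caller Logon ID"].strip("()").split(",")[1], 16) == 0x3E7)
        groups[key].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    findings = []
    for (user, pid, ltype, system), stamps in groups.items():
        stamps.sort()
        bursts = [[stamps[0]]]  # failures only seconds apart count as one burst
        for s in stamps[1:]:
            if (s - bursts[-1][-1]).total_seconds() <= burst_gap:
                bursts[-1].append(s)
            else:
                bursts.append([s])
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(bursts, bursts[1:])]
        if len(gaps) >= 2 and all(abs(g - median(gaps)) <= jitter for g in gaps):
            findings.append({"user": user, "caller_pid": pid, "period_s": median(gaps),
                             "logon_type": LOGON_TYPES.get(ltype, str(ltype)),
                             "as_local_system": system, "per_burst": max(map(len, bursts))})
    return findings
```

A steady period with a fixed burst size points to a timer inside a service rather than a person retyping a password; the caller PID then has to be mapped to a process while that process is still running.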
Asked By boxer
22-Oct-08 07:55 AM
Look at this (this guy has a similar case)

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23741341.html

Exchange 2003 AD problem, MAD.exe, after changing admin passwords
Asked by UrsX in Exchange Email Server
Tags: Microsoft, Exchange, 2003 SP2
Hi everyone,
ever since we changed admin passwords (domain users administrator and
exchange admin), we have "strange" behaviour of Exchange. To be precise, it
is since the system-restart after changing the passwords. The problem may
also just be related to something else which took effect after the restart,
but I don't think so.
This is what we've got: every 5 Minutes 2 unsuccessful user logons (Security
event 529) by the domain administrator, Advapi, process 2560. 2560 stands
for MAD.exe.

_______________________________________________________

That's what I am talking about.
There are no viruses or similar threats, we have Sophos antivirus installed
and updated.

Regards
Asked By Rich Matheisen [MVP]
22-Oct-08 08:21 AM
Okay -- so what was their fix for this?
---
Rich Matheisen
MCSE+I, Exchange MVP
Asked By boxer
23-Oct-08 10:58 AM
I cannot see the solution because it is not free. You must pay some
dollars, entering a credit card number etc. I do not want to do that because
I do not pay with my credit card over the Internet ...

There is Free trial but you must enter credit card number... (silly them)

Regards