Caller Machine Name: blank

[ashpp]

Hi,

I have set auditing on the DCs, and most events are logged fine. However, some audit event 644s are coming back with a blank caller machine name.
e.g.

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 01/09/2008
Time: 3:27:31 PM
User: NT AUTHORITY\SYSTEM
Computer: VMKDC1
Description:
User Account Locked Out:
Target Account Name: ASHPP
Target Account ID: %{S-1-5-21-xxxxxxxxx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxx)
Caller Machine Name:
Caller User Name: VMKDC1$
Caller Domain: PROD
Caller Logon ID: (0x0,0x3E7)

Does anybody know what kind of resolution Windows is using to work out the Caller Machine Name?

Thanks, Ash.

 

[PScottC]

When I see this behavior the caller is typically the local machine. Since this isn't coming from the network, the name is blank.

Which makes sense for this event: User lockout
[URL unfurl="true"]http://technet.microsoft.com/en-us/library/cc737542.aspx[/url]



PSC

Governments and corporations need people like you and me. We are samurai. The keyboard cowboys. And all those other people out there who have no idea what's going on are the cattle. Mooo! --Mr. The Plague, from the movie "Hackers