We're seeing in the Event log that the ADSCrawler.exe process looks like it's trying to run using an account of a user that has left the company. In AD, the account is disabled. On our Clearwell machine the event shows:
<Begin>----------------------------------------------------------------------------
A logon was attempted using explicit credentials.
Subject:
Security ID: domain\service account
Account Name: Service account
Account Domain: Domain Name
Logon ID: 0x2e0ca
Logon GUID: {GUID}
Account Whose Credentials Were Used:
Account Name: <username of terminated user>
Account Domain:
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: <Domain Controller>
Additional Information: <Domain Controller>
Process Information:
Process ID: 0xab0
Process Name: PathToADSCrawler\ADSCrawler.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
<End>---------------------------------------------------------------------------
There are no scheduled tasks or batches that I can see that are using this account.
Is there a way to see if the ADSCrawler.exe process is configured to run as a specific account? What invokes this process? The Services MMC does not provide any info.
Thanks
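
An added example, not part of the original post and not Clearwell's code: a parser for event text in the layout shown above that reports which process and which logged-on account presented the credentials of a disabled account. The sample event, the function names and the disabled-account list are constructed for illustration; the list is assumed to come from an AD export.

```python
# Section headings of the event text; any other "Key:" line is a field,
# even with an empty value (see "Account Domain:" in the post).
SECTIONS = {"Subject", "Account Whose Credentials Were Used", "Target Server",
            "Process Information", "Network Information"}

# Constructed sample in the post's layout; all values here are made up.
SAMPLE_EVENT = """\
A logon was attempted using explicit credentials.
Subject:
Security ID: EXAMPLE\\svc_app
Account Name: svc_app
Account Domain: EXAMPLE
Logon ID: 0x2e0ca
Account Whose Credentials Were Used:
Account Name: jdoe
Account Domain:
Target Server:
Target Server Name: dc01.example.test
Process Information:
Process ID: 0xab0
Process Name: C:\\App\\ADSCrawler.exe
Network Information:
Network Address: -
Port: -
"""

def parse_event(text):
    """Return {section: {field: value}} for one event message."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith(":") and line[:-1] in SECTIONS:
            current = sections.setdefault(line[:-1], {})
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return sections

def stale_credential_use(text, disabled_accounts):
    """Report the event if the credentials used belong to a disabled account."""
    ev = parse_event(text)
    used = ev.get("Account Whose Credentials Were Used", {}).get("Account Name", "")
    if used.lower() not in {a.lower() for a in disabled_accounts}:
        return None
    return {"credentials_used": used,
            "running_as": ev.get("Subject", {}).get("Account Name", ""),
            "process": ev.get("Process Information", {}).get("Process Name", "")}

if __name__ == "__main__":
    # Assumption: the disabled-account list comes from an AD export.
    print(stale_credential_use(SAMPLE_EVENT, {"jdoe"}))
```

The `running_as` and `process` fields in the result identify the logon session and executable that supplied the stale credentials, which is where to look for a stored account setting.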