I have a file server running MS Windows Storage Server 2008 R2. In reviewing the log files I found that the computer account was being denied access, to what I was unsure. While investigating this I found a posting about how to track down the actual process that triggers the authentication request. Using Process Monitor I was able to determine that the access denied is coming from searchindexer.exe when trying to access "\\FQDN\PIPE\srvsvc". Stopping Windows Search stops the event log entries, but leaves the file server in a semi-functional state because users can no longer use Windows Search on their redirected "My Documents" folder. I'm not sure if this is a configuration problem with Windows Search or a local GPO.
Any advice would be appreciated.
This is the recurring event viewer entry:
An account failed to log on.

Subject:
    Security ID:                NULL SID
    Account Name:               -
    Account Domain:             -
    Logon ID:                   0x0

Logon Type:                     3

Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:               BRUT$
    Account Domain:             AGSMAD

Failure Information:
    Failure Reason:             An Error occured during Logon.
    Status:                     0xc000006d
    Sub Status:                 0x0

Process Information:
    Caller Process ID:          0x0
    Caller Process Name:        -

Network Information:
    Workstation Name:           BRUT
    Source Network Address:     138.23.197.71
    Source Port:                51900

Detailed Authentication Information:
    Logon Process:
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0
Here is a screenshot of the Process Monitor.
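A triage helper for entries like the one above, added here as an example and not part of the original post: it parses the event text section by section (Account Name appears under two different sections) and flags the pattern in this entry, a computer account failing an NTLM network logon that names its own host as the workstation. The function names and the trimmed sample text are constructed for illustration.

```python
import re

# Constructed sample: fields from the event in the post, in Event Viewer's
# layout (section headers flush left, fields indented). Trimmed for brevity.
SAMPLE_4625 = """\
Subject:
    Account Name:       -
Logon Type:             3
Account For Which Logon Failed:
    Account Name:       BRUT$
    Account Domain:     AGSMAD
Failure Information:
    Status:             0xc000006d
    Sub Status:         0x0
Network Information:
    Workstation Name:   BRUT
    Source Network Address: 138.23.197.71
Detailed Authentication Information:
    Logon Process:
    Authentication Package: NTLM
"""

FIELD = re.compile(r"^(\s*)([^:]+):\s*(.*)$")

def parse_event(text):
    """Return {section: {field: value}}; unsectioned fields go under ''."""
    event, section = {"": {}}, ""
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        indent, key, value = m.group(1), m.group(2).strip(), m.group(3).strip()
        if not indent and not value:   # flush-left label, no value: section header
            section = key
            event[section] = {}
        elif not indent:               # flush-left label with a value (Logon Type)
            event[""][key] = value
        else:                          # indented field, may be empty (Logon Process)
            event[section][key] = value
    return event

def is_self_machine_ntlm_failure(event):
    """True when a computer account fails an NTLM network logon from its own host."""
    target = event["Account For Which Logon Failed"]["Account Name"]
    return (target.endswith("$")
            and target[:-1].lower() == event["Network Information"]["Workstation Name"].lower()
            and event[""]["Logon Type"] == "3"
            and event["Detailed Authentication Information"]["Authentication Package"] == "NTLM")
```

Run over exported 4625 entries, this separates the host-talking-to-itself failures from failed logons that arrive from other machines or user accounts.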