
Service Account Locked Out Immediately At Start

DSC20281 Date Filed: 1/25/2006

Question or Problem

When I start the Event Archiver/Event Alarm/Event Analyst Service, the account assigned to the service is locked out immediately, and log management operations cannot take place. Furthermore, a 680 Account Logon Failure event is recorded in the Security Event Log on my Domain Controller. I have verified that the account password is correct, and that the account has the "Logon as a Service" right. What's happening?

Answer or Workaround

The Event Archiver/Event Alarm/Event Analyst Service account can be locked out if the LAN Manager Authentication Level Security Option is not set to the same value in all Group Policy Objects in your domain. For instance, the GPO controlling Domain Controllers may have a LAN Manager Authentication Level of *Send NTLMv2 Response Only - Refuse LM and NTLM* while the GPO controlling Domain Member Servers has a LAN Manager Authentication Level of *Send LM and NTLM responses*. Mismatched LAN Manager authentication levels can cause logon failures, leading to service account logon failures and lockouts. Standardize these authentication levels across organizational units to fix the issue.
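
To confirm the mismatch described above, the following PowerShell script (an added example, not part of the original article or the vendor's tooling) reads the effective `LmCompatibilityLevel` registry value that this Security Option controls from a Domain Controller and from the member servers hosting the service, then flags combinations the Domain Controller will refuse. The host names are placeholders, and the script assumes administrative rights and a reachable Remote Registry service on each target.

```powershell
# Added example. Host names are placeholders; requires admin rights and the
# Remote Registry service on each target.
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM - use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only. Refuse LM'
    5 = 'Send NTLMv2 response only. Refuse LM & NTLM'
}

function Get-LmCompatibilityLevel {
    param([Parameter(Mandatory)][string]$ComputerName)
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $key = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
        # $null means the value is absent and the OS default applies.
        return $key.GetValue('LmCompatibilityLevel', $null)
    } finally {
        $base.Close()
    }
}

function Test-LmLevelMismatch {
    param([int]$DcLevel, [hashtable]$MemberLevels)
    foreach ($name in ($MemberLevels.Keys | Sort-Object)) {
        $level = $MemberLevels[$name]
        if ($null -eq $level) {
            $setting = '(not set)'; $status = 'CHECK: OS default applies'
        } else {
            $setting = $LmLevelNames[[int]$level]
            # A level-5 DC accepts only NTLMv2; levels 0-2 never send it.
            if ($DcLevel -eq 5 -and $level -lt 3) { $status = 'FAIL: DC will refuse this logon' }
            elseif ($level -ne $DcLevel) { $status = 'DIFFERS from DC' }
            else { $status = 'OK' }
        }
        [pscustomobject]@{ Computer = $name; Level = $level; Setting = $setting; Status = $status }
    }
}

$dc      = 'DC01'                      # placeholder Domain Controller
$members = 'APPSRV01', 'APPSRV02'      # placeholder member servers running the service
$dcLevel = Get-LmCompatibilityLevel -ComputerName $dc
if ($null -eq $dcLevel) { throw "LmCompatibilityLevel is not set on $dc; check the OS default." }
$levels = @{}
foreach ($m in $members) { $levels[$m] = Get-LmCompatibilityLevel -ComputerName $m }
Test-LmLevelMismatch -DcLevel $dcLevel -MemberLevels $levels | Format-Table -AutoSize
```

A row marked `FAIL` corresponds to the case in the article: the member server sends only LM/NTLM responses to a Domain Controller that accepts NTLMv2 only.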
