Failed login user Admin

  • I am currently doing server-side auditing for failed logins on two of our SQL 2000 servers that have SOX-audited databases. I create and review a report daily that shows any failed logins. My question is that in the reports I see failed logins for login name 'Admin'. I am not sure where these are coming from, and tried to trace it back to the hostname. The only information I have found so far is that one user connects to a database on the server using an MS Access front end with a SQL Server login. On a day that his hostname showed up in the report with a failed login attempt by user 'Admin', he said that he couldn't remember getting a failed login and definitely never tries to log in with 'Admin', so why is this showing up on the report? We do have the Builtin/Administrator group with sysadmin privileges on the server. I am looking at removing that, but in the meantime could that be part of the answer?

  • Michelle

    If the login name is just Admin and not DomainName\Admin then that suggests it's a SQL login, so I'd say it won't be anything to do with BUILTIN\Administrators, which is a Windows login.  Is it possible that a service or application connects using the Admin login?

    John

  • John,

    Thanks for the reply. There is no Admin SQL Server login, so that is why I thought it may have something to do with the Builtin\Administrators account. Below is an example of what is in the report. I have tried to trace it back to hostname, but have only been able to contact one individual so far and he connects using an MS Access front end and a valid SQL Server login. A lot of the applications that have databases on the server use Citrix. Could Citrix default to login Admin? I'm really at a loss as to where this is coming from.

    Login Name  Application          Login Time  HostName      Spid  Process ID
    Admin       Microsoft Office XP  08:18:35    KYLSEWKS0667  67    1128
    Admin       Microsoft Office XP  12:38:08    KYLSEWKS0002  58    14284
    Admin       Microsoft Office XP  14:21:37    KYLSEWKS0005  54    296
    Admin       Microsoft Office XP  17:24:31    KYLSEWKS0002  53    12872

  • Is it possible that these machines are not on the same domain as the SQL Server, or not on a domain at all? Having only a login name makes me think of a standalone computer that tries to connect.

    Cheers,

    Zubeyir

  • The machines are not in the same domain as the SQL Server. The hostnames are client machines, at least for the one that I was able to contact. The user said that he accesses a database on the SQL Server instance through a Citrix icon that uses the MS Access application. The other weird thing is that he does not have the Microsoft XP OS, so I'm not sure why that shows as the application name, unless that is from the Citrix server.

  • Now things are clearer. The user uses a Citrix application, so the machine name that comes to the SQL Server is the Citrix server; therefore the login name is the user named "Admin". The application (not OS) name is "Microsoft Office XP" since the user uses MS Access over Citrix.

    Hope that helps, and I'm not mistaken

    Zubeyir

  • Zubeyir,

    Thank you for responding, but I'm not sure I understand your explanation. The hostname for the user I was able to contact was his actual client machine, not the Citrix server, and there is no Admin SQL Server login on the server. So, where is that coming from unless he specifically tries to log in with 'Admin', which he says he didn't do?

    Thanks,

    Michelle

  • I believe this is actually the default user 'Admin' for MS Access attempting to authenticate to SQL prior to using the connect string attributes. Provided it only shows up when using a pass-through query in Access.

  • How could I test that? I tried already by trying to connect through MS Access with a blank login/password thinking maybe it defaulted to 'Admin', but it showed up on the report as failed with a null login name. It did not try to connect with 'Admin'.

  • Try setting up a DSN using Windows authentication and have someone who cannot log in to the database with Windows authentication use the DSN.

  • The default login of Admin is something that comes from Access. I'd take a close look at all Access front-end applications that you have. My guess is that you have an Access application that was 'upsized' to SQL Server and someone just missed the default code.

    Regards
    Rudy Komacsar
    Senior Database Administrator
    "Ave Caesar! - Morituri te salutamus."
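
A triage query for the kind of failed-login report discussed in this thread, added here as an example and not posted by any participant. It assumes the failed logins are captured by a server-side trace written to a file (the path is a placeholder) and separates attempts for login names that do not exist on the server, such as 'Admin' here, from failures against real logins.

```sql
-- Added example, written for SQL Server 2000 (no CTEs, ::fn_ call syntax).
-- Assumption: failed logins are captured by a server-side trace to a file;
-- '<path-to-trace-file>.trc' is a placeholder, not a path from the thread.

-- 1. Pull only "Audit Login Failed" events (EventClass 20) out of the trace.
SELECT  LoginName, ApplicationName, HostName, ClientProcessID, StartTime
INTO    #FailedLogins
FROM    ::fn_trace_gettable('<path-to-trace-file>.trc', DEFAULT)
WHERE   EventClass = 20;

-- 2. Group by source and classify each login name against the logins
--    that actually exist on the server (master.dbo.syslogins).
SELECT  f.LoginName,
        f.ApplicationName,
        f.HostName,
        COUNT(*)         AS FailedAttempts,
        MIN(f.StartTime) AS FirstSeen,
        MAX(f.StartTime) AS LastSeen,
        CASE
            WHEN f.LoginName IS NULL OR f.LoginName = ''
                THEN 'no login name supplied'
            WHEN l.name IS NULL
                THEN 'login does not exist on this server'
            ELSE 'login exists on this server'
        END              AS Triage
FROM    #FailedLogins AS f
LEFT JOIN master.dbo.syslogins AS l
        ON l.name = f.LoginName
GROUP BY f.LoginName, f.ApplicationName, f.HostName, l.name
ORDER BY FailedAttempts DESC;

DROP TABLE #FailedLogins;
```

Rows classified as "login does not exist on this server" that repeat from the same application name across several hosts point to a client default rather than a person typing a name.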
