Dear all,

I discovered that MsExchangeSa (mad.exe) for some reason tries to
authenticate as domain\administrator and effect is that our domain admin is
constantly locked.

In security log I have event id 529: (repeatedly 2 times every 5 Minutes)

Logon Failure:
Reason:  Unknown user name or bad password
User Name: Administrator
Logon Type: 7
Logon Process: Advapi
Authentication Package: Negotiate
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 4248

PID 4248 belogs to mad.exe

I suppose that it tries to authenticate with bad password.

Currently we have this Exchange server 2003 with sp2 on DC which I know that
is not recommended configuration but because of some other things I am not
able to remove it at the moment.

Please help me how to solve this issue.

Do you have any other software installed on your exchange server? may be
something like a shareware or a freeware.

M.

Is the service configured to log on using the administrator account?
Exchange 2003 does not require a service account - it uses LocalSystem by
default.

Exchange Server 2003  -->  Understanding Windows Services Architecture
http://technet.microsoft.com/en-us/library/aa998749(EXCHG.65).aspx
--
Bharat Suneja
Microsoft Corporation
blog: exchangepedia.com/blog

This posting is provided "AS IS" with no warranties, and confers no
rights. Please do not send email directly to this alias. This alias is for
newsgroup purposes only.
------------------------------------------

Hi Barat,

(MAD.EXE) Microsoft Exchange System Attendant service is using Logon as
Local system account

Regards

Boxer

So change it to use "Local System account". There is no good reason why
it should be using some other account.
---
Rich Matheisen
MCSE+I, Exchange MVP

Hi  Rich,

but it is under "Local System account"

So it is not problem in this

Regards

A logon type of "7" is someone, or something, unlocking the console
after it's been locked by a screensaver.

Not sure why mad.exe would be doing that unless there's something
really wrong. Malware? Virus? Rootkit?
---
Rich Matheisen
MCSE+I, Exchange MVP

Look this (this guy has similiar case)

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_23741341.html

Exchange 2003 AD problem, MAD.exe, after changing admin passwords
Asked by UrsX in Exchange Email Server
Tags: Microsoft, Exchange, 2003 SP2
Hi everyone,
ever since we changed admin passwords (domain users administrator and
exchange admin), we have "strange" behaviour of Exchange. To be precise, it
is since the system-restart after changing the passwords. The problem may
also just be related to something else which took effect after the restart,
but I don't think so.
This is what we've got: every 5 Minutes 2 unsuccessful user logons (Security
event 529) by the domain administrator, Advapi, process 2560. 2560 stands
for MAD.exe.

_______________________________________________________

That's what I am talking about
There is no viruses or similiar threats, we have Sophos antivirus installed
and updated.

Regards

Okay -- so what was their fix for this?
---
Rich Matheisen
MCSE+I, Exchange MVP

I can not see the solution because it is not free. You must pay some
dollars, entering credit card number etc . I do not wont to do that because
I do not pay with my credit card over the Internet ...

There is Free trial but you must enter credit card number... (silly them)

Regards