Thanks, but no jobs owned by 'NT AUTHORITY\SYSTEM' just 'NT SERVICE\SQLSERVERAGENT' owned ones.
I did a SQL Profiler trace (Audit) and see a lot of these kind of queries, issued by NT AUTHORITY\SYSTEM via the Windows script Host, going on at the time of the login failures:
SELECT
d.name
, d.database_id
, CASE WHEN d.replica_id IS NULL THEN 0 ELSE 1 END AS is_replica
, ar.secondary_role_allow_connections
FROM sys.databases d
JOIN sys.availability_replicas ar on d.replica_id = ar.replica_id
JOIN sys.servers s ON s.name = ar.replica_server_name AND s.server_id = 0 /*local server*/
WHERE d.database_id = 18
What is this?
High Availability? We got it disabled...
Replication? We got it disabled...
Hmm.