strange logs in the event viewer

By trackme ·
Hi,
I've got a small network with some 40-odd machines and one DHCP server serving all these clients.
My question is: whenever I look at the Event Viewer security log, it shows me that some logon attempts from client machines have failed. I cleared the security log and I can still see the same from other clients also attempting to log on, and the process failed.
I have given the log file below with names changed for the clients and the server.
---------------------------------------------
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 9/1/2003
Time: 10:37:13 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVER
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Client
Domain: Client2
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: Client2
-----------------
Where SERVER is my server machine, Client2 is the client machine, and the username of this machine is Client.
The same happens from other machines also. I don't know what the meaning of this is and what it is trying to do, and whether it is a problem; if so, what should I do to prevent this?
Waiting for your answers
anantha


All Comments

by CG IT In reply to strange logs in the event ...

Well, I looked at Microsoft Help & Support and they have a couple of articles on Event 529. If the workstation is XP, this seems to be a bug [see article 811082] in the local user account and Microsoft is investigating it. See http://support.microsoft.com/default.aspx?scid=kb;en-us;811082

The other two articles are 150530 & 312827. The first one deals with W95 O/S workstations; the other one deals with custom authentication packages.

by Joseph Moore In reply to strange logs in the event ...

Remember that Services and Scheduled Jobs can run under user account context. And that could be the problem here.
Maybe on CLIENT2, it has a Service that is running under the CLIENT username and password. What happens when you do this is that when the password for CLIENT changes later on, the changed password does NOT replicate to this running Service.
Then when the Service tries to start, it attempts to authenticate the username and password. Since the Service has the old password, the authentication fails.
That is recorded on a domain controller as an Event ID 529 message.

So, check out the CLIENT2 machine for Services and/or Scheduled Jobs. See if any run as CLIENT. If so, then that is your problem.
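
To decide which clients to inspect for Services or Scheduled Jobs as suggested above, the failure audits can be grouped by workstation, account and logon type. The following Python sketch is an added example, not part of the original posts; it assumes the security log has been saved as text in the layout quoted in the question, with records separated by dashed lines, and the sample records are constructed.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*?)\s*$")
SEPARATOR = re.compile(r"^-{5,}\s*$", re.M)

def parse_events(text):
    """Split a text export on dashed separator lines; return one dict per record."""
    events = []
    for chunk in SEPARATOR.split(text):
        fields = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):  # skip bare headers such as "Description:"
                fields[m.group(1)] = m.group(2)
        if fields:
            events.append(fields)
    return events

def repeat_failures(events, threshold=2):
    """Count Event ID 529 failures per (workstation, account, logon type); keep repeats."""
    counts = Counter(
        (e.get("Workstation Name", "?"), e.get("User Name", "?"), e.get("Logon Type", "?"))
        for e in events if e.get("Event ID") == "529"
    )
    return {key: n for key, n in counts.items() if n >= threshold}

# Constructed sample in the layout quoted in the question (placeholder names).
TEMPLATE = """Event Type: Failure Audit
Event ID: 529
Time: {time}
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: {user}
Logon Type: {ltype}
Workstation Name: {ws}
-----------------
"""
SAMPLE = "".join(TEMPLATE.format(time=t, user=u, ltype=l, ws=w) for t, u, l, w in [
    ("10:37:13 AM", "Client", "3", "Client2"),
    ("10:52:13 AM", "Client", "3", "Client2"),
    ("11:07:13 AM", "Client", "3", "Client2"),
    ("11:09:40 AM", "User7", "2", "Client7"),
])

if __name__ == "__main__":
    for (ws, user, ltype), n in repeat_failures(parse_events(SAMPLE)).items():
        print(f"{n} failures: account {user} from {ws}, logon type {ltype}")
```

A workstation and account pair that keeps reappearing with Logon Type 3 is the first place to look for a Service or Scheduled Job still holding an old password.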
