    strange logs in the event viewer

    by trackme ·

    Hi,
    I've got a small network with some 40-odd machines and one DHCP server serving all these clients.
    My question is: whenever I look at the Event Viewer security log, it shows me that some logon attempts from client machines have failed. I cleared the security log and I can still see the same from other clients also attempting to log on, and the process failed.
    I have given the log file below with names changed for the clients and the server.
    ———————————————
    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 9/1/2003
    Time: 10:37:13 AM
    User: NT AUTHORITY\SYSTEM
    Computer: SERVER
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Client
    Domain: Client2
    Logon Type: 3
    Logon Process: NtLmSsp
    Authentication Package: NTLM
    Workstation Name: Client2
    —————–
    Where SERVER is my server machine, Client2 is the client machine, and the username of this machine is Client.
    The same happens from other machines also. I don't know what the meaning of this is, what it is trying to do, and whether it is a problem; if so, what should I do to prevent this?
    Waiting for your answers,
    anantha

All Comments

    • #2746624

      by cg it ·

      Well, I looked at Microsoft Help & Support and they have a couple of articles on Event 529. If the workstation is XP, this seems to be a bug [see article 811082] in the local user account, and Microsoft is investigating it. See http://support.microsoft.com/default.aspx?scid=kb;en-us;811082

      The other two articles are 150530 & 312827. The first one deals with W95 O/S workstations; the other one deals with custom authentication packages.

    • #2746594

      by joseph moore ·

      Remember that Services and Scheduled Jobs can run under user account context. And that could be the problem here.
      Maybe on CLIENT2, it has a Service that is running under the CLIENT username and password. What happens when you do this is that when the password for CLIENT changes later on, the changed password does NOT replicate to this running Service.
      Then when the Service tries to start, it attempts to authenticate the username and password. Since the Service has the old password, the authentication fails.
      That is recorded on a domain controller as an Event ID 529 message.

      So, check out the CLIENT2 machine for Services and/or Scheduled Jobs. See if any run as CLIENT. If so, then that is your problem.
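
An added example, not part of the thread or any poster's code: a Python sketch that tallies Event ID 529 records exported as text in the layout quoted in the question, and lists the workstations whose failures carry a Domain equal to the workstation name, that is, a local account presented over the network (Logon Type 3), as in the quoted record. The sample records, the EXAMPLEDOM and Client9 names, and all function names are constructed for illustration.

```python
import re
from collections import Counter

LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service"}

# Constructed sample in the layout of the record quoted in the question.
# All names and times are made up for illustration; this is not real log data.
_TEMPLATE = ("Event Type: {0}\nEvent ID: {1}\nTime: {2}\nDescription:\n"
             "Logon Failure:\nUser Name: {3}\nDomain: {4}\nLogon Type: 3\n"
             "Workstation Name: {5}\n-----\n")
SAMPLE = "".join(_TEMPLATE.format(*row) for row in [
    ("Failure Audit", "529", "10:37:13 AM", "Client", "Client2", "Client2"),
    ("Failure Audit", "529", "10:52:13 AM", "Client", "Client2", "Client2"),
    ("Failure Audit", "529", "10:40:02 AM", "user9", "EXAMPLEDOM", "Client9"),
    ("Success Audit", "528", "10:41:00 AM", "user9", "EXAMPLEDOM", "Client9"),
])

def parse_records(text):
    """Split exported Security log text into one dict of fields per event."""
    records = []
    for chunk in re.split(r"(?m)^\s*Event Type:", text)[1:]:
        lines = chunk.splitlines() or [""]
        rec = {"Event Type": lines[0].strip()}
        for line in lines[1:]:
            key, sep, value = line.strip().partition(":")
            if sep and value.strip():  # skips "Description:" and separator lines
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def summarize_529(text):
    """Count Event ID 529 failures per (workstation, domain, user, logon type)."""
    counts = Counter()
    for rec in parse_records(text):
        if rec.get("Event ID") == "529":
            counts[(rec.get("Workstation Name", "?"), rec.get("Domain", "?"),
                    rec.get("User Name", "?"), int(rec.get("Logon Type", 0)))] += 1
    return counts

def local_account_sources(counts):
    """Workstations presenting a local account: Domain equals workstation name."""
    return sorted({ws for ws, dom, _user, _type in counts if ws.lower() == dom.lower()})

if __name__ == "__main__":
    tally = summarize_529(SAMPLE)
    for (ws, dom, user, ltype), n in tally.most_common():
        print(f"{n:3d}  {ws}  {dom}\\{user}  type {ltype} ({LOGON_TYPES.get(ltype, 'other')})")
    print("local-account sources:", local_account_sources(tally))
```

A workstation returned by `local_account_sources` is the one to inspect for services or scheduled jobs running under that local account.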
