Solved

Failure Audit Event 529 filling security log files on client computers.

Posted on 2010-11-12
4
1,039 Views
Last Modified: 2013-12-04
We changed the administrator password two months ago on a SBSServer 2003 with about 30-40 clients running XP. A few of the clients security log files have filled up and without administrator rights they can't login without first logging in as administrator and changing the log to overwrite as needed. The logs continue to fill but that fixes the lockout issue. Here is an example of one of the log entries. Computers affected by this can log this 10 times or more in a second or two.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            11/12/2010
Time:            11:25:23 AM
User:            NT AUTHORITY\SYSTEM
Computer:      ACI316
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ACI
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      CSCPC

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

0
Comment
Question by:aspenlife
  • 2
  • 2
4 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 500 total points
ID: 34124436
This may mean that there is a service on those workstations that is running with login credentials of ACI\Administrator.

Use the services.msc as Administrator and then you can connect to the other systems.

And check whether there is a service that use ACI\Administrator for the login account.  Update the password or better still determine what access type this service needs and create a special domain user account with the correct rights/privileges such that its use will be limited as the login account for this service and such that future password changes to the domain Administrator account will not have the same issues.
 
The same is true for eventvwr.
Which is how you can make the adjustments so that the log file does not fill up.
0
 

Author Comment

by:aspenlife
ID: 34124751
Arnold, thank you for the fast response. Let me add something that I've just discovered that may narrow it down a bit. Two of the stations that have filled up reference a different workstation than the computer where the event is logged. In the example above the logs on computer ACI316 reference the workstation CSCPC which is a different station on the network. Like I said two XP systems in the network reference this CSCPC in their logs. I'm trying to gain access to that system now but would that point to something, perhaps malware, virus, etc. on the CSCPC? I also read that this log can be caused by a non PRO OS inside a domain not having the correct login information for a mapped drive as they can't join the domain. Any ideas on that? The password has been changed and this could be still trying to connect to a mapped drive with the old credentials.
0
 
LVL 77

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 34125750
yes, it points to a share that the other workstation has established using the administrator i.e. an admin share \\workstation\c$.

You can use the workstation on which these errors are go through the computer management internface\system tools\shares\sessions and disconnect the session from the remote system that uses the administrator account that will be reflected as idle for a long time.  This portion of computer management can also be accessed remotely.

A non pro system would/might have had the admin setup a net use X: \\system\share /user:aic\administrator password /persistent:yes.

once the password for the domain admin change, the access to this resource will no longer be valid and will generate failure events on \\server.

This can also be an issue if there is a login script that has this type of information.
0
 

Author Comment

by:aspenlife
ID: 34125784
I'll double check the login scripts as well but I think you nailed the issue. Thank you for the help!
0

Featured Post

[Webinar] Disaster Recovery and Cloud Management

Learn from Unigma and CloudBerry industry veterans which providers are best for certain use cases and how to lower cloud costs, how to grow your Managed Services practice in IaaS clouds, and how to utilize public cloud for Disaster Recovery

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
Read this checklist to learn more about the 15 things you should never include in an email signature.
In this Micro Video tutorial you will learn the basics about Database Availability Groups and How to configure one using a live Exchange Server Environment. The video tutorial explains the basics of the Exchange server Database Availability grou…
how to add IIS SMTP to handle application/Scanner relays into office 365.

910 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

22 Experts available now in Live!

Get 1:1 Help Now