Solved

Failure Audit Event 529 filling security log files on client computers.

Posted on 2010-11-12
Last Modified: 2013-12-04
We changed the administrator password two months ago on an SBS Server 2003 with about 30-40 clients running XP. A few of the clients' security log files have filled up, and without administrator rights they can't log in without first logging in as administrator and changing the log to overwrite as needed. The logs continue to fill but that fixes the lockout issue. Here is an example of one of the log entries. Computers affected by this can log this 10 times or more in a second or two.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            11/12/2010
Time:            11:25:23 AM
User:            NT AUTHORITY\SYSTEM
Computer:      ACI316
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ACI
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      CSCPC

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Question by:aspenlife

Accepted Solution

by:
arnold earned 500 total points
ID: 34124436
This may mean that there is a service on those workstations that is running with login credentials of ACI\Administrator.

Use the services.msc as Administrator and then you can connect to the other systems.

And check whether there is a service that uses ACI\Administrator for the login account. Update the password or, better still, determine what access type this service needs and create a special domain user account with the correct rights/privileges, such that its use will be limited as the login account for this service and such that future password changes to the domain Administrator account will not have the same issues.

The same is true for eventvwr, which is how you can make the adjustments so that the log file does not fill up.
0
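One way to run the service check described in this answer across several workstations at once, as an added example that is not part of the original answer. It assumes Windows PowerShell with remote WMI access and admin rights on the clients; the function name `Find-ServiceLogonAccount` is hypothetical and the computer names are the ones mentioned in the thread.

```powershell
# Added example: list services whose logon account is the domain Administrator.
# Assumes Windows PowerShell (Get-WmiObject) and admin rights on the targets.
function Find-ServiceLogonAccount {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [string]$Domain  = 'ACI',             # domain shown in the logged event
        [string]$Account = 'Administrator'
    )
    # A service logon account may be stored as DOMAIN\user or user@domain.
    $pattern = '^(' + [regex]::Escape("$Domain\$Account") + '|' +
               [regex]::Escape($Account) + '@' + [regex]::Escape($Domain) + '(\..+)?)$'

    foreach ($computer in $ComputerName) {
        try {
            $services = Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop
        } catch {
            # Report unreachable machines instead of silently skipping them.
            Write-Warning "$computer : $($_.Exception.Message)"
            continue
        }
        $services |
            Where-Object { $_.StartName -match $pattern } |
            Select-Object @{ n = 'Computer'; e = { $computer } },
                          Name, DisplayName, StartName, StartMode, State
    }
}

# Computer names taken from the thread; replace with your own list.
Find-ServiceLogonAccount -ComputerName 'ACI316', 'CSCPC' | Format-Table -AutoSize
```

Any service it lists will keep presenting the old password until its logon account is updated or replaced with a dedicated service account.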
 

Author Comment

by:aspenlife
ID: 34124751
Arnold, thank you for the fast response. Let me add something that I've just discovered that may narrow it down a bit. Two of the stations that have filled up reference a different workstation than the computer where the event is logged. In the example above, the logs on computer ACI316 reference the workstation CSCPC, which is a different station on the network. Like I said, two XP systems in the network reference this CSCPC in their logs. I'm trying to gain access to that system now, but would that point to something, perhaps malware, virus, etc. on the CSCPC? I also read that this log can be caused by a non PRO OS inside a domain not having the correct login information for a mapped drive, as they can't join the domain. Any ideas on that? The password has been changed and this could be still trying to connect to a mapped drive with the old credentials.
0
 

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 34125750
Yes, it points to a share that the other workstation has established using the administrator, i.e. an admin share \\workstation\c$.

On the workstation on which these errors are, you can go through the Computer Management interface\System Tools\shares\sessions and disconnect the session from the remote system that uses the administrator account that will be reflected as idle for a long time.  This portion of Computer Management can also be accessed remotely.

A non-Pro system would/might have had the admin set up a net use X: \\system\share /user:aic\administrator password /persistent:yes.

Once the password for the domain admin changes, the access to this resource will no longer be valid and will generate failure events on \\server.

This can also be an issue if there is a login script that has this type of information.
0
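To see which machine is actually sending the stale credentials, the Event 529 descriptions can be tallied by their Workstation Name field. This is an added example, not part of the original answer; the function name `Get-FailedLogonSource` is hypothetical and the sample entries are constructed in the format shown in the question.

```powershell
# Added example: summarise Event 529 failures by the machine that sent the logon.
function Get-FailedLogonSource {
    param([Parameter(ValueFromPipeline = $true)]$Entry)
    process {
        # Pull "Label: value" fields out of the event description text.
        $field = @{}
        foreach ($m in [regex]::Matches($Entry.Message, '(?m)^\s*([^:\r\n]+):[ \t]*(.*?)\s*$')) {
            $field[$m.Groups[1].Value.Trim()] = $m.Groups[2].Value
        }
        if (-not $field.ContainsKey('Workstation Name')) { return }
        $logger = ($Entry.MachineName -split '\.')[0]    # drop any DNS suffix
        New-Object PSObject -Property @{
            LoggedOn  = $logger                          # computer holding the log
            Source    = $field['Workstation Name']       # computer that sent the logon
            Account   = $field['Domain'] + '\' + $field['User Name']
            LogonType = $field['Logon Type']
            Remote    = ($field['Workstation Name'] -ne $logger)
        }
    }
}

# Constructed sample entries (MachineName + Message, like Get-EventLog output).
$template = @'
Logon Failure:
    Reason:            Unknown user name or bad password
    User Name:         Administrator
    Domain:            ACI
    Logon Type:        3
    Logon Process:     NtLmSsp
    Workstation Name:  {0}
'@
$pairs  = @(@('ACI316', 'CSCPC'), @('ACI316', 'CSCPC'), @('ACI316', 'ACI316'))
$sample = foreach ($p in $pairs) {
    New-Object PSObject -Property @{ MachineName = $p[0]; Message = ($template -f $p[1]) }
}

# Most frequent source first; Remote = True means another machine sent the logon.
$sample | Get-FailedLogonSource |
    Group-Object Source, Account, LoggedOn, Remote |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Against a live client, pipe `Get-EventLog -LogName Security -ComputerName ACI316 | Where-Object { $_.EventID -eq 529 }` into the function instead of `$sample`.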
 

Author Comment

by:aspenlife
ID: 34125784
I'll double check the login scripts as well but I think you nailed the issue. Thank you for the help!
0
