Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Failure Audit Event 529 filling security log files on client computers.

Posted on 2010-11-12
4
Medium Priority
?
1,068 Views
Last Modified: 2013-12-04
We changed the administrator password two months ago on a SBSServer 2003 with about 30-40 clients running XP. A few of the clients security log files have filled up and without administrator rights they can't login without first logging in as administrator and changing the log to overwrite as needed. The logs continue to fill but that fixes the lockout issue. Here is an example of one of the log entries. Computers affected by this can log this 10 times or more in a second or two.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            11/12/2010
Time:            11:25:23 AM
User:            NT AUTHORITY\SYSTEM
Computer:      ACI316
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ACI
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      CSCPC

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

0
Comment
Question by:aspenlife
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 79

Accepted Solution

by:
arnold earned 2000 total points
ID: 34124436
This may mean that there is a service on those workstations that is running with login credentials of ACI\Administrator.

Use the services.msc as Administrator and then you can connect to the other systems.

And check whether there is a service that use ACI\Administrator for the login account.  Update the password or better still determine what access type this service needs and create a special domain user account with the correct rights/privileges such that its use will be limited as the login account for this service and such that future password changes to the domain Administrator account will not have the same issues.
 
The same is true for eventvwr.
Which is how you can make the adjustments so that the log file does not fill up.
0
 

Author Comment

by:aspenlife
ID: 34124751
Arnold, thank you for the fast response. Let me add something that I've just discovered that may narrow it down a bit. Two of the stations that have filled up reference a different workstation than the computer where the event is logged. In the example above the logs on computer ACI316 reference the workstation CSCPC which is a different station on the network. Like I said two XP systems in the network reference this CSCPC in their logs. I'm trying to gain access to that system now but would that point to something, perhaps malware, virus, etc. on the CSCPC? I also read that this log can be caused by a non PRO OS inside a domain not having the correct login information for a mapped drive as they can't join the domain. Any ideas on that? The password has been changed and this could be still trying to connect to a mapped drive with the old credentials.
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 2000 total points
ID: 34125750
yes, it points to a share that the other workstation has established using the administrator i.e. an admin share \\workstation\c$.

You can use the workstation on which these errors are go through the computer management internface\system tools\shares\sessions and disconnect the session from the remote system that uses the administrator account that will be reflected as idle for a long time.  This portion of computer management can also be accessed remotely.

A non pro system would/might have had the admin setup a net use X: \\system\share /user:aic\administrator password /persistent:yes.

once the password for the domain admin change, the access to this resource will no longer be valid and will generate failure events on \\server.

This can also be an issue if there is a login script that has this type of information.
0
 

Author Comment

by:aspenlife
ID: 34125784
I'll double check the login scripts as well but I think you nailed the issue. Thank you for the help!
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In-place Upgrading Dirsync to Azure AD Connect
I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question