Solved

Failure Audit Event 529 filling security log files on client computers.

Posted on 2010-11-12
Last Modified: 2013-12-04
We changed the administrator password two months ago on an SBS Server 2003 with about 30-40 clients running XP. A few of the clients' security log files have filled up, and without administrator rights they can't log in without first logging in as administrator and changing the log to overwrite as needed. The logs continue to fill but that fixes the lockout issue. Here is an example of one of the log entries. Computers affected by this can log this 10 times or more in a second or two.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            11/12/2010
Time:            11:25:23 AM
User:            NT AUTHORITY\SYSTEM
Computer:      ACI316
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ACI
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      CSCPC

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Question by:aspenlife
4 Comments
 

Accepted Solution

by:
arnold earned 500 total points
ID: 34124436
This may mean that there is a service on those workstations that is running with login credentials of ACI\Administrator.

Use the services.msc as Administrator and then you can connect to the other systems.

And check whether there is a service that uses ACI\Administrator for the login account. Update the password or, better still, determine what access type this service needs and create a special domain user account with the correct rights/privileges such that its use will be limited as the login account for this service and such that future password changes to the domain Administrator account will not have the same issues.
 
The same is true for eventvwr.
Which is how you can make the adjustments so that the log file does not fill up.

Author Comment

by:aspenlife
ID: 34124751
Arnold, thank you for the fast response. Let me add something that I've just discovered that may narrow it down a bit. Two of the stations that have filled up reference a different workstation than the computer where the event is logged. In the example above the logs on computer ACI316 reference the workstation CSCPC which is a different station on the network. Like I said two XP systems in the network reference this CSCPC in their logs. I'm trying to gain access to that system now but would that point to something, perhaps malware, virus, etc. on the CSCPC? I also read that this log can be caused by a non PRO OS inside a domain not having the correct login information for a mapped drive as they can't join the domain. Any ideas on that? The password has been changed and this could be still trying to connect to a mapped drive with the old credentials.

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 34125750
Yes, it points to a share that the other workstation has established using the administrator, i.e. an admin share \\workstation\c$.

On the workstation on which these errors occur, you can go through the computer management interface\system tools\shares\sessions and disconnect the session from the remote system that uses the administrator account; it will be reflected as idle for a long time. This portion of computer management can also be accessed remotely.

A non pro system would/might have had the admin set up a net use X: \\system\share /user:aic\administrator password /persistent:yes.

Once the password for the domain admin changes, the access to this resource will no longer be valid and will generate failure events on \\server.

This can also be an issue if there is a login script that has this type of information.

Author Comment

by:aspenlife
ID: 34125784
I'll double check the login scripts as well but I think you nailed the issue. Thank you for the help!
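
Added example (not part of the original thread): a short Python script that tallies Event 529 entries by the workstation the failed logon came from, which is how the thread traced the failures on ACI316 back to CSCPC. It assumes the entries were exported as text in the layout quoted in the question; the sample input is constructed, and the `jsmith` entry is made up for contrast.

```python
import re
from collections import Counter

# Constructed sample in the layout of the entry quoted in the question.
ENTRY = """Event Type:      Failure Audit
Event ID:      529
Computer:      {computer}
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      {user}
       Domain:            ACI
       Logon Type:      {ltype}
       Workstation Name:      {ws}
"""
SAMPLE = "\n".join([
    ENTRY.format(computer="ACI316", user="Administrator", ltype=3, ws="CSCPC"),
    ENTRY.format(computer="ACI316", user="Administrator", ltype=3, ws="CSCPC"),
    ENTRY.format(computer="ACI316", user="jsmith", ltype=2, ws="ACI316"),  # made up
])
FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*?)\s*$")

def parse_entries(text):
    """Split exported Event Viewer text into one dict of fields per entry."""
    entries = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2)
        if key == "Event Type":          # first field of every entry
            entries.append({})
        if entries:
            entries[-1][key] = value
    return entries

def failure_sources(entries):
    """Count Event 529 failures per (origin workstation, account, logon type)."""
    counts = Counter()
    for e in entries:
        if e.get("Event ID") == "529":
            account = e.get("Domain", "?") + "\\" + e.get("User Name", "?")
            counts[(e.get("Workstation Name", "?"), account, e.get("Logon Type", "?"))] += 1
    return counts

def remote_origins(entries):
    """Origin workstations that differ from the computer that logged the event."""
    return sorted({e["Workstation Name"] for e in entries
                   if e.get("Event ID") == "529" and "Workstation Name" in e
                   and e["Workstation Name"].upper() != e.get("Computer", "").upper()})

if __name__ == "__main__":
    for key, n in failure_sources(parse_entries(SAMPLE)).most_common():
        print(n, *key)
    print("remote origins:", remote_origins(parse_entries(SAMPLE)))
```

A high count for one remote workstation with Logon Type 3 and a privileged account is the pattern discussed above: a network logon from another machine that is still presenting old credentials.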