Solved

Failure Audit Event 529 filling security log files on client computers.

Posted on 2010-11-12
Last Modified: 2013-12-04
We changed the administrator password two months ago on an SBS Server 2003 with about 30-40 clients running XP. A few of the clients' security log files have filled up, and without administrator rights they can't log in without first logging in as administrator and changing the log to overwrite as needed. The logs continue to fill, but that fixes the lockout issue. Here is an example of one of the log entries. Computers affected by this can log this 10 times or more in a second or two.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            11/12/2010
Time:            11:25:23 AM
User:            NT AUTHORITY\SYSTEM
Computer:      ACI316
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ACI
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      CSCPC

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

0
Question by:aspenlife
LVL 79

Accepted Solution

by:
arnold earned 500 total points
ID: 34124436
This may mean that there is a service on those workstations that is running with login credentials of ACI\Administrator.

Use the services.msc as Administrator and then you can connect to the other systems.

And check whether there is a service that uses ACI\Administrator for the login account. Update the password or, better still, determine what access type this service needs and create a special domain user account with the correct rights/privileges, such that its use will be limited as the login account for this service and such that future password changes to the domain Administrator account will not have the same issues.

The same is true for eventvwr, which is how you can make the adjustments so that the log file does not fill up.
0
 

Author Comment

by:aspenlife
ID: 34124751
Arnold, thank you for the fast response. Let me add something that I've just discovered that may narrow it down a bit. Two of the stations that have filled up reference a different workstation than the computer where the event is logged. In the example above, the logs on computer ACI316 reference the workstation CSCPC, which is a different station on the network. Like I said, two XP systems in the network reference this CSCPC in their logs. I'm trying to gain access to that system now, but would that point to something, perhaps malware, virus, etc. on the CSCPC? I also read that this log can be caused by a non-Pro OS inside a domain not having the correct login information for a mapped drive, as they can't join the domain. Any ideas on that? The password has been changed and this could be still trying to connect to a mapped drive with the old credentials.
0
 
LVL 79

Assisted Solution

by:arnold
arnold earned 500 total points
ID: 34125750
Yes, it points to a share that the other workstation has established using the administrator, i.e. an admin share \\workstation\c$.

On the workstation on which these errors are logged, you can go through the Computer Management interface\System Tools\Shares\Sessions and disconnect the session from the remote system that uses the administrator account that will be reflected as idle for a long time. This portion of Computer Management can also be accessed remotely.

A non-Pro system would/might have had the admin set up a net use X: \\system\share /user:ACI\administrator password /persistent:yes.

Once the password for the domain admin changes, the access to this resource will no longer be valid and will generate failure events on \\server.

This can also be an issue if there is a login script that has this type of information.
0
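A triage sketch for the pattern discussed in this thread, as an added example that is not part of the original posts: it parses Event 529 entries from an Event Viewer text export and counts them by logging computer, account, source workstation and logon type, so one machine holding a stale credential stands out. The sample data is constructed, the host ACI201 is made up, and the function names are this example's own.

```python
import re
from collections import Counter

# Constructed sample in the layout of the entry in the question (ACI201 is a made-up host).
TEMPLATE = """Event Type:      Failure Audit
Event ID:      529
Computer:      {computer}
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      Administrator
       Domain:            ACI
       Logon Type:      {ltype}
       Workstation Name:      {ws}
"""
ROWS = [("ACI316", "CSCPC", "3")] * 3 + [("ACI201", "CSCPC", "3")] * 2 + [("ACI201", "ACI201", "2")]
SAMPLE = "\n".join(TEMPLATE.format(computer=c, ws=w, ltype=t) for c, w, t in ROWS)

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")  # "Name:   value" lines only

def parse_events(text):
    """Split an Event Viewer text export into one dict of fields per event."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Event Type":  # first field of each record in this layout
            events.append({})
        if events:
            events[-1][key] = value
    return events

def failure_sources(events):
    """Count Event 529 entries per (logging computer, account, source workstation, logon type)."""
    counts = Counter()
    for e in events:
        if e.get("Event ID") != "529":
            continue
        account = e.get("Domain", "?") + "\\" + e.get("User Name", "?")
        key = (e.get("Computer", "?"), account, e.get("Workstation Name", "?"), e.get("Logon Type", "?"))
        counts[key] += 1
    return counts.most_common()

def remote_sources(events):
    """Source workstations named in failures that were logged on a different computer."""
    return sorted({ws for (comp, _, ws, _), _ in failure_sources(events) if ws.upper() != comp.upper()})

if __name__ == "__main__":
    for key, n in failure_sources(parse_events(SAMPLE)):
        print(n, *key)
    print("remote sources:", remote_sources(parse_events(SAMPLE)))
```

A workstation returned by `remote_sources` is the place to look for a service, persistent `net use` mapping or login script still holding the old password.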
 

Author Comment

by:aspenlife
ID: 34125784
I'll double check the login scripts as well but I think you nailed the issue. Thank you for the help!
0
