User laptop reports too many event 529 when using laptop

I have a user that everytime they are on their laptop from home and while they are using it I get hit with many Event ID 529 on my logs.
This is what my SBS Report looks like:

Source Event ID Last Occurrence Total Occurrences
  Security 529 12/13/2011 9:40 PM 63 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: LAPTOP-NAME$
  Domain: DomainNameRemovedByMe
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: LAPTOP-NAME
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 11.1.1.44
  Source Port: 52935
 
That is the info I get on my report via email from SBS 2003.
When I look in the event viewer in my SBS, I see each individual entry seconds apart starting from 8:32:35PM Failure Audit to 9:40:27PM on the date of 12/13/2011, that is when the user is using their laptop.  Why are there so many entries during that time while the user is on the laptop?  Can they be under attack?  Or is there a glitch on their system?  They do tell me that sometimes they enter an incorrect password.  But I had other users whom incorrectly enetered their password and all I get is on entry on the log file and only one occurence in my SBS reprt via email.
Please advise.
That users computer is Windows 7 and my server is SBS 2003.
j_ramesesInfo Sys MngrAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Arman KhodabandeIT Manager and ConsultantCommented:
Hi
Logon Type (3) shows that this event is not from a local logon and is from Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon.
There is a case that may be similar to yours and is caused when a computer is having problems to connect with Active Directory or because support uses the local Administrator to patch systems or perform other kind of maintenance.
Or
If you have AD and every time a "not valid user" tries to access Internet it causes access denied because this user is not a valid domain user.

And see 11.1.1.44  represents what computer in the network.
0
j_ramesesInfo Sys MngrAuthor Commented:
kpax77,

Are you saying that the user of the laptop may be trying to use the administrator account instead of their own?  This laptop belongs to the owner of the company.  The owner told me that sometimes they enter the password incorrectly because they are entering it quickly.  But my concern is why so many entries in the log file and the SBS report?  I know they are not enetering it incorrectly 63+ times within seconds and through their use of the laptop.  Those 63+ entries are happening within a 3-hour time frame while they are using the laptop.  I had other users entered their password incorrectly and all I get is a hit of one on the SBS report and the log file.

What can be happening?
0
j_ramesesInfo Sys MngrAuthor Commented:
I just got this morning's SBS Report, 135 hits:

Source Event ID Last Occurrence Total Occurrences
  Security 529 12/14/2011 10:56 PM 135 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: LAPTOP-NAME$
  Domain: BDRN
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: LAPTOP_NAME
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 11.1.1.44
  Source Port: 58551
 
Something must be going on?
0
Acronis True Image 2019 just released!

Create a reliable backup. Make sure you always have dependable copies of your data so you can restore your entire system or individual files.

Arman KhodabandeIT Manager and ConsultantCommented:
1. What does this IP address represent on your network? :  11.1.1.44
2. Does this computer share something with other computers which may not have the correct access permissions?
(Logon comes from outside of computer)
Most likely it's not an attack and comes from another computer which is trying to access some data on your laptop.
0
j_ramesesInfo Sys MngrAuthor Commented:
kpax77,

IP address is not from our network.
Maybe its a VPN IP address?
How can I find out ?
0
j_ramesesInfo Sys MngrAuthor Commented:
kpax77, No that laptop does not share its resources with any other computer/laptop.
0
Arman KhodabandeIT Manager and ConsultantCommented:
1.IP tracing result: http://en.utrace.de/ip-address/11.1.1.44
Is it familiar with you?

2. Go to my computer and click Network on the bottom left hand side, To see your computer name and if something is shared or not. Network
0
j_ramesesInfo Sys MngrAuthor Commented:
I did #2, and it only displays their laptop.

#1, do I do that from their laptop or server?
0
Arman KhodabandeIT Manager and ConsultantCommented:
That Ip shows that computer which is trying to access your computer is from        DoD Network Information Center      Region: Columbus (US)
Are you in the same region or you're getting some kind of service from this center? (It wants to access your computer)

About #2 did you click on the plus Icon to show what is shared or not?
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Arman KhodabandeIT Manager and ConsultantCommented:
There's only me answering the question . . .

Kpax7
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
SBS

From novice to tech pro — start learning today.