j_rameses

User laptop reports too many event 529 when using laptop

I have a user that every time they are on their laptop from home and while they are using it I get hit with many Event ID 529 on my logs.
This is what my SBS Report looks like:

Source Event ID Last Occurrence Total Occurrences
  Security 529 12/13/2011 9:40 PM 63 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: LAPTOP-NAME$
  Domain: DomainNameRemovedByMe
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: LAPTOP-NAME
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 11.1.1.44
  Source Port: 52935
 
That is the info I get on my report via email from SBS 2003.
When I look in the event viewer in my SBS, I see each individual entry seconds apart starting from 8:32:35PM Failure Audit to 9:40:27PM on the date of 12/13/2011, that is when the user is using their laptop.  Why are there so many entries during that time while the user is on the laptop?  Can they be under attack?  Or is there a glitch on their system?  They do tell me that sometimes they enter an incorrect password.  But I had other users who incorrectly entered their password and all I get is one entry in the log file and only one occurrence in my SBS report via email.
Please advise.
That user's computer is Windows 7 and my server is SBS 2003.
Arman Khodabande

Hi
Logon Type (3) shows that this event is not from a local logon and is from Network (i.e. connection to shared folder on this computer from elsewhere on network or IIS logon).
There is a case that may be similar to yours and is caused when a computer is having problems connecting with Active Directory or because support uses the local Administrator to patch systems or perform other kinds of maintenance.
Or
If you have AD and every time a "not valid user" tries to access Internet it causes access denied because this user is not a valid domain user.

And see what computer 11.1.1.44 represents in the network.
j_rameses (ASKER)

kpax77,

Are you saying that the user of the laptop may be trying to use the administrator account instead of their own?  This laptop belongs to the owner of the company.  The owner told me that sometimes they enter the password incorrectly because they are entering it quickly.  But my concern is why so many entries in the log file and the SBS report?  I know they are not entering it incorrectly 63+ times within seconds and through their use of the laptop.  Those 63+ entries are happening within a 3-hour time frame while they are using the laptop.  I had other users enter their password incorrectly and all I get is a hit of one on the SBS report and the log file.

What can be happening?
I just got this morning's SBS Report, 135 hits:

Source Event ID Last Occurrence Total Occurrences
  Security 529 12/14/2011 10:56 PM 135 *
Logon Failure:
  Reason: Unknown user name or bad password
  User Name: LAPTOP-NAME$
  Domain: BDRN
  Logon Type: 3
  Logon Process: NtLmSsp
  Authentication Package: NTLM
  Workstation Name: LAPTOP_NAME
  Caller User Name: -
  Caller Domain: -
  Caller Logon ID: -
  Caller Process ID: -
  Transited Services: -
  Source Network Address: 11.1.1.44
  Source Port: 58551
 
Something must be going on?
1. What does this IP address represent on your network: 11.1.1.44?
2. Does this computer share something with other computers which may not have the correct access permissions?
(Logon comes from outside of computer)
Most likely it's not an attack and comes from another computer which is trying to access some data on your laptop.
kpax77,

IP address is not from our network.
Maybe it's a VPN IP address?
How can I find out ?
kpax77, No that laptop does not share its resources with any other computer/laptop.
1. IP tracing result: http://en.utrace.de/ip-address/11.1.1.44
Is it familiar to you?

2. Go to My Computer and click Network on the bottom left-hand side to see your computer name and if something is shared or not.
I did #2, and it only displays their laptop.

#1, do I do that from their laptop or server?
There's only me answering the question . . .

Kpax7
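
An added example, not part of the original thread: a Python script that parses Event 529 descriptions in the layout quoted above and groups the failures by account, source address and logon type, labelling computer accounts (names ending in `$`) and checking whether the source address falls in a private range. The sample entries, the `jsmith` account and all function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the layout of the report quoted in the thread;
# the values are placeholders, not taken from a real log.
TEMPLATE = """Logon Failure:
  Reason: Unknown user name or bad password
  User Name: {user}
  Logon Type: {ltype}
  Source Network Address: {src}
"""
SAMPLE = (TEMPLATE.format(user="LAPTOP-NAME$", ltype=3, src="11.1.1.44") * 3
          + TEMPLATE.format(user="jsmith", ltype=2, src="-"))

LOGON_TYPES = {"2": "interactive", "3": "network", "10": "remote interactive"}

def parse_events(text):
    """Split on 'Logon Failure:' headers; map each 'Key: Value' line into a dict."""
    chunks = re.split(r"^Logon Failure:\s*$", text, flags=re.M)[1:]
    return [dict(re.findall(r"^\s+([^:\n]+):[ \t]*(.*?)[ \t]*$", c, flags=re.M)) for c in chunks]

def is_private(addr):
    try:
        return ipaddress.ip_address(addr).is_private
    except ValueError:  # "-" or empty when the event carries no address
        return None

def summarise(events):
    """Count failures per (account, source, logon type) and label each group."""
    counts = Counter((e.get("User Name", "-"), e.get("Source Network Address", "-"),
                      e.get("Logon Type", "-")) for e in events)
    return [{
        "account": user,
        # A trailing "$" marks a computer account, whose password nobody types.
        "kind": "computer" if user.endswith("$") else "user",
        "source": src,
        "source_is_private": is_private(src),
        "logon": LOGON_TYPES.get(ltype, ltype),
        "failures": n,
    } for (user, src, ltype), n in counts.most_common()]

if __name__ == "__main__":
    for row in summarise(parse_events(SAMPLE)):
        print(row)
```

Grouping this way separates repeated failures of a computer account over the network from a single mistyped user password, which is the difference the asker observed between this laptop and other users.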