I have a user that everytime they are on their laptop from home and while they are using it I get hit with many Event ID 529 on my logs.
This is what my SBS Report looks like:
Source Event ID Last Occurrence Total Occurrences
Security 529 12/13/2011 9:40 PM 63 *
Reason: Unknown user name or bad password
User Name: LAPTOP-NAME$
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: LAPTOP-NAME
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 188.8.131.52
Source Port: 52935
That is the info I get on my report via email from SBS 2003.
When I look in the event viewer in my SBS, I see each individual entry seconds apart starting from 8:32:35PM Failure Audit to 9:40:27PM on the date of 12/13/2011, that is when the user is using their laptop. Why are there so many entries during that time while the user is on the laptop? Can they be under attack? Or is there a glitch on their system? They do tell me that sometimes they enter an incorrect password. But I had other users whom incorrectly enetered their password and all I get is on entry on the log file and only one occurence in my SBS reprt via email.
That users computer is Windows 7 and my server is SBS 2003.