• Status: Solved

Failure Audit Security logs Event ID 529 occurring every 5 minutes

I am getting a security log "failure audit" (every 5 minutes, like clockwork).

Event Properties

Event

Date: xx/xx/xxxx              Source: Security
Time: xx:xx:xxAM             Category: Logon/Logoff
Type: Failure Aud              Event ID:   529
User:    NT AUTHORITY\SYSTEM
Computer:   "ServerName"

Description:
Logon Failure:

    Reason:        Unknown user name or bad password
    User Name:   "Local admin user name"
    Domain:        "DomainName"
    Logon Type:   7
    Logon Process: Advapi
    Authentication Package:   Negotiate
    Workstation Name:         "ServerName"
    Caller User Name:            "ServerName$"
    Caller Domain:                 "DomainName"
    Caller Process ID:             2864
    Transited Services:  -      (nothing in this field)
    Source Network Address: -    (nothing in this field)
    Source Port:  -              (nothing in this field)
Asked by: markc56

Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
Security Event 529 is logged for local user accounts
http://support.microsoft.com/kb/811082

Open a command prompt and type "tasklist /svc" without the quotes, then scroll down and check which service\application is using PID 2864 (mentioned in the audit log).

Not sure if some Admin password was changed but not in the application?

- Rancy

Manpreet Singh Khatra, Solutions Architect, Project Lead, commented:
Is there any scheduled task running every 5 minutes, or an application that tries to access some data every 5 minutes? Maybe some changes are needed on it?

- Rancy

btan, Exec Consultant, commented:
Looks like this: http://support.microsoft.com/kb/890477

The auth package stated negotiation, and it is referring to Kerberos checks.
This problem occurs if you use a local user account to run the program and the WMI scripts that you use in the program require Administrators group membership verification. As mentioned by Rancy, you can check out the PID (it may change if you reboot the station) to see the "culprit".

http://www.mydigitallife.info/how-to-get-and-view-process-identifier-process-id-or-pid-on-windows/

markc56 (Author) commented:
Thanks for the feedback. I will not have access to the server until Monday (8/27), but I will check along these lines first thing and post.
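
The triage suggested in this thread, as an added example that is not part of any original post: it parses exported Event ID 529 descriptions, groups failures by account, logon type and caller PID, keeps groups that recur at a fixed interval, and looks the caller PID up in saved `tasklist /svc` output. The sample events, the timestamp format, the account name `localadmin` and the `agent.exe` / `ExampleAgent` row are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: (timestamp, description) pairs exported from the Security log.
DESC = """Logon Failure:
    User Name: localadmin
    Logon Type: 7
    Caller Process ID: 2864"""
EVENTS = [(f"2012-08-24 10:{m:02d}:00", DESC) for m in (0, 5, 10, 15, 20)]
# Constructed `tasklist /svc` output; ExampleAgent is a hypothetical service.
TASKLIST = """Image Name                   PID Services
========================= ====== ==========================
svchost.exe                  912 DcomLaunch, TermService
agent.exe                   2864 ExampleAgent
"""

def parse_fields(description):
    """Turn the 'Name: value' lines of an event description into a dict."""
    pairs = re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", description, re.M)
    return {k.strip(): v.strip() for k, v in pairs}

def parse_tasklist(text):
    """Map PID (as text) -> (image name, services) from `tasklist /svc` rows."""
    rows = re.findall(r"^(\S.*?)[ \t]+(\d+)[ \t]+(.*)$", text, re.M)
    return {pid: (image, svc.strip()) for image, pid, svc in rows}

def periodic_failures(events, tolerance=10, min_count=4):
    """Keep groups whose gaps all lie within `tolerance` s of the median gap."""
    groups = defaultdict(list)
    for stamp, desc in events:
        f = parse_fields(desc)
        key = (f.get("User Name"), f.get("Logon Type"), f.get("Caller Process ID"))
        groups[key].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))
    hits = {}
    for key, times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_count and all(abs(g - median(gaps)) <= tolerance for g in gaps):
            hits[key] = median(gaps)
    return hits

def report(events, tasklist_text):
    pids = parse_tasklist(tasklist_text)
    return [(user, ltype, pid, gap, pids.get(pid, ("unknown", "")))
            for (user, ltype, pid), gap in periodic_failures(events).items()]

if __name__ == "__main__":
    print(report(EVENTS, TASKLIST))
```

Capture the `tasklist /svc` output before any reboot, since the PID recorded in the event can change afterwards.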