Failure Audit Security logs Event ID 529 occurring every 5 minutes

I am getting a security log "failure audit" (every 5 minutes like clockwork).

Event Properties

Event

Date: xx/xx/xxxx              Source: Security
Time: xx:xx:xxAM             Category: Logon/Logoff
Type: Failure Aud              Event ID:   529
User:    NT AUTHORITY\SYSTEM
Computer:   "ServerName"

Description:
Logon Failure:

    Reason:        Unknown user name or bad password
    User Name:   "Local admin user name"
    Domain:        "DomainName"
    Logon Type:   7
    Logon Process: Advapi
    Authentication Package:   Negotiate
    Workstation Name:         "ServerName"
    Caller User Name:            "ServerName$"
    Caller Domain:                 "DomainName"
    Caller Process ID:             2864
    Transited Services:  -      (nothing in this field)
    Source Network Address: -    (nothing in this field)
    Source Port:  -              (nothing in this field)
markc56 Asked:
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Security Event 529 is logged for local user accounts
http://support.microsoft.com/kb/811082

Open a command prompt and type "tasklist /svc" without the quotes, then scroll down and check which service\application is using PID 2864 (mentioned in the audit log).

Not sure if some Admin password is changed and not on the Application?

- Rancy
 
Manpreet Singh Khatra (Solutions Architect, Project Lead) Commented:
Is there any scheduled task running every 5 minutes, or an application that tries to access some data every 5 minutes? Maybe some changes are needed on it?

- Rancy
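The triage the two answers above describe (map the Caller Process ID from the audit entry to a service, and check whether the failures follow a fixed schedule), as an added PowerShell example that is not part of the original thread. The function name, the sample account `localadmin` and the service name `ExampleSvc` are made up for illustration; it assumes PowerShell 2.0 or later is installed on the server.

```powershell
# Added example, not from the thread. Requires PowerShell 2.0 or later.
function Get-Failure529Summary {
    param(
        [object[]]$Entries,             # objects with TimeGenerated and Message
        [hashtable]$ServiceMap = $null  # optional PID -> service names; default queries WMI
    )
    $parsed = foreach ($e in $Entries) {
        if ($e.Message -match 'Caller Process ID:\s*(\d+)') {
            $callerPid = [int]$Matches[1]   # avoid $PID, PowerShell's own process ID
            $user = '?'
            if ($e.Message -match '(?m)^\s*User Name:\s*(.+)$') { $user = $Matches[1].Trim() }
            New-Object PSObject -Property @{ Time = $e.TimeGenerated; CallerPid = $callerPid; User = $user }
        }
    }
    foreach ($g in ($parsed | Group-Object CallerPid, User)) {
        $times = @($g.Group | Sort-Object Time | ForEach-Object { $_.Time })
        $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalMinutes })
        $avg = $null
        if ($gaps.Count -gt 0) { $avg = [math]::Round(($gaps | Measure-Object -Average).Average, 1) }
        $callerPid = $g.Group[0].CallerPid
        if ($null -ne $ServiceMap) { $svc = $ServiceMap[$callerPid] }
        else {
            # Same mapping "tasklist /svc" shows: services hosted in that process
            $svc = @(Get-WmiObject Win32_Service -Filter "ProcessId=$callerPid" |
                     ForEach-Object { $_.Name }) -join ', '
        }
        New-Object PSObject -Property @{
            CallerPid = $callerPid; User = $g.Group[0].User; Failures = $g.Count
            AvgGapMinutes = $avg; Services = $svc
        }
    }
}

# Constructed sample modelled on the event in the question: 3 failures, 5 minutes apart
$msg = @'
Logon Failure:
    Reason:        Unknown user name or bad password
    User Name:   localadmin
    Logon Type:   7
    Caller User Name:   SERVERNAME$
    Caller Process ID:  2864
'@
$t0 = [datetime]'2000-01-01T08:00:00'
$sample = 0..2 | ForEach-Object {
    New-Object PSObject -Property @{ TimeGenerated = $t0.AddMinutes(5 * $_); Message = $msg }
}
Get-Failure529Summary -Entries $sample -ServiceMap @{ 2864 = 'ExampleSvc' }   # ExampleSvc is made up
# On the affected server (elevated prompt), use the live Security log instead:
# Get-Failure529Summary -Entries (Get-EventLog -LogName Security -InstanceId 529 -Newest 50)
```

An empty Services value means the PID belongs to an ordinary process rather than a service host, and the PID is only meaningful while that process is still running.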
 
btan (Exec Consultant) Commented:
Looks like this http://support.microsoft.com/kb/890477

The auth package stated negotiation and it is referring to Kerberos checks.
This problem occurs if you use a local user account to run the program and the WMI scripts that you use in the program require Administrators group membership verification. As mentioned by Rancy, you can check out the PID (it may change if you reboot the station) to see the "culprit".

http://www.mydigitallife.info/how-to-get-and-view-process-identifier-process-id-or-pid-on-windows/
 
markc56 (Author) Commented:
Thanks for the feedback. I will not have access to the server until Monday (8/27), but I will check along these lines first thing and post.
Question has a verified solution.
