Re: Event Viewer Question

From: Steven Umbach (n9rou_at_n0spam-comcast.net)
Date: 02/03/04


Date: Tue, 03 Feb 2004 00:00:34 GMT

I have seen multiple events, but not that many. I would check that your AD is
set up correctly by running netdiag and dcdiag [they are on the install CD under
support/tools - run setup] on the domain controller and netdiag on the XP
machine. Also be sure that the domain controller is pointing to itself and the
XP machine is pointing to the domain controller as their preferred DNS server in
TCP/IP properties and NEVER an ISP DNS server for any domain machine. If the W2K
machine is the domain controller, then restricting access to the administrators
group only for network will cause a lot of authentication problems and is perhaps
the reason for the multiple events. Computers also need to have network access
to the domain controller for machine authentication. See the KB link below for
an explanation of user rights for network access needed to a domain controller
[either everyone or authenticated users is needed]. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;EN-US;823659

"Jim" <ncjem@yahoo.com> wrote in message
news:e9ef0710.0402021305.33cbf614@posting.google.com...
> I have a question about an event in my security logs. Here is the
> situation:
>
> I have 2 machines that are in the same domain. One is running Windows
> 2000 Server (workstation name = JIMLAB2K) and the other is running
> Windows XP Professional (workstation name = JIMLABXP1).
>
> On the Windows 2000 machine I modified the "Access the computer from
> the network" right to only include administrators. I then logged into
> the Windows XP machine as a test user that is a member of the domain
> but is not a member of the administrators group on the Windows 2000
> machine. Once logged in, I selected "Start, Run" and typed in
> \\JIMLAB2K\c$. As expected I received an error message that said I
> have not been granted the requested logon type at this computer.
>
> When I look in the event log, I see 17 Failure Audit events that look
> like this:
>
> Date: mm/dd/yyyy
> Source: Security
> Time: hh/mm
> Category: Logon/Logoff
> Type: Failure
> Event ID: 534
> User: NT AUTHORITY\SYSTEM
> Computer: JIMLAB2K
> Description:
> Logon Failure:
> Reason: The user has not been granted the requested logon
> type at this machine
> User Name:
> Domain:
> Logon Type: 3
> Logon Process: Kerberos
> Authentication Package: Kerberos
> Workstation Name: -
>
> My questions are this:
>
> 1. Why are there 17 events captured for one logon attempt?
>
> 2. Why doesn't the user name and domain populate with the username
> and domain that I attempted to connect with?
>
> 3. Why doesn't the workstation name that I attempted to connect from
> show up?
>
> 4. If this is occurring by design, then how do I know where this event
> is coming from so that I can investigate it?
>
> Thanks in advance for any assistance provided.
>
> Jim
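
A check for the user right discussed in the reply above, as an added example that is not part of the original thread: it parses the `[Privilege Rights]` section of a `secedit /export /areas USER_RIGHTS` file and reports whether Everyone or Authenticated Users holds `SeNetworkLogonRight` ("Access this computer from the network"). The sample exports and the function names are constructed for illustration.

```python
import configparser

# Well-known SIDs and their display names; secedit writes SIDs as "*S-1-..."
# and may write a plain account name instead, so both forms are matched.
BROAD = {"s-1-1-0": "Everyone", "everyone": "Everyone",
         "s-1-5-11": "Authenticated Users",
         "authenticated users": "Authenticated Users"}

# Constructed sample exports (not taken from the thread).
RESTRICTED_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-551
[Version]
signature="$CHICAGO$"
Revision=1
"""
BROAD_EXPORT = RESTRICTED_EXPORT.replace(
    "SeNetworkLogonRight = *S-1-5-32-544",
    "SeNetworkLogonRight = *S-1-1-0,*S-1-5-11,*S-1-5-32-544")


def network_logon_holders(inf_text):
    """Return the principals listed for SeNetworkLogonRight."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the right names case-sensitive
    parser.read_string(inf_text)
    raw = parser.get("Privilege Rights", "SeNetworkLogonRight", fallback="")
    return [p.strip().lstrip("*") for p in raw.split(",") if p.strip()]


def audit_network_logon(inf_text):
    """Flag an export where neither broad group holds the right."""
    holders = network_logon_holders(inf_text)
    broad = [BROAD[h.lower()] for h in holders if h.lower() in BROAD]
    return {"holders": holders, "broad": broad, "ok": bool(broad)}


if __name__ == "__main__":
    # A real export is typically UTF-16: open(path, encoding="utf-16").read()
    for name, text in (("restricted", RESTRICTED_EXPORT),
                       ("broad", BROAD_EXPORT)):
        print(name, audit_network_logon(text))
```
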


