Re: Re: Security Event ID 534

From: zmurof (UseLinkToEmail_at_WindowsForumz.com)
Date: 03/22/05

• Next message: Murali.A: "How to export W2K Effective Policy Setting?"
• Previous message: rodchar: "Re: certificate authority"
• Next in thread: Steven L Umbach: "Re: Re: Security Event ID 534"
• Reply: Steven L Umbach: "Re: Re: Security Event ID 534"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

---

Date: 22 Mar 2005 01:04:29 -0500

"Steven Umbach" wrote:
> Hmm. Is anybody being denied access to the computer or is
> anything else failing
> or not working right?? How often are these events showing up??
> Is this a domain
> controller? Try enabling auditing of privilege use and object
> access for failure
> only to see if anything else is being recorded for those audit
> categories at the
> same time that may provide a clue. There was a problem with
> Event 534 on XP Pro
> computers, but have not heard about the same problem for
> Windows 2000. --- Steve
>
> http://support.microsoft.com/?kbid=841399
>
> "Richard Smith" <RichardSmith@discussions.microsoft.com> wrote
> in message
> news:950582DC-8507-46B1-8328-E2B6D541D98D@microsoft.com...
> > Steven, thanks for the reply...
> >
> > I have checked the "deny access from the network" local
> policy and there are
> > nothing specified. Also there are no corrosponding events in
> the app and
> > system logs.
> >
> > Im still stumped...
> >
> >
> >
> > "Steven Umbach" wrote:
> >
> &nbsp;> > I am not sure exactly what is going on but the
> reason would be a lack of
> &nbsp;> > privilege for the user right for access this
> computer from the network. You
> can
> &nbsp;> > open Local Security Policy and go to security
> settings/local policies/user
> &nbsp;> > rights and check for that user right and for deny
> access to this computer
> from
> &nbsp;> > the network that will override any allow settings to
> make sure it is
> correct.
> &nbsp;> > Normally at least users and administrators have the
> user right to access
> this
> &nbsp;> > computer from the network. Check the application and
> system logs to see if
> there
> &nbsp;> > any other possible events correlating to these
> errors by time. ---- Steve
> &nbsp;> >
> &nbsp;> >
> &nbsp;> > "Richard Smith"
> &lt;RichardSmith@discussions.microsoft.com&gt; wrote in
> message
> &nbsp;> >
> news:9DC611AD-F31E-4F9B-9E71-DFBBE7F000D7@microsoft.com...
> &nbsp;&nbsp;> > > Hello,
> &nbsp;&nbsp;> > >
> &nbsp;&nbsp;> > > I am seeing alot of these Security Event Log
> errors on my Windows 2000
> &nbsp;&nbsp;> > > Server.
> &nbsp;&nbsp;> > >
> &nbsp;&nbsp;> > > Type: Audit Failure
> &nbsp;&nbsp;> > > Source: Security
> &nbsp;&nbsp;> > > Event ID: 534
> &nbsp;&nbsp;> > > Event Time: &lt;Date and Time&gt;
> &nbsp;&nbsp;> > > User: NT AUTHORITYSYSTEM
> &nbsp;&nbsp;> > > Computer: &lt;computername&gt;
> &nbsp;&nbsp;> > > Description:
> &nbsp;&nbsp;> > > Logon Failure:
> &nbsp;&nbsp;> > > Reason: The user has not been granted the
> requested
> &nbsp;&nbsp;> > > logon type at this machine
> &nbsp;&nbsp;> > > User Name:
> &nbsp;&nbsp;> > > Domain:
> &nbsp;&nbsp;> > > Logon Type: 3
> &nbsp;&nbsp;> > > Logon Process: Kerberos
> &nbsp;&nbsp;> > > Authentication Package: Kerberos
> &nbsp;&nbsp;> > > Workstation Name: -
> &nbsp;&nbsp;> > >
> &nbsp;&nbsp;> > > The error seem to be saying that the SYSTEM
> account is trying to logon
> from
> &nbsp;&nbsp;> > > the Network (logon type 3) and is failing.
> However I dont understand why
> the
> &nbsp;&nbsp;> > > local System account would be accessing the
> server from the network!
> Doesnt
> &nbsp;&nbsp;> > > make sense to me.
> &nbsp;&nbsp;> > >
> &nbsp;&nbsp;> > > Any light that could be shed on why Im
> getting these errors, would be a
> huge
> &nbsp;&nbsp;> > > help.
> &nbsp;&nbsp;> > >
> &nbsp;&nbsp;> > > Many Thanks
> &nbsp;&nbsp;> > >
> &nbsp;&nbsp;> > > Richard
> &nbsp;> >
> &nbsp;> >
> &nbsp;> >

Thought I’d jump in here as I’m having the exact same problem Richard.
 I know you would rather have someone with answers but perhaps I can
offer some insight.

This error started occuring after we defined a domain security policy,
’access this computer from the network’. This however broke access to
our web server. The domain policy is not addative I believe and it
took away the local member(web server), IUSR account access.
Apparently when you define a domain policy and there is no local
security policy, then you undefine the domain policy, it may still be
enforced.

When you look at the local security policy the edit buttons are greyed
out so there is no way to specify these accounts or groups with the
local policy. I don’t know how to get around this one. I was
thinking that rejoining the domain might work but as this is a web
server/exchange server I have not tried that yet.

If you can find out what account/group to add into your policy for the
krbtgt account it might fix this.

-- 
Posted using the http://www.windowsforumz.com interface, at author's request
Articles individually checked for conformance to usenet standards
Topic URL: http://www.windowsforumz.com/Security-Event-ID-534-ftopict268879.html
Visit Topic URL to contact author (reg. req'd).  Report abuse: http://www.windowsforumz.com/eform.php?p=1092197

---

• Next message: Murali.A: "How to export W2K Effective Policy Setting?"
• Previous message: rodchar: "Re: certificate authority"
• Next in thread: Steven L Umbach: "Re: Re: Security Event ID 534"
• Reply: Steven L Umbach: "Re: Re: Security Event ID 534"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

• Security
• UNIX
• Linux
• Coding
• Usenet

• News
• Mailing-Lists
• Newsgroups
• Service
• About
• Privacy
• Search
• Imprint

www.derkeiler.com  > Newsgroups  > microsoft.public.win2000.security  > 2005-03