Re: Audit Failures
From: Michiko Short [MSFT] (michikos_at_online.microsoft.com)
Date: 03/29/05
- Next message: EMcGrath_at_HCA_NOSPAM_Vendor.com: "Re: Audit Failures"
- Previous message: Herb Martin: "Re: Patch listing for MS products"
- In reply to: EMcGrath_at_HCA_NOSPAM_Vendor.com: "Audit Failures"
- Next in thread: EMcGrath_at_HCA_NOSPAM_Vendor.com: "Re: Audit Failures"
- Reply: EMcGrath_at_HCA_NOSPAM_Vendor.com: "Re: Audit Failures"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 28 Mar 2005 16:17:32 -0800
This event occurs whenever the username & password combination fails.
Generally, you will see these in an organization when someone makes a
mistake typing their password. (though occasionally people misspell their
account). Excessive numbers should be investigated.
Since I don't know the details of your environment, it may be caused by
other events. Logon type 3 is accessed system via network. There are also
several KBs that may apply to your situation.
Windows Server 2003 Events and Errors is our web site for more information.
http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033
For more information about that event see:
http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0
Michiko Short [MSFT}
-- This posting is provided "AS IS" with no warranties, and confers no rights. Please do not send e-mail directly to this alias. This alias is for newsgroup purposes only. "EMcGrath@HCA_NOSPAM_Vendor.com" <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com... > Can anyone tell me if they have seen this type of audit and what does it > mean? We just started auditing, but I am not sure what this is telling > me. > This case seems very ambiguious. The other day there were the same > entries > but they had user accounts that I know are fine. One of the accounts is > mine > and two others that access our server via a VPN connection. > > Thanks, > > > Event Type: Failure Audit > Event Source: Security > Event Category: Logon/Logoff > Event ID: 529 > Date: 3/27/2005 > Time: 9:09:35 PM > User: NT AUTHORITY\SYSTEM > Computer: [SERVER_X] > Description: > Logon Failure: > Reason: Unknown user name or bad password > User Name: Administrator > Domain: [SERVER_X] > Logon Type: 3 > Logon Process: NtLmSsp > Authentication Package: NTLM > Workstation Name: [SERVER_X] >
- Next message: EMcGrath_at_HCA_NOSPAM_Vendor.com: "Re: Audit Failures"
- Previous message: Herb Martin: "Re: Patch listing for MS products"
- In reply to: EMcGrath_at_HCA_NOSPAM_Vendor.com: "Audit Failures"
- Next in thread: EMcGrath_at_HCA_NOSPAM_Vendor.com: "Re: Audit Failures"
- Reply: EMcGrath_at_HCA_NOSPAM_Vendor.com: "Re: Audit Failures"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
