Re: Audit Failures

EMcGrath_at_HCA_NOSPAM_Vendor.com
Date: 03/29/05 

Date: Mon, 28 Mar 2005 16:25:11 -0800

There are many attempts, even from my account. I think is may have something
to do with our VPN. This is happening with users who are working in
workgroups in a remote office and who are tunneling into my network via a VPN
connection.

Does this spark any ideas?

Thanks,
Erin

"Michiko Short [MSFT]" wrote:

> This event occurs whenever the username & password combination fails.
> Generally, you will see these in an organization when someone makes a
> mistake typing their password. (though occasionally people misspell their
> account). Excessive numbers should be investigated.
>
> Since I don't know the details of your environment, it may be caused by
> other events. Logon type 3 is accessed system via network. There are also
> several KBs that may apply to your situation.
>
> Windows Server 2003 Events and Errors is our web site for more information.
> http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033
>
> For more information about that event see:
> http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0
>
> Michiko Short [MSFT}
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send e-mail directly to this alias. This alias is for
> newsgroup purposes only.
>
> "EMcGrath@HCA_NOSPAM_Vendor.com"
> <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
> news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
> > Can anyone tell me if they have seen this type of audit and what does it
> > mean? We just started auditing, but I am not sure what this is telling
> > me.
> > This case seems very ambiguious. The other day there were the same
> > entries
> > but they had user accounts that I know are fine. One of the accounts is
> > mine
> > and two others that access our server via a VPN connection.
> >
> > Thanks,
> >
> >
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 529
> > Date: 3/27/2005
> > Time: 9:09:35 PM
> > User: NT AUTHORITY\SYSTEM
> > Computer: [SERVER_X]
> > Description:
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name: Administrator
> > Domain: [SERVER_X]
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: [SERVER_X]
> >
>
>
>

Relevant Pages

  • Re: Need help with SMTP relay problem
    ... Please do not send email directly to this alias. ... > us regardless of what account is being used. ... >> clean-up from the open relay: ... >> Account Passwords and Policies in Windows Server 2003 ...
    (microsoft.public.exchange2000.protocols)
  • Re: Outlook security
    ... User's local account on laptop expired, ... When they connect to the VPN, ... The instructions are relative to a Windows 2000, Outlook XP, Cisco ...
    (microsoft.public.outlook.general)
  • Re: Requiring specific computer to log on
    ... Consider that if you set all your remote machines to use a single account, ... each VPN computer you have increased your "surface area". ... Double click the logfile. ...
    (microsoft.public.windows.server.sbs)
  • Re: Server 2003 IAS and VPN problem (not ISA server)
    ... Jim Harrison ... Yes, this user is in VPN windows group, which specified in IAS configuration. ... In acount property of this account the radiobutton "Control Access through ... "Reason = Authentication was not successful because an unknown user name or incorrect password was used." ...
    (microsoft.public.isa.vpn)
  • Re: RWW Security was compromised.
    ... Though RWW has this security flaw I prefer its use to VPN. ... I've opened a discussion with the other SBS MVPs where I admit to not ... We all agree that changing the admin account and enforcing password change ...
    (microsoft.public.windows.server.sbs)