Re: Domain Security
- From: JPrice <JPrice@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 20 Mar 2006 11:37:20 -0800
Turns out that it is nothing.
After talking to the user, it seems that everytime he would click on
"network neighborhood" it would send this error to workstations. Must be a
bug somewhere in Microsoft. I will look for some kind of fix.
Thanks to those who helped.
"JPrice" wrote:
Thanks Steve,.
I will do what I can to take care of this issue.
Thanks again,
"Steven L Umbach" wrote:
Well according to the Event ID someone is trying to access the computer as
administrator via the network from computer John Doe and failed probably
because they did not know the correct password. So I don't know how you
think "administrator" is a particular individual. If these failed logons are
not persistent and numerous I would not worry too much about it [assuming
you enforce use of strong passwords] and IMHO do not necessarily prove a
whole lot other than maybe someone was curious about accessing another
computer which should not happen with decent security precautions. Sometimes
it is just best to question someone as in "do you have any idea why I am
seeing failed logon attempts to the administrator account on computer x from
your computer" and then the problem may go away as soon as the person knows
that you are being vigilant with the security logs. On the other hand if he
wrongly or incorrectly fires [poor evidence or documentation] someone he
could have a lawsuit on his hands. If the user in question [or a user
impersonating him] however is truly determined in obtaining confidential
data you may have a problem on your hands and the user may be more careful
next time and try other means. So always be vigilant. --- Steve
"JPrice" <JPrice@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4B04E726-91A3-4103-B0FD-4E853F28753F@xxxxxxxxxxxxxxxx
Type = FailureAud Event ID:529
User: NT AUTHORITY\SYSTEM
Username = Administrator
Computer - XXXX
Reason: Unknown user name or bad password
Domain = XXXXXX
Logon Type = 3
Logon Process = NtLmSsp
Authentication Package: Microsoft_Authentication_package_v1_0
Workstion Name: John Doe
*The CEO is in panic because the person that the event viewer is showing
is
"untrusted" or in other words, too good at his job to let go. The
person's
name that is showing up is their web developer also, possibly running IIS
on
his machine.
Thanks for any help. I have to get this guy off of my rear and get on
with
other things that need done.
"Habib" wrote:
"JPrice" wrote:
I currently have a domain with 30 clients. Recently one of the users
somehow
ran across their Administrative tools in the control panel on their
Windows
XP Professional machines. They happen to look in the event viewer (not
a
place a user should be in this case). He happen to see a couple
Failure
audits, mainly the same time he goes to lunch. It's event id 529. He
then
proceeded to tell all the people except for the person's name that is
in the
event. As it turns out, only 3 workstations have this issue. Human
Resources, Payroll, and the owner of the company. Now it's become a
question
of "is he trying to hack us?". According to most Microsoft answers,
it's
nothing to be worried about, but now they want a better answer. I do
not
have an answer for this. Can someone help me out?
- Follow-Ups:
- Re: Domain Security
- From: JosephWShawII
- Re: Domain Security
- From: Steven L Umbach
- Re: Domain Security
- References:
- Re: Domain Security
- From: Steven L Umbach
- Re: Domain Security
- From: JPrice
- Re: Domain Security
- Prev by Date: Re: Update error 0X8DDD003
- Next by Date: Re: No Admin Rights
- Previous by thread: Re: Domain Security
- Next by thread: Re: Domain Security
- Index(es):
Relevant Pages
|
