Security Event ID 534

Archived from groups: microsoft.public.win2000.security (More info?)

Hello,

I am seeing alot of these Security Event Log errors on my Windows 2000
Server.

Type: Audit Failure
Source: Security
Event ID: 534
Event Time: <Date and Time>
User: NT AUTHORITY\SYSTEM
Computer: <computername>
Description:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -

The error seem to be saying that the SYSTEM account is trying to logon from
the Network (logon type 3) and is failing. However I dont understand why the
local System account would be accessing the server from the network! Doesnt
make sense to me.

Any light that could be shed on why Im getting these errors, would be a huge
help.

Many Thanks

Richard
5 answers Last reply
More about security event
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    I am not sure exactly what is going on but the reason would be a lack of
    privilege for the user right for access this computer from the network. You can
    open Local Security Policy and go to security settings/local policies/user
    rights and check for that user right and for deny access to this computer from
    the network that will override any allow settings to make sure it is correct.
    Normally at least users and administrators have the user right to access this
    computer from the network. Check the application and system logs to see if there
    any other possible events correlating to these errors by time. ---- Steve


    "Richard Smith" <RichardSmith@discussions.microsoft.com> wrote in message
    news:9DC611AD-F31E-4F9B-9E71-DFBBE7F000D7@microsoft.com...
    > Hello,
    >
    > I am seeing alot of these Security Event Log errors on my Windows 2000
    > Server.
    >
    > Type: Audit Failure
    > Source: Security
    > Event ID: 534
    > Event Time: <Date and Time>
    > User: NT AUTHORITY\SYSTEM
    > Computer: <computername>
    > Description:
    > Logon Failure:
    > Reason: The user has not been granted the requested
    > logon type at this machine
    > User Name:
    > Domain:
    > Logon Type: 3
    > Logon Process: Kerberos
    > Authentication Package: Kerberos
    > Workstation Name: -
    >
    > The error seem to be saying that the SYSTEM account is trying to logon from
    > the Network (logon type 3) and is failing. However I dont understand why the
    > local System account would be accessing the server from the network! Doesnt
    > make sense to me.
    >
    > Any light that could be shed on why Im getting these errors, would be a huge
    > help.
    >
    > Many Thanks
    >
    > Richard
  2. Archived from groups: microsoft.public.win2000.security (More info?)

    Steven, thanks for the reply...

    I have checked the "deny access from the network" local policy and there are
    nothing specified. Also there are no corrosponding events in the app and
    system logs.

    Im still stumped...


    "Steven Umbach" wrote:

    > I am not sure exactly what is going on but the reason would be a lack of
    > privilege for the user right for access this computer from the network. You can
    > open Local Security Policy and go to security settings/local policies/user
    > rights and check for that user right and for deny access to this computer from
    > the network that will override any allow settings to make sure it is correct.
    > Normally at least users and administrators have the user right to access this
    > computer from the network. Check the application and system logs to see if there
    > any other possible events correlating to these errors by time. ---- Steve
    >
    >
    > "Richard Smith" <RichardSmith@discussions.microsoft.com> wrote in message
    > news:9DC611AD-F31E-4F9B-9E71-DFBBE7F000D7@microsoft.com...
    > > Hello,
    > >
    > > I am seeing alot of these Security Event Log errors on my Windows 2000
    > > Server.
    > >
    > > Type: Audit Failure
    > > Source: Security
    > > Event ID: 534
    > > Event Time: <Date and Time>
    > > User: NT AUTHORITY\SYSTEM
    > > Computer: <computername>
    > > Description:
    > > Logon Failure:
    > > Reason: The user has not been granted the requested
    > > logon type at this machine
    > > User Name:
    > > Domain:
    > > Logon Type: 3
    > > Logon Process: Kerberos
    > > Authentication Package: Kerberos
    > > Workstation Name: -
    > >
    > > The error seem to be saying that the SYSTEM account is trying to logon from
    > > the Network (logon type 3) and is failing. However I dont understand why the
    > > local System account would be accessing the server from the network! Doesnt
    > > make sense to me.
    > >
    > > Any light that could be shed on why Im getting these errors, would be a huge
    > > help.
    > >
    > > Many Thanks
    > >
    > > Richard
    >
    >
    >
  3. Archived from groups: microsoft.public.win2000.security (More info?)

    Hmm. Is anybody being denied access to the computer or is anything else failing
    or not working right?? How often are these events showing up?? Is this a domain
    controller? Try enabling auditing of privilege use and object access for failure
    only to see if anything else is being recorded for those audit categories at the
    same time that may provide a clue. There was a problem with Event 534 on XP Pro
    computers, but have not heard about the same problem for Windows 2000. --- Steve

    http://support.microsoft.com/?kbid=841399

    "Richard Smith" <RichardSmith@discussions.microsoft.com> wrote in message
    news:950582DC-8507-46B1-8328-E2B6D541D98D@microsoft.com...
    > Steven, thanks for the reply...
    >
    > I have checked the "deny access from the network" local policy and there are
    > nothing specified. Also there are no corrosponding events in the app and
    > system logs.
    >
    > Im still stumped...
    >
    >
    >
    > "Steven Umbach" wrote:
    >
    > > I am not sure exactly what is going on but the reason would be a lack of
    > > privilege for the user right for access this computer from the network. You
    can
    > > open Local Security Policy and go to security settings/local policies/user
    > > rights and check for that user right and for deny access to this computer
    from
    > > the network that will override any allow settings to make sure it is
    correct.
    > > Normally at least users and administrators have the user right to access
    this
    > > computer from the network. Check the application and system logs to see if
    there
    > > any other possible events correlating to these errors by time. ---- Steve
    > >
    > >
    > > "Richard Smith" <RichardSmith@discussions.microsoft.com> wrote in message
    > > news:9DC611AD-F31E-4F9B-9E71-DFBBE7F000D7@microsoft.com...
    > > > Hello,
    > > >
    > > > I am seeing alot of these Security Event Log errors on my Windows 2000
    > > > Server.
    > > >
    > > > Type: Audit Failure
    > > > Source: Security
    > > > Event ID: 534
    > > > Event Time: <Date and Time>
    > > > User: NT AUTHORITY\SYSTEM
    > > > Computer: <computername>
    > > > Description:
    > > > Logon Failure:
    > > > Reason: The user has not been granted the requested
    > > > logon type at this machine
    > > > User Name:
    > > > Domain:
    > > > Logon Type: 3
    > > > Logon Process: Kerberos
    > > > Authentication Package: Kerberos
    > > > Workstation Name: -
    > > >
    > > > The error seem to be saying that the SYSTEM account is trying to logon
    from
    > > > the Network (logon type 3) and is failing. However I dont understand why
    the
    > > > local System account would be accessing the server from the network!
    Doesnt
    > > > make sense to me.
    > > >
    > > > Any light that could be shed on why Im getting these errors, would be a
    huge
    > > > help.
    > > >
    > > > Many Thanks
    > > >
    > > > Richard
    > >
    > >
    > >
  4. Archived from groups: microsoft.public.win2000.security (More info?)

    "Steven Umbach" wrote:
    > Hmm. Is anybody being denied access to the computer or is
    > anything else failing
    > or not working right?? How often are these events showing up??
    > Is this a domain
    > controller? Try enabling auditing of privilege use and object
    > access for failure
    > only to see if anything else is being recorded for those audit
    > categories at the
    > same time that may provide a clue. There was a problem with
    > Event 534 on XP Pro
    > computers, but have not heard about the same problem for
    > Windows 2000. --- Steve
    >
    > http://support.microsoft.com/?kbid=841399
    >
    > "Richard Smith" <RichardSmith@discussions.microsoft.com> wrote
    > in message
    > news:950582DC-8507-46B1-8328-E2B6D541D98D@microsoft.com...
    > > Steven, thanks for the reply...
    > >
    > > I have checked the "deny access from the network" local
    > policy and there are
    > > nothing specified. Also there are no corrosponding events in
    > the app and
    > > system logs.
    > >
    > > Im still stumped...
    > >
    > >
    > >
    > > "Steven Umbach" wrote:
    > >
    >  > > I am not sure exactly what is going on but the
    > reason would be a lack of
    >  > > privilege for the user right for access this
    > computer from the network. You
    > can
    >  > > open Local Security Policy and go to security
    > settings/local policies/user
    >  > > rights and check for that user right and for deny
    > access to this computer
    > from
    >  > > the network that will override any allow settings to
    > make sure it is
    > correct.
    >  > > Normally at least users and administrators have the
    > user right to access
    > this
    >  > > computer from the network. Check the application and
    > system logs to see if
    > there
    >  > > any other possible events correlating to these
    > errors by time. ---- Steve
    >  > >
    >  > >
    >  > > "Richard Smith"
    > <RichardSmith@discussions.microsoft.com> wrote in
    > message
    >  > >
    > news:9DC611AD-F31E-4F9B-9E71-DFBBE7F000D7@microsoft.com...
    >   > > > Hello,
    >   > > >
    >   > > > I am seeing alot of these Security Event Log
    > errors on my Windows 2000
    >   > > > Server.
    >   > > >
    >   > > > Type: Audit Failure
    >   > > > Source: Security
    >   > > > Event ID: 534
    >   > > > Event Time: <Date and Time>
    >   > > > User: NT AUTHORITYSYSTEM
    >   > > > Computer: <computername>
    >   > > > Description:
    >   > > > Logon Failure:
    >   > > > Reason: The user has not been granted the
    > requested
    >   > > > logon type at this machine
    >   > > > User Name:
    >   > > > Domain:
    >   > > > Logon Type: 3
    >   > > > Logon Process: Kerberos
    >   > > > Authentication Package: Kerberos
    >   > > > Workstation Name: -
    >   > > >
    >   > > > The error seem to be saying that the SYSTEM
    > account is trying to logon
    > from
    >   > > > the Network (logon type 3) and is failing.
    > However I dont understand why
    > the
    >   > > > local System account would be accessing the
    > server from the network!
    > Doesnt
    >   > > > make sense to me.
    >   > > >
    >   > > > Any light that could be shed on why Im
    > getting these errors, would be a
    > huge
    >   > > > help.
    >   > > >
    >   > > > Many Thanks
    >   > > >
    >   > > > Richard
    >  > >
    >  > >
    >  > >

    Thought I’d jump in here as I’m having the exact same problem Richard.
    I know you would rather have someone with answers but perhaps I can
    offer some insight.

    This error started occuring after we defined a domain security policy,
    ’access this computer from the network’. This however broke access to
    our web server. The domain policy is not addative I believe and it
    took away the local member(web server), IUSR account access.
    Apparently when you define a domain policy and there is no local
    security policy, then you undefine the domain policy, it may still be
    enforced.

    When you look at the local security policy the edit buttons are greyed
    out so there is no way to specify these accounts or groups with the
    local policy. I don’t know how to get around this one. I was
    thinking that rejoining the domain might work but as this is a web
    server/exchange server I have not tried that yet.

    If you can find out what account/group to add into your policy for the
    krbtgt account it might fix this.

    --
    Posted using the http://www.windowsforumz.com interface, at author's request
    Articles individually checked for conformance to usenet standards
    Topic URL: http://www.windowsforumz.com/Security-Event-ID-534-ftopict268879.html
    Visit Topic URL to contact author (reg. req'd). Report abuse: http://www.windowsforumz.com/eform.php?p=1092197
  5. Archived from groups: microsoft.public.win2000.security (More info?)

    When you "undefine" security options they often maintain the last defined
    setting. Undefined in such case often means "no change". The grayed out
    settings means that security settings are being applied at a higher priority
    level. Group/security policy is applied in this order where the last applied
    setting applies in a normal configuration - local>site>domain>OU>child OU.
    What you could do is create an OU for your server with it's own Group
    Policy, assign the necessary user rights in that Group Policy and then move
    the server account into that OU. The OU could be a child OU to the domain
    container or another OU so that you could maintain all current
    Group/security policy with the exception of what is defined in the child OU
    for your server. Note however if "no override" is configured on the Group
    Policy that is applying the user rights to your server a child OU will not
    work but that is not a usual configuration. The support tool gpresult can
    help in determining what computer configuration policies are being applied
    to your server. --- Steve


    "zmurof" <UseLinkToEmail@WindowsForumz.com> wrote in message
    news:3_1092197_81719a7ba660efe6535f9945ab7691ec@windowsforumz.com...
    > "Steven Umbach" wrote:
    > > Hmm. Is anybody being denied access to the computer or is
    > > anything else failing
    > > or not working right?? How often are these events showing up??
    > > Is this a domain
    > > controller? Try enabling auditing of privilege use and object
    > > access for failure
    > > only to see if anything else is being recorded for those audit
    > > categories at the
    > > same time that may provide a clue. There was a problem with
    > > Event 534 on XP Pro
    > > computers, but have not heard about the same problem for
    > > Windows 2000. --- Steve
    > >
    > > http://support.microsoft.com/?kbid=841399
    > >
    > > "Richard Smith" <RichardSmith@discussions.microsoft.com> wrote
    > > in message
    > > news:950582DC-8507-46B1-8328-E2B6D541D98D@microsoft.com...
    > > > Steven, thanks for the reply...
    > > >
    > > > I have checked the "deny access from the network" local
    > > policy and there are
    > > > nothing specified. Also there are no corrosponding events in
    > > the app and
    > > > system logs.
    > > >
    > > > Im still stumped...
    > > >
    > > >
    > > >
    > > > "Steven Umbach" wrote:
    > > >
    > >  > > I am not sure exactly what is going on but the
    > > reason would be a lack of
    > >  > > privilege for the user right for access this
    > > computer from the network. You
    > > can
    > >  > > open Local Security Policy and go to security
    > > settings/local policies/user
    > >  > > rights and check for that user right and for deny
    > > access to this computer
    > > from
    > >  > > the network that will override any allow settings to
    > > make sure it is
    > > correct.
    > >  > > Normally at least users and administrators have the
    > > user right to access
    > > this
    > >  > > computer from the network. Check the application and
    > > system logs to see if
    > > there
    > >  > > any other possible events correlating to these
    > > errors by time. ---- Steve
    > >  > >
    > >  > >
    > >  > > "Richard Smith"
    > > <RichardSmith@discussions.microsoft.com> wrote in
    > > message
    > >  > >
    > > news:9DC611AD-F31E-4F9B-9E71-DFBBE7F000D7@microsoft.com...
    > >   > > > Hello,
    > >   > > >
    > >   > > > I am seeing alot of these Security Event Log
    > > errors on my Windows 2000
    > >   > > > Server.
    > >   > > >
    > >   > > > Type: Audit Failure
    > >   > > > Source: Security
    > >   > > > Event ID: 534
    > >   > > > Event Time: <Date and Time>
    > >   > > > User: NT AUTHORITYSYSTEM
    > >   > > > Computer: <computername>
    > >   > > > Description:
    > >   > > > Logon Failure:
    > >   > > > Reason: The user has not been granted the
    > > requested
    > >   > > > logon type at this machine
    > >   > > > User Name:
    > >   > > > Domain:
    > >   > > > Logon Type: 3
    > >   > > > Logon Process: Kerberos
    > >   > > > Authentication Package: Kerberos
    > >   > > > Workstation Name: -
    > >   > > >
    > >   > > > The error seem to be saying that the SYSTEM
    > > account is trying to logon
    > > from
    > >   > > > the Network (logon type 3) and is failing.
    > > However I dont understand why
    > > the
    > >   > > > local System account would be accessing the
    > > server from the network!
    > > Doesnt
    > >   > > > make sense to me.
    > >   > > >
    > >   > > > Any light that could be shed on why Im
    > > getting these errors, would be a
    > > huge
    > >   > > > help.
    > >   > > >
    > >   > > > Many Thanks
    > >   > > >
    > >   > > > Richard
    > >  > >
    > >  > >
    > >  > >
    >
    > Thought I'd jump in here as I'm having the exact same problem Richard.
    > I know you would rather have someone with answers but perhaps I can
    > offer some insight.
    >
    > This error started occuring after we defined a domain security policy,
    > 'access this computer from the network'. This however broke access to
    > our web server. The domain policy is not addative I believe and it
    > took away the local member(web server), IUSR account access.
    > Apparently when you define a domain policy and there is no local
    > security policy, then you undefine the domain policy, it may still be
    > enforced.
    >
    > When you look at the local security policy the edit buttons are greyed
    > out so there is no way to specify these accounts or groups with the
    > local policy. I don't know how to get around this one. I was
    > thinking that rejoining the domain might work but as this is a web
    > server/exchange server I have not tried that yet.
    >
    > If you can find out what account/group to add into your policy for the
    > krbtgt account it might fix this.
    >
    > --
    > Posted using the http://www.windowsforumz.com interface, at author's
    > request
    > Articles individually checked for conformance to usenet standards
    > Topic URL:
    > http://www.windowsforumz.com/Security-Event-ID-534-ftopict268879.html
    > Visit Topic URL to contact author (reg. req'd). Report abuse:
    > http://www.windowsforumz.com/eform.php?p=1092197
Ask a new question

Read More

Security Event Id Windows