Audit Failures

Archived from groups: microsoft.public.win2000.security (More info?)

This event occurs whenever the username & password combination fails.
Generally, you will see these in an organization when someone makes a
mistake typing their password. (though occasionally people misspell their
account). Excessive numbers should be investigated.

Since I don't know the details of your environment, it may be caused by
other events. Logon type 3 is accessed system via network. There are also
several KBs that may apply to your situation.

Windows Server 2003 Events and Errors is our web site for more information.
http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033

For more information about that event see:
http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0

Michiko Short [MSFT}
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"EMcGrath@HCA_NOSPAM_Vendor.com"
<EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
> Can anyone tell me if they have seen this type of audit and what does it
> mean? We just started auditing, but I am not sure what this is telling
> me.
> This case seems very ambiguious. The other day there were the same
> entries
> but they had user accounts that I know are fine. One of the accounts is
> mine
> and two others that access our server via a VPN connection.
>
> Thanks,
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 3/27/2005
> Time: 9:09:35 PM
> User: NT AUTHORITY\SYSTEM
> Computer: [SERVER_X]
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: [SERVER_X]
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: [SERVER_X]
>

Archived from groups: microsoft.public.win2000.security (More info?)

There are many attempts, even from my account. I think is may have something
to do with our VPN. This is happening with users who are working in
workgroups in a remote office and who are tunneling into my network via a VPN
connection.

Does this spark any ideas?

Thanks,
Erin

"Michiko Short [MSFT]" wrote:

> This event occurs whenever the username & password combination fails.
> Generally, you will see these in an organization when someone makes a
> mistake typing their password. (though occasionally people misspell their
> account). Excessive numbers should be investigated.
>
> Since I don't know the details of your environment, it may be caused by
> other events. Logon type 3 is accessed system via network. There are also
> several KBs that may apply to your situation.
>
> Windows Server 2003 Events and Errors is our web site for more information.
> http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033
>
> For more information about that event see:
> http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0
>
> Michiko Short [MSFT}
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send e-mail directly to this alias. This alias is for
> newsgroup purposes only.
>
> "EMcGrath@HCA_NOSPAM_Vendor.com"
> <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
> news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
> > Can anyone tell me if they have seen this type of audit and what does it
> > mean? We just started auditing, but I am not sure what this is telling
> > me.
> > This case seems very ambiguious. The other day there were the same
> > entries
> > but they had user accounts that I know are fine. One of the accounts is
> > mine
> > and two others that access our server via a VPN connection.
> >
> > Thanks,
> >
> >
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 529
> > Date: 3/27/2005
> > Time: 9:09:35 PM
> > User: NT AUTHORITY\SYSTEM
> > Computer: [SERVER_X]
> > Description:
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name: Administrator
> > Domain: [SERVER_X]
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: [SERVER_X]
> >
>
>
>

Archived from groups: microsoft.public.win2000.security (More info?)

Sorry, not really a VPN expert.

However, a couple of questions. You do recognize the Workstation Names
correct? They should be systems on your remote office. So each of these
events should have a valid combination of Username, Workstation Name, and
Domain. It sounds like even though you have several logon failure events,
you do have successful logons as well.

Your VPN server and DCs are current on patches and service packs?

As far as VPN goes, I would try to repost with a new subject asking for
assistance with VPN configuration. That should attract the attention of the
VPN experts. Good luck.

--
Michiko Short [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"EMcGrath@HCA_NOSPAM_Vendor.com"
<EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
news:104267FB-A6D5-47CB-BC39-AEFA30E64224@microsoft.com...
> There are many attempts, even from my account. I think is may have
> something
> to do with our VPN. This is happening with users who are working in
> workgroups in a remote office and who are tunneling into my network via a
> VPN
> connection.
>
> Does this spark any ideas?
>
> Thanks,
> Erin
>
> "Michiko Short [MSFT]" wrote:
>
>> This event occurs whenever the username & password combination fails.
>> Generally, you will see these in an organization when someone makes a
>> mistake typing their password. (though occasionally people misspell their
>> account). Excessive numbers should be investigated.
>>
>> Since I don't know the details of your environment, it may be caused by
>> other events. Logon type 3 is accessed system via network. There are also
>> several KBs that may apply to your situation.
>>
>> Windows Server 2003 Events and Errors is our web site for more
>> information.
>> http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033
>>
>> For more information about that event see:
>> http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0
>>
>> Michiko Short [MSFT}
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Please do not send e-mail directly to this alias. This alias is for
>> newsgroup purposes only.
>>
>> "EMcGrath@HCA_NOSPAM_Vendor.com"
>> <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
>> news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
>> > Can anyone tell me if they have seen this type of audit and what does
>> > it
>> > mean? We just started auditing, but I am not sure what this is telling
>> > me.
>> > This case seems very ambiguious. The other day there were the same
>> > entries
>> > but they had user accounts that I know are fine. One of the accounts
>> > is
>> > mine
>> > and two others that access our server via a VPN connection.
>> >
>> > Thanks,
>> >
>> >
>> > Event Type: Failure Audit
>> > Event Source: Security
>> > Event Category: Logon/Logoff
>> > Event ID: 529
>> > Date: 3/27/2005
>> > Time: 9:09:35 PM
>> > User: NT AUTHORITY\SYSTEM
>> > Computer: [SERVER_X]
>> > Description:
>> > Logon Failure:
>> > Reason: Unknown user name or bad password
>> > User Name: Administrator
>> > Domain: [SERVER_X]
>> > Logon Type: 3
>> > Logon Process: NtLmSsp
>> > Authentication Package: NTLM
>> > Workstation Name: [SERVER_X]
>> >
>>
>>
>>

Archived from groups: microsoft.public.win2000.security (More info?)

Are any users reporting being unable to access the network from the VPN??
You may also find logon events for remote access users in the system log in
the remote access server. --- Steve


"EMcGrath@HCA_NOSPAM_Vendor.com"
<EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
news:104267FB-A6D5-47CB-BC39-AEFA30E64224@microsoft.com...
> There are many attempts, even from my account. I think is may have
> something
> to do with our VPN. This is happening with users who are working in
> workgroups in a remote office and who are tunneling into my network via a
> VPN
> connection.
>
> Does this spark any ideas?
>
> Thanks,
> Erin
>
> "Michiko Short [MSFT]" wrote:
>
>> This event occurs whenever the username & password combination fails.
>> Generally, you will see these in an organization when someone makes a
>> mistake typing their password. (though occasionally people misspell their
>> account). Excessive numbers should be investigated.
>>
>> Since I don't know the details of your environment, it may be caused by
>> other events. Logon type 3 is accessed system via network. There are also
>> several KBs that may apply to your situation.
>>
>> Windows Server 2003 Events and Errors is our web site for more
>> information.
>> http://www.microsoft.com/technet/support/ee/search.aspx?DisplayName=Windows%20Server%202003&ProdName=Windows%20Operating%20System&MajorMinor=5.2&LCID=1033
>>
>> For more information about that event see:
>> http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=529&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0
>>
>> Michiko Short [MSFT}
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Please do not send e-mail directly to this alias. This alias is for
>> newsgroup purposes only.
>>
>> "EMcGrath@HCA_NOSPAM_Vendor.com"
>> <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
>> news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
>> > Can anyone tell me if they have seen this type of audit and what does
>> > it
>> > mean? We just started auditing, but I am not sure what this is telling
>> > me.
>> > This case seems very ambiguious. The other day there were the same
>> > entries
>> > but they had user accounts that I know are fine. One of the accounts
>> > is
>> > mine
>> > and two others that access our server via a VPN connection.
>> >
>> > Thanks,
>> >
>> >
>> > Event Type: Failure Audit
>> > Event Source: Security
>> > Event Category: Logon/Logoff
>> > Event ID: 529
>> > Date: 3/27/2005
>> > Time: 9:09:35 PM
>> > User: NT AUTHORITY\SYSTEM
>> > Computer: [SERVER_X]
>> > Description:
>> > Logon Failure:
>> > Reason: Unknown user name or bad password
>> > User Name: Administrator
>> > Domain: [SERVER_X]
>> > Logon Type: 3
>> > Logon Process: NtLmSsp
>> > Authentication Package: NTLM
>> > Workstation Name: [SERVER_X]
>> >
>>
>>
>>