Audit Failures

Anonymous
March 28, 2005 8:17:01 AM

Archived from groups: microsoft.public.win2000.security

Can anyone tell me if they have seen this type of audit and what does it
mean? We just started auditing, but I am not sure what this is telling me.
This case seems very ambiguous. The other day there were the same entries
but they had user accounts that I know are fine. One of the accounts is mine
and two others that access our server via a VPN connection.

Thanks,


Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/27/2005
Time: 9:09:35 PM
User: NT AUTHORITY\SYSTEM
Computer: [SERVER_X]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: [SERVER_X]
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: [SERVER_X]

Anonymous
March 28, 2005 8:17:32 PM

This event occurs whenever the username & password combination fails.
Generally, you will see these in an organization when someone makes a
mistake typing their password. (though occasionally people misspell their
account). Excessive numbers should be investigated.

Since I don't know the details of your environment, it may be caused by
other events. Logon type 3 means the system was accessed via the network.
There are also several KBs that may apply to your situation.

Windows Server 2003 Events and Errors is our web site for more information.
http://www.microsoft.com/technet/support/ee/search.aspx...

For more information about that event see:
http://www.microsoft.com/technet/support/ee/result.aspx...

Michiko Short [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"EMcGrath@HCA_NOSPAM_Vendor.com"
<EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
> Can anyone tell me if they have seen this type of audit and what does it
> mean? We just started auditing, but I am not sure what this is telling
> me.
> This case seems very ambiguous. The other day there were the same
> entries
> but they had user accounts that I know are fine. One of the accounts is
> mine
> and two others that access our server via a VPN connection.
>
> Thanks,
>
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 529
> Date: 3/27/2005
> Time: 9:09:35 PM
> User: NT AUTHORITY\SYSTEM
> Computer: [SERVER_X]
> Description:
> Logon Failure:
> Reason: Unknown user name or bad password
> User Name: Administrator
> Domain: [SERVER_X]
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: [SERVER_X]
>
Anonymous
March 28, 2005 8:25:11 PM

There are many attempts, even from my account. I think it may have something
to do with our VPN. This is happening with users who are working in
workgroups in a remote office and who are tunneling into my network via a VPN
connection.

Does this spark any ideas?

Thanks,
Erin

"Michiko Short [MSFT]" wrote:

> This event occurs whenever the username & password combination fails.
> Generally, you will see these in an organization when someone makes a
> mistake typing their password. (though occasionally people misspell their
> account). Excessive numbers should be investigated.
>
> Since I don't know the details of your environment, it may be caused by
> other events. Logon type 3 means the system was accessed via the network.
> There are also several KBs that may apply to your situation.
>
> Windows Server 2003 Events and Errors is our web site for more information.
> http://www.microsoft.com/technet/support/ee/search.aspx...
>
> For more information about that event see:
> http://www.microsoft.com/technet/support/ee/result.aspx...
>
> Michiko Short [MSFT]
> --
> This posting is provided "AS IS" with no warranties, and confers no rights.
> Please do not send e-mail directly to this alias. This alias is for
> newsgroup purposes only.
>
> "EMcGrath@HCA_NOSPAM_Vendor.com"
> <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
> news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
> > Can anyone tell me if they have seen this type of audit and what does it
> > mean? We just started auditing, but I am not sure what this is telling
> > me.
> > This case seems very ambiguous. The other day there were the same
> > entries
> > but they had user accounts that I know are fine. One of the accounts is
> > mine
> > and two others that access our server via a VPN connection.
> >
> > Thanks,
> >
> >
> > Event Type: Failure Audit
> > Event Source: Security
> > Event Category: Logon/Logoff
> > Event ID: 529
> > Date: 3/27/2005
> > Time: 9:09:35 PM
> > User: NT AUTHORITY\SYSTEM
> > Computer: [SERVER_X]
> > Description:
> > Logon Failure:
> > Reason: Unknown user name or bad password
> > User Name: Administrator
> > Domain: [SERVER_X]
> > Logon Type: 3
> > Logon Process: NtLmSsp
> > Authentication Package: NTLM
> > Workstation Name: [SERVER_X]
> >
>
>
>
Anonymous
March 31, 2005 1:29:35 PM

Sorry, not really a VPN expert.

However, a couple of questions. You do recognize the Workstation Names,
correct? They should be systems in your remote office. So each of these
events should have a valid combination of Username, Workstation Name, and
Domain. It sounds like even though you have several logon failure events,
you do have successful logons as well.

Your VPN server and DCs are current on patches and service packs?

As far as VPN goes, I would try to repost with a new subject asking for
assistance with VPN configuration. That should attract the attention of the
VPN experts. Good luck.

--
Michiko Short [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"EMcGrath@HCA_NOSPAM_Vendor.com"
<EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
news:104267FB-A6D5-47CB-BC39-AEFA30E64224@microsoft.com...
> There are many attempts, even from my account. I think it may have
> something
> to do with our VPN. This is happening with users who are working in
> workgroups in a remote office and who are tunneling into my network via a
> VPN
> connection.
>
> Does this spark any ideas?
>
> Thanks,
> Erin
>
> "Michiko Short [MSFT]" wrote:
>
>> This event occurs whenever the username & password combination fails.
>> Generally, you will see these in an organization when someone makes a
>> mistake typing their password. (though occasionally people misspell their
>> account). Excessive numbers should be investigated.
>>
>> Since I don't know the details of your environment, it may be caused by
>> other events. Logon type 3 means the system was accessed via the network.
>> There are also several KBs that may apply to your situation.
>>
>> Windows Server 2003 Events and Errors is our web site for more
>> information.
>> http://www.microsoft.com/technet/support/ee/search.aspx...
>>
>> For more information about that event see:
>> http://www.microsoft.com/technet/support/ee/result.aspx...
>>
>> Michiko Short [MSFT]
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Please do not send e-mail directly to this alias. This alias is for
>> newsgroup purposes only.
>>
>> "EMcGrath@HCA_NOSPAM_Vendor.com"
>> <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
>> news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
>> > Can anyone tell me if they have seen this type of audit and what does
>> > it
>> > mean? We just started auditing, but I am not sure what this is telling
>> > me.
>> > This case seems very ambiguous. The other day there were the same
>> > entries
>> > but they had user accounts that I know are fine. One of the accounts
>> > is
>> > mine
>> > and two others that access our server via a VPN connection.
>> >
>> > Thanks,
>> >
>> >
>> > Event Type: Failure Audit
>> > Event Source: Security
>> > Event Category: Logon/Logoff
>> > Event ID: 529
>> > Date: 3/27/2005
>> > Time: 9:09:35 PM
>> > User: NT AUTHORITY\SYSTEM
>> > Computer: [SERVER_X]
>> > Description:
>> > Logon Failure:
>> > Reason: Unknown user name or bad password
>> > User Name: Administrator
>> > Domain: [SERVER_X]
>> > Logon Type: 3
>> > Logon Process: NtLmSsp
>> > Authentication Package: NTLM
>> > Workstation Name: [SERVER_X]
>> >
>>
>>
>>
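
Added example (not part of the original thread and not Microsoft's code): a small parser for a text export of Event ID 529 records in the layout quoted above, tallying Logon Type 3 failures per User Name / Domain / Workstation Name and flagging combinations that are excessive or come from a workstation you do not recognize. The threshold of 5, the known-workstation set and the sample account and workstation names are assumptions made for illustration.

```python
import re
from collections import Counter

FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*)$")

def parse_events(text):
    """Split a text export of the Security log into one field dict per event."""
    events = []
    for block in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in block.splitlines():
            m = FIELD.match(line)
            if m and m.group(2):          # skip bare headers like "Description:"
                fields[m.group(1).strip()] = m.group(2).strip()
        if fields:
            events.append(fields)
    return events

def failed_network_logons(events):
    """Count Event ID 529 / Logon Type 3 failures per (user, domain, workstation)."""
    counts = Counter()
    for e in events:
        if e.get("Event ID") == "529" and e.get("Logon Type") == "3":
            counts[(e.get("User Name"), e.get("Domain"), e.get("Workstation Name"))] += 1
    return counts

def review(counts, known_workstations, threshold):
    """Return combinations that are excessive or name an unrecognized workstation."""
    findings = {}
    for (user, domain, ws), n in counts.items():
        checks = (("excessive", n >= threshold),
                  ("unknown workstation", ws not in known_workstations))
        reasons = [label for label, hit in checks if hit]
        if reasons:
            findings[(user, domain, ws)] = (n, reasons)
    return findings

def make_record(user, domain, ws, logon_type="3"):
    return ("Event Type: Failure Audit\nEvent Source: Security\nEvent ID: 529\n"
            "Time: 9:09:35 PM\nDescription:\nLogon Failure:\n"
            f" Reason: Unknown user name or bad password\n User Name: {user}\n"
            f" Domain: {domain}\n Logon Type: {logon_type}\n Workstation Name: {ws}\n\n")

# Constructed sample export; account and workstation names are placeholders.
SAMPLE = (make_record("Administrator", "SERVER_X", "SERVER_X") * 5
          + make_record("vpnuser1", "REMOTE1", "REMOTE-PC1") * 2
          + make_record("vpnuser2", "WORKGROUP", "UNKNOWN-PC")
          + make_record("vpnuser1", "REMOTE1", "REMOTE-PC1", logon_type="2"))

if __name__ == "__main__":
    print(review(failed_network_logons(parse_events(SAMPLE)), {"SERVER_X", "REMOTE-PC1"}, 5))
```
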
Anonymous
April 1, 2005 1:52:48 AM

Are any users reporting being unable to access the network from the VPN?
You may also find logon events for remote access users in the system log in
the remote access server. --- Steve


"EMcGrath@HCA_NOSPAM_Vendor.com"
<EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
news:104267FB-A6D5-47CB-BC39-AEFA30E64224@microsoft.com...
> There are many attempts, even from my account. I think it may have
> something
> to do with our VPN. This is happening with users who are working in
> workgroups in a remote office and who are tunneling into my network via a
> VPN
> connection.
>
> Does this spark any ideas?
>
> Thanks,
> Erin
>
> "Michiko Short [MSFT]" wrote:
>
>> This event occurs whenever the username & password combination fails.
>> Generally, you will see these in an organization when someone makes a
>> mistake typing their password. (though occasionally people misspell their
>> account). Excessive numbers should be investigated.
>>
>> Since I don't know the details of your environment, it may be caused by
>> other events. Logon type 3 means the system was accessed via the network.
>> There are also several KBs that may apply to your situation.
>>
>> Windows Server 2003 Events and Errors is our web site for more
>> information.
>> http://www.microsoft.com/technet/support/ee/search.aspx...
>>
>> For more information about that event see:
>> http://www.microsoft.com/technet/support/ee/result.aspx...
>>
>> Michiko Short [MSFT]
>> --
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>> Please do not send e-mail directly to this alias. This alias is for
>> newsgroup purposes only.
>>
>> "EMcGrath@HCA_NOSPAM_Vendor.com"
>> <EMcGrathHCANOSPAMVendorcom@discussions.microsoft.com> wrote in message
>> news:B7A0456C-DDBE-47CB-93F1-687B67CFA814@microsoft.com...
>> > Can anyone tell me if they have seen this type of audit and what does
>> > it
>> > mean? We just started auditing, but I am not sure what this is telling
>> > me.
>> > This case seems very ambiguous. The other day there were the same
>> > entries
>> > but they had user accounts that I know are fine. One of the accounts
>> > is
>> > mine
>> > and two others that access our server via a VPN connection.
>> >
>> > Thanks,
>> >
>> >
>> > Event Type: Failure Audit
>> > Event Source: Security
>> > Event Category: Logon/Logoff
>> > Event ID: 529
>> > Date: 3/27/2005
>> > Time: 9:09:35 PM
>> > User: NT AUTHORITY\SYSTEM
>> > Computer: [SERVER_X]
>> > Description:
>> > Logon Failure:
>> > Reason: Unknown user name or bad password
>> > User Name: Administrator
>> > Domain: [SERVER_X]
>> > Logon Type: 3
>> > Logon Process: NtLmSsp
>> > Authentication Package: NTLM
>> > Workstation Name: [SERVER_X]
>> >
>>
>>
>>