event id 529 logon type 3 - lots of them

Archived from groups: microsoft.public.win2000.security (More info?)

I saw a ton of these, all early this morning, during a short period of time,
before most users are even in the office.


is there any way I can find out where this is coming from? what
workstation or if it is over the internet?


Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date: 4/26/2005

Time: 6:44:06 AM

User: NT AUTHORITY\SYSTEM

Computer: myserver

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name: connect

Domain:

Logon Type: 3

Logon Process: Advapi

Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name: myserver
1 answer Last reply
More about event logon type lots them
  1. Archived from groups: microsoft.public.win2000.security (More info?)

    What server applications were running on this server - IIS, Exchange,?? From
    what you describe it probably was from an external source and if your
    firewall logs network traffic you may want to see if you see a lot of
    activity from a particular IP address at the times that these failed logon
    events were recorded. If you have auditing of account logon events enabled
    in Domain Controller Security policy you would want to check the security
    logs of the domain controllers to see if there are any failure for account
    logon events at the same times that may give more information including
    computer name. I have seen other posts with similar behavior and when
    Logon Process: Advapi was show it was often an Exchange server. Be sure
    to check your firewall for proper configuration and you can go to a self
    scan site such as http://scan.sygatetech.com/ to see if your firewall
    security configuration looks to be what is expected.--- Steve


    "Gary Massengale" <garym_jnospam@hotmail.com> wrote in message
    news:%23IZ47XoSFHA.3544@TK2MSFTNGP10.phx.gbl...
    >I saw a ton of these, all early this morning, during a short period of
    >time, before most users are even in the office.
    >
    >
    >
    > is there any way I can find out where this is coming from? what
    > workstation or if it is over the internet?
    >
    >
    >
    >
    >
    >
    >
    >
    >
    > Event Type: Failure Audit
    >
    > Event Source: Security
    >
    > Event Category: Logon/Logoff
    >
    > Event ID: 529
    >
    > Date: 4/26/2005
    >
    > Time: 6:44:06 AM
    >
    > User: NT AUTHORITY\SYSTEM
    >
    > Computer: myserver
    >
    > Description:
    >
    > Logon Failure:
    >
    > Reason: Unknown user name or bad password
    >
    > User Name: connect
    >
    > Domain:
    >
    > Logon Type: 3
    >
    > Logon Process: Advapi
    >
    > Authentication Package:
    > MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    >
    > Workstation Name: myserver
    >
    >
Ask a new question

Read More

Event Id Windows