Audit Failures

Guest · Mar 28, 2005

Can anyone tell me if they have seen this type of audit and what does it
mean? We just started auditing, but I am not sure what this is telling me.
This case seems very ambiguious. The other day there were the same entries
but they had user accounts that I know are fine. One of the accounts is mine
and two others that access our server via a VPN connection.

Thanks,

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/27/2005
Time: 9:09:35 PM
User: NT AUTHORITY\SYSTEM
Computer: [SERVER_X]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: [SERVER_X]
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: [SERVER_X]

Michiko Short [MSFT] · Mar 29, 2005

This event occurs whenever the username & password combination fails.
Generally, you will see these in an organization when someone makes a
mistake typing their password. (though occasionally people misspell their
account). Excessive numbers should be investigated.

Since I don't know the details of your environment, it may be caused by
other events. Logon type 3 is accessed system via network. There are also
several KBs that may apply to your situation.

Windows Server 2003 Events and Errors is our web site for more information.
http://www.microsoft.com/technet/su...ows Operating System&MajorMinor=5.2&LCID=1033

For more information about that event see:
http://www.microsoft.com/technet/su...indows+Operating+System&LCID=1033&ProdVer=5.0

Michiko Short [MSFT}
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"EMcGrath@HCA_NOSPAM_Vendor.com"

Guest · Mar 29, 2005

There are many attempts, even from my account. I think is may have something
to do with our VPN. This is happening with users who are working in
workgroups in a remote office and who are tunneling into my network via a VPN
connection.

Does this spark any ideas?

Thanks,
Erin

Michiko Short said:
This event occurs whenever the username & password combination fails.
Generally, you will see these in an organization when someone makes a
mistake typing their password. (though occasionally people misspell their
account). Excessive numbers should be investigated.

Since I don't know the details of your environment, it may be caused by
other events. Logon type 3 is accessed system via network. There are also
several KBs that may apply to your situation.

Windows Server 2003 Events and Errors is our web site for more information.
http://www.microsoft.com/technet/su...ows Operating System&MajorMinor=5.2&LCID=1033

For more information about that event see:
http://www.microsoft.com/technet/su...indows+Operating+System&LCID=1033&ProdVer=5.0

Michiko Short [MSFT}
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"EMcGrath@HCA_NOSPAM_Vendor.com"

Can anyone tell me if they have seen this type of audit and what does it
mean? We just started auditing, but I am not sure what this is telling
me.
This case seems very ambiguious. The other day there were the same
entries
but they had user accounts that I know are fine. One of the accounts is
mine
and two others that access our server via a VPN connection.

Thanks,

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/27/2005
Time: 9:09:35 PM
User: NT AUTHORITY\SYSTEM
Computer: [SERVER_X]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: [SERVER_X]
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: [SERVER_X]

Click to expand...

Michiko Short [MSFT] · Mar 31, 2005

Sorry, not really a VPN expert.

However, a couple of questions. You do recognize the Workstation Names
correct? They should be systems on your remote office. So each of these
events should have a valid combination of Username, Workstation Name, and
Domain. It sounds like even though you have several logon failure events,
you do have successful logons as well.

Your VPN server and DCs are current on patches and service packs?

As far as VPN goes, I would try to repost with a new subject asking for
assistance with VPN configuration. That should attract the attention of the
VPN experts. Good luck.

--
Michiko Short [MSFT]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"EMcGrath@HCA_NOSPAM_Vendor.com"

Michiko Short said:
There are many attempts, even from my account. I think is may have
something
to do with our VPN. This is happening with users who are working in
workgroups in a remote office and who are tunneling into my network via a
VPN
connection.

Does this spark any ideas?

Thanks,
Erin

Michiko Short said:

This event occurs whenever the username & password combination fails.
Generally, you will see these in an organization when someone makes a
mistake typing their password. (though occasionally people misspell their
account). Excessive numbers should be investigated.

Since I don't know the details of your environment, it may be caused by
other events. Logon type 3 is accessed system via network. There are also
several KBs that may apply to your situation.

Windows Server 2003 Events and Errors is our web site for more
information.
http://www.microsoft.com/technet/su...ows Operating System&MajorMinor=5.2&LCID=1033

For more information about that event see:
http://www.microsoft.com/technet/su...indows+Operating+System&LCID=1033&ProdVer=5.0

Michiko Short [MSFT}
--
This posting is provided "AS IS" with no warranties, and confers no
rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"EMcGrath@HCA_NOSPAM_Vendor.com"

Can anyone tell me if they have seen this type of audit and what does
it
mean? We just started auditing, but I am not sure what this is telling
me.
This case seems very ambiguious. The other day there were the same
entries
but they had user accounts that I know are fine. One of the accounts
is
mine
and two others that access our server via a VPN connection.

Thanks,

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/27/2005
Time: 9:09:35 PM
User: NT AUTHORITY\SYSTEM
Computer: [SERVER_X]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: [SERVER_X]
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: [SERVER_X]

Click to expand...

Click to expand...

Steven L Umbach · Apr 1, 2005

Are any users reporting being unable to access the network from the VPN??
You may also find logon events for remote access users in the system log in
the remote access server. --- Steve

"EMcGrath@HCA_NOSPAM_Vendor.com"

Michiko Short said:
There are many attempts, even from my account. I think is may have
something
to do with our VPN. This is happening with users who are working in
workgroups in a remote office and who are tunneling into my network via a
VPN
connection.

Does this spark any ideas?

Thanks,
Erin

Michiko Short said:

This event occurs whenever the username & password combination fails.
Generally, you will see these in an organization when someone makes a
mistake typing their password. (though occasionally people misspell their
account). Excessive numbers should be investigated.

Since I don't know the details of your environment, it may be caused by
other events. Logon type 3 is accessed system via network. There are also
several KBs that may apply to your situation.

Windows Server 2003 Events and Errors is our web site for more
information.
http://www.microsoft.com/technet/su...ows Operating System&MajorMinor=5.2&LCID=1033

For more information about that event see:
http://www.microsoft.com/technet/su...indows+Operating+System&LCID=1033&ProdVer=5.0

Michiko Short [MSFT}
--
This posting is provided "AS IS" with no warranties, and confers no
rights.
Please do not send e-mail directly to this alias. This alias is for
newsgroup purposes only.

"EMcGrath@HCA_NOSPAM_Vendor.com"

Can anyone tell me if they have seen this type of audit and what does
it
mean? We just started auditing, but I am not sure what this is telling
me.
This case seems very ambiguious. The other day there were the same
entries
but they had user accounts that I know are fine. One of the accounts
is
mine
and two others that access our server via a VPN connection.

Thanks,

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/27/2005
Time: 9:09:35 PM
User: NT AUTHORITY\SYSTEM
Computer: [SERVER_X]
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: [SERVER_X]
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: [SERVER_X]

Click to expand...

Click to expand...

Password checking is running-please help	3	Apr 14, 2006
Unexplained 540 Events in Security log on W2K workstation in a dom	0	Oct 13, 2009
event id 675, 681, 529 every 2, 2.5 minutes	2	Dec 2, 2003
680 & 529 Failure Audits	1	Sep 10, 2004
Logon Process contains garbled characters	6	May 3, 2006
537 errors due to manual services being started	0	Jun 11, 2009
Event Viewer - Security - Reports "Failure Audit"	2	Jul 2, 2008
event id 529 logon type 3 - lots of them	1	Apr 26, 2005

Audit Failures

Guest

Michiko Short [MSFT]

Guest

Michiko Short [MSFT]

Steven L Umbach

Ask a Question

Similar Threads