Security Event ID 534

Guest

Hello,

I am seeing a lot of these Security Event Log errors on my Windows 2000
Server.

Type: Audit Failure
Source: Security
Event ID: 534
Event Time: <Date and Time>
User: NT AUTHORITY\SYSTEM
Computer: <computername>
Description:
Logon Failure:
Reason: The user has not been granted the requested
logon type at this machine
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -

The error seems to be saying that the SYSTEM account is trying to log on from
the Network (logon type 3) and is failing. However I don't understand why the
local System account would be accessing the server from the network! Doesn't
make sense to me.

Any light that could be shed on why I'm getting these errors would be a huge
help.

Many Thanks

Richard
 
Steven Umbach

I am not sure exactly what is going on but the reason would be a lack of
privilege for the user right "access this computer from the network". You can
open Local Security Policy and go to security settings/local policies/user
rights and check for that user right and for "deny access to this computer from
the network", which will override any allow settings, to make sure it is correct.
Normally at least users and administrators have the user right to access this
computer from the network. Check the application and system logs to see if there
are any other possible events correlating to these errors by time. ---- Steve
 
Guest

Steven, thanks for the reply...

I have checked the "deny access from the network" local policy and there is
nothing specified. Also there are no corresponding events in the app and
system logs.

I'm still stumped...
 
Steven Umbach

Hmm. Is anybody being denied access to the computer or is anything else failing
or not working right?? How often are these events showing up?? Is this a domain
controller? Try enabling auditing of privilege use and object access for failure
only to see if anything else is being recorded for those audit categories at the
same time that may provide a clue. There was a problem with Event 534 on XP Pro
computers, but have not heard about the same problem for Windows 2000. --- Steve

http://support.microsoft.com/?kbid=841399
 
zmurof

Thought I’d jump in here as I’m having the exact same problem Richard.
I know you would rather have someone with answers but perhaps I can
offer some insight.

This error started occurring after we defined a domain security policy,
"access this computer from the network". This however broke access to
our web server. The domain policy is not additive I believe and it
took away the local member (web server), IUSR account access.
Apparently when you define a domain policy and there is no local
security policy, then you undefine the domain policy, it may still be
enforced.

When you look at the local security policy the edit buttons are greyed
out so there is no way to specify these accounts or groups with the
local policy. I don’t know how to get around this one. I was
thinking that rejoining the domain might work but as this is a web
server/exchange server I have not tried that yet.

If you can find out what account/group to add into your policy for the
krbtgt account it might fix this.
 
Steven L Umbach

When you "undefine" security options they often maintain the last defined
setting. Undefined in such case often means "no change". The grayed out
settings mean that security settings are being applied at a higher priority
level. Group/security policy is applied in this order where the last applied
setting applies in a normal configuration - local>site>domain>OU>child OU.
What you could do is create an OU for your server with its own Group
Policy, assign the necessary user rights in that Group Policy and then move
the server account into that OU. The OU could be a child OU to the domain
container or another OU so that you could maintain all current
Group/security policy with the exception of what is defined in the child OU
for your server. Note however if "no override" is configured on the Group
Policy that is applying the user rights to your server a child OU will not
work but that is not a usual configuration. The support tool gpresult can
help in determining what computer configuration policies are being applied
to your server. --- Steve
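
The precedence rules described in the reply above (local > site > domain > OU > child OU, last applied setting wins, "no override" blocks a child OU), as an added example that is not part of the original thread: a small Python model of how one user right resolves. The account names (including `IUSR_WEB01`) and policy layers are constructed, matching is by exact name with no group expansion, and the `last_applied` parameter models the thread's description of undefined settings keeping their last defined value.

```python
# Added example: model of Group Policy precedence for a single user right.
# All account names and policy layers here are constructed sample data.
from dataclasses import dataclass
from typing import List, Optional, Tuple

ORDER = ["local", "site", "domain", "ou", "child_ou"]  # applied first -> last

@dataclass
class Layer:
    level: str                      # one of ORDER
    accounts: Optional[List[str]]   # None models "Not defined" (no change)
    no_override: bool = False       # "No Override" set on this policy

def effective_right(layers, last_applied=None) -> Tuple[Optional[List[str]], str]:
    """Resolve who holds a right such as 'Access this computer from the network'."""
    accounts, source, locked = last_applied, "last-applied", False
    for layer in sorted(layers, key=lambda l: ORDER.index(l.level)):
        if layer.accounts is None or locked:
            continue  # undefined layers change nothing; No Override blocks lower ones
        accounts, source = list(layer.accounts), layer.level  # replaced, not merged
        locked = layer.no_override
    return accounts, source

def missing(required, layers, last_applied=None):
    """Accounts that need the right but do not end up with it (exact-name match)."""
    accounts, _ = effective_right(layers, last_applied)
    return [a for a in required if a not in (accounts or [])]

LOCAL = Layer("local", ["Administrators", "Users", "IUSR_WEB01"])
DOMAIN = Layer("domain", ["Administrators", "Users"])
SERVER_OU = Layer("child_ou", ["Administrators", "Users", "IUSR_WEB01"])

if __name__ == "__main__":
    cases = {
        "domain policy defined": [LOCAL, DOMAIN],
        "server moved to its own OU": [LOCAL, DOMAIN, SERVER_OU],
        "domain policy set to No Override": [
            LOCAL, Layer("domain", DOMAIN.accounts, no_override=True), SERVER_OU],
    }
    for name, layers in cases.items():
        accounts, source = effective_right(layers)
        print(f"{name}: from {source}: {accounts}; "
              f"missing: {missing(['IUSR_WEB01'], layers)}")
```
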
 
