Re: Weird 529 Errors in Security Log

Hello Bill,

Thank you for your kind update.

I was just writing to say that I hope everything is going well.

Please do not hesitate to let me know if this problem reoccurs or if
there's anything else I can do for you.

Thank you and have a nice day,

Best regards,

Terence Liu(MSFT)

Microsoft CSS Online Newsgroup Support

Get Secure! - www.microsoft.com/security

=====================================================
This newsgroup only focuses on SBS technical issues. If you have issues
regarding other Microsoft products, you'd better post in the corresponding
newsgroups so that they can be resolved in an efficient and timely manner.
You can locate the newsgroup here:
http://www.microsoft.com/communities/newsgroups/en-us/default.aspx

When opening a new thread via the web interface, we recommend you check the
"Notify me of replies" box to receive e-mail notifications when there are
any updates in your thread. When responding to posts via your newsreader,
please "Reply to Group" so that others may learn and benefit from your
issue.

Microsoft engineers can only focus on one issue per thread. Although we
provide other information for your reference, we recommend you post
different incidents in different threads to keep the thread clean. In doing
so, it will ensure your issues are resolved in a timely manner.

For urgent issues, you may want to contact Microsoft CSS directly. Please
check http://support.microsoft.com for regional support phone numbers.

Any input or comments in this thread are highly appreciated.
=====================================================

This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
| From: "Bill Glidden" <billyg1943@xxxxxxxxxxx>
| References: <#fZ4OambHHA.1240@xxxxxxxxxxxxxxxxxxxx>
<Nte6Jt2bHHA.928@xxxxxxxxxxxxxxxxxxxxxx>
| Subject: Re: Weird 529 Errors in Security Log
| Date: Thu, 29 Mar 2007 09:19:14 +1000
| Lines: 199
| X-Priority: 3
| X-MSMail-Priority: Normal
| X-Newsreader: Microsoft Outlook Express 6.00.2900.3028
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
| X-RFC2646: Format=Flowed; Original
| Message-ID: <ejBxD#YcHHA.3632@xxxxxxxxxxxxxxxxxxxx>
| Newsgroups: microsoft.public.windows.server.sbs
| NNTP-Posting-Host: 203-206-187-213.perm.iinet.net.au 203.206.187.213
| Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP02.phx.gbl
| Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:26228
| X-Tomcat-NG: microsoft.public.windows.server.sbs
|
| Hi Terence,
|
| Thank you for responding.
|
| All my XP Pro PCs are already at SP2. My SBS 2003 server is at SP1 and I
am
| not going to go to SP2 until well known issues are resolved!
|
| I have just applied NETDOM RESETPWD and will reboot soon. I will check
the
| event log tomorrow and see whether this was the issue. If not, I will
press
| on with your other suggestions.
|
| Cheers,
| Bill Glidden
|
| "Terence Liu [MSFT]" <v-terliu@xxxxxxxxxxxxxxxxxxxx> wrote in message
| news:Nte6Jt2bHHA.928@xxxxxxxxxxxxxxxxxxxxxxxxx
| > Hello Bill,
| >
| > Thank you for posting here.
| >
| > According to your description, I understand that you get many event logs
| > 529 from one workstation. If I have misunderstood the problem, please
| > don't
| > hesitate to let me know.
| >
| > Based on my research, I suggest we try the following steps to see if we
| > can
| > resolve this issue:
| >
| > 1: Install latest service pack for workstation and SBS server:
| >
| > How to obtain the latest Windows XP service pack
| > http://support.microsoft.com/?id=322389
| >
| > How to obtain the latest service pack for Windows Server 2003
| > http://support.microsoft.com/?id=889100
| >
| > 2. There are several running processes on the SBS server that will
attempt
| > to connect using the machine account.
| > One of the most active is the Microsoft Exchange Routing Engine.
| >
| > This behavior can happen when the machine password is not properly sync.
| >
| > In order to reset the machine account password of a domain controller
use:
| >
| > NETDOM RESETPWD /Server:ServerName /UsedD:Administrator /PasswordD:*
| >
| > The syntax of this command is:
| > NETDOM RESETPWD /Server:domain-controller /UserD:user
/PasswordD:[password
| > | *]
| >
| > NETDOM RESETPWD Resets the machine account password for the domain
| > controller
| > on which this command is run. Currently there is no support for
resetting
| > the machine password of a remote machine or a member server. All
| > parameters
| > must be specified.
| >
| > /Server Name of a specific domain controller that should have
its
| > machine account password reset.
| >
| > /UserD User account used to make the connection with the domain
| > controller specified by the /Server argument.
| >
| > /PasswordD Password of the user account specified with /UserD. A *
| > means
| > to prompt for the password
| >
| > After completing the command, reboot the server.
| >
| > 3. As I know, some 3rd-party software will refer to this issue if they
| > trying to use invalid credentials to log on to IIS. I suggest we try to
do
| > clean boot to narrow down it:
| >
| > To clean boot the server, please use the steps below:
| > a. Click Start, click Run, and then in the Open box, type "MSCONFIG"
| > (without the quotation marks). Click OK.
| >
| > b. In the System Configuration Utility (MSConfig) window, click to
select
| > the Selective Startup button.
| >
| > c. Click to clear the check mark from the "Load startup items" below
| > Selective Startup.
| >
| > d. Click the Services tab, click to check the "Hide All Microsoft
| > Services"
| > box, and remove all the check marks from the remained Non-Microsoft
| > Services. Please note that the Exchange services could be marked as
| > non-Microsoft. Please do not disable those services.
| >
| > e. Click OK to close the MSConfig window. Click Yes when you are asked
to
| > restart your computer in order to enable the changes.
| >
| > f. After restarting, please check whether this issue will reoccur.
| >
| > 4. Scan virus on the SBS and all workstations. Please use the anti-virus
| > software to perform full scan on the internal network. There is an
online
| > virus scan link below:
| >
| > <http://housecall.trendmicro.com/>
| >
| > 5. Implement Strong password policies. Open ''Server Management
console'',
| > navigate to Users snap-in. In the right panel, click ''Configure
Password
| > Policies''. Enable the password policies.
| >
| > For more information:
| >
<http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies
| > /security/bpactlck.mspx>
| >
| > 6. Monitor the internal users to see if anyone is testing the admin
| > accounts.
| >
| > 7. Check in Scheduled Tasks and see if there are any tasks running as
the
| > administrator account, if there are, make sure the password is
configured
| > properly.
| >
| > If the issue persists, please kindly help me collect some information
for
| > further investigation:
| >
| > Save the application event log and system event log as evt files on the
| > problematic machines and send to my mailbox: v-terliu@xxxxxxxxxxxxx
| >
| > Hope these steps will give you some help.
| >
| > Thanks and have a nice day!
| >
| > Best regards,
| >
| > Terence Liu(MSFT)
| >
| > Microsoft CSS Online Newsgroup Support
| >
| > Get Secure! - www.microsoft.com/security
| >
| > =====================================================
| > This newsgroup only focuses on SBS technical issues. If you have issues
| > regarding other Microsoft products, you'd better post in the
corresponding
| > newsgroups so that they can be resolved in an efficient and timely
manner.
| > You can locate the newsgroup here:
| > http://www.microsoft.com/communities/newsgroups/en-us/default.aspx
| >
| > When opening a new thread via the web interface, we recommend you check
| > the
| > "Notify me of replies" box to receive e-mail notifications when there
are
| > any updates in your thread. When responding to posts via your
newsreader,
| > please "Reply to Group" so that others may learn and benefit from your
| > issue.
| >
| > Microsoft engineers can only focus on one issue per thread. Although we
| > provide other information for your reference, we recommend you post
| > different incidents in different threads to keep the thread clean. In
| > doing
| > so, it will ensure your issues are resolved in a timely manner.
| >
| > For urgent issues, you may want to contact Microsoft CSS directly.
Please
| > check http://support.microsoft.com for regional support phone numbers.
| >
| > Any input or comments in this thread are highly appreciated.
| > =====================================================
| >
| > This posting is provided "AS IS" with no warranties, and confers no
| > rights.
| >
| > --------------------
| > | From: "Bill Glidden" <billyg1943@xxxxxxxxxxx>
| > | Subject: Weird 529 Errors in Security Log
| > | Date: Sun, 25 Mar 2007 08:48:33 +1000
| > | Lines: 15
| > | X-Priority: 3
| > | X-MSMail-Priority: Normal
| > | X-Newsreader: Microsoft Outlook Express 6.00.2900.3028
| > | X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3028
| > | X-RFC2646: Format=Flowed; Original
| > | Message-ID: <#fZ4OambHHA.1240@xxxxxxxxxxxxxxxxxxxx>
| > | Newsgroups: microsoft.public.windows.server.sbs
| > | NNTP-Posting-Host: 203-206-187-213.perm.iinet.net.au 203.206.187.213
| > | Path: TK2MSFTNGHUB02.phx.gbl!TK2MSFTNGP01.phx.gbl!TK2MSFTNGP04.phx.gbl
| > | Xref: TK2MSFTNGHUB02.phx.gbl microsoft.public.windows.server.sbs:25269
| > | X-Tomcat-NG: microsoft.public.windows.server.sbs
| > |
| > | Started getting many of these in event log. All from one workstation,
| > | sometimes over 50 a day. Any ideas, anyone?
| > |
| > | Reason: Unknown user name or bad password
| > | User Name: <name>@hotmail.com
| > | Domain:
| > | Logon Type: 3
| > | Logon Process: NtLmSsp
| > | Authentication Package: NTLM
| > | Workstation Name: <fred>
| > |
| > | TIA,
| > | Bill
| > |
| > |
| > |
| >
|
|
|

.