RE: Administrator Event 529 on SBS2003 SP1

---

• From: mickyet <mickyet@xxxxxxxxxxxxxxxxxxxxxxxxx>
• Date: Sun, 16 Sep 2007 21:56:14 -0700

---

I don't think it is something malicious. In iis manager, check application
pools' properties, they should use following identities:



Defaultapppool, exchangemobilebrowseapplication, stsadminapppool: network
service

Exchangeapplicationpool, mssharepointappool: local system.



Also, check following to reset the permissions:

http://support.microsoft.com/kb/812614



moreover, you can check it on following websites:

www.eventid.net

http://www.chicagotech.net/troubleshooting/event529a.htm




"Steve Wofford" wrote:

I am recieving the following on an SBS2003 SP1

Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: HORIZONCV
Logon Type: 8
Logon Process: IIS
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SERVER
Caller User Name: SERVER$
Caller Domain: HORIZONCV
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 1920
Transited Services: -
Source Network Address: -
Source Port: -

I have referenced this article:

http://support.microsoft.com/default.aspx/kb/811082

However, that the user in the log is NT AUTHORITY/SYSTEM, not Administrator
as mentioned above. The Administrator has been renamed since the original
installation over 1 yr. ago. Also, NO services use and Administrative
account, let alone Administrator.

When I check the verions of WinLogon.exe it states that if it is older than
5.2.3790.367 the you have the "fixed" version. My file is at verions
5.2.3790.3959.

I want to ensure nothing malicious is taking place since something is trying
to access the Administrator account, albeit disabled...as I cannot find an
exact problem here.

TIA,

Steve

.

---

• References:
  • Administrator Event 529 on SBS2003 SP1
    • From: Steve Wofford

• Prev by Date: RE: cannot send to sbcglobal.net addresses
• Next by Date: Re: DCOM Error in SBS20032 SP1
• Previous by thread: Administrator Event 529 on SBS2003 SP1
• Next by thread: DCOM Error in SBS20032 SP1
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Event ID 529 ... First is a hardware firewall that sits on the perimeter of your network and requires that your users give user names and passwords, different from those for the network. ... Sometimes the Logon Type is different, also the User Name can be ... Computer: <SERVER NAME> ... Caller User Name: $ ... (microsoft.public.windows.server.sbs) Re: Security Event 529...please help.... ... The account that is creating the logon error is the system account, ... I have tried rebooting the server several times. ... the network that is only turned on occasionally. ... Caller User Name: - ... (microsoft.public.windows.server.sbs) Re: Security Event 529...please help.... ... Is you laptop name SBS1? ... This can happen if you have a presistent network connenction or a service ... Logon Failure: ... Caller User Name: - ... (microsoft.public.windows.server.sbs) Re: Event ID 529 Question ... Logon Failure: ... Caller User Name: SERVER01$ ... There is no "Mickey" user on our network, so it worries me that we have a hacker trying to get in using brute force logins as this occurred 45 times. ... Usually when you get this you see a source port and source IP Address, ... (microsoft.public.windows.server.sbs) Re: Help needed with Critical Errors in Security Log ... but you can look for the Caller Process ID. ... Logon Type 5 is Service logon issue- service uses an account. ... How to Setup Windows, Network, VPN & Remote Access on ... (microsoft.public.windows.server.sbs)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.server.sbs  > 2007-09