Re: Event ID 539 & 529 in large numbers - from what?



In the logs you posted, is <username> the name of a user or a machine? And is <workstation> a machine on your network, or does it appear as though it is coming in from an external source?

-Cliff

"Ruth Cheesley suffolkcomputerservices co (dot) uk>" <newsgroup<atdot> wrote in message news:eoKo6fquIHA.2188@xxxxxxxxxxxxxxxxxxxxxxx
Hello all,

Wondered if anyone can point me in the right direction for identifying what may be causing the following, which started appearing in the event logs today (SBS 2003). The only thing unique about this particular workstation is that it's running Sage Payroll with data on the SBS as a share. The company only has two other laptops alongside this workstation and the small business server, and 1 printer. Therefore this large number of failures was somewhat alarming when reading through the reports today! All computers and laptops are running legitimate copies of XP, with AVG Small Business Internet Security edition on server & all computers. All are up to date with Windows critical & security updates bar SP3.

Source Event ID Last Occurrence Total Occurrences
Security 539 20/05/2008 14:35 12,232 *
Logon Failure:
Reason: Account locked out
User Name: <username>
Domain: <domain name>
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: <workstation name>
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.0.0.53
Source Port: 0


Source Event ID Last Occurrence Total Occurrences
Security 529 20/05/2008 14:31 117 *
Logon Failure:
Reason: Unknown user name or bad password
User Name: <username>
Domain: <domain name>
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: <workstation name>
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 10.0.0.53
Source Port: 0

Many thanks,

Ruth
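
One way to triage a pasted report like the one quoted above and answer the two questions at the top of the thread, as an added example that is not part of the original posts: it sums failures per user/workstation/source, flags computer accounts (which end in `$`) and classifies the source address as RFC 1918 internal or external. The sample report is constructed and abbreviated; `jsmith` and `PAYROLL-PC` are placeholder names, and the function names are this example's own.

```python
import ipaddress
import re
from collections import Counter

# Constructed, abbreviated sample in the layout of the quoted report; names are placeholders.
SAMPLE = """\
Security 539 20/05/2008 14:35 12,232 *
User Name: jsmith
Workstation Name: PAYROLL-PC
Source Network Address: 10.0.0.53

Security 529 20/05/2008 14:31 117 *
User Name: jsmith
Workstation Name: PAYROLL-PC
Source Network Address: 10.0.0.53
"""

HEADER = re.compile(r"^Security\s+(\d+)\s+\S+\s+\S+\s+([\d,]+)", re.M)
FIELD = re.compile(r"^([A-Za-z ]+):[ \t]*(.*)$", re.M)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_report(text):
    """Yield one dict per summary block: its fields plus event id and total count."""
    for block in re.split(r"\n\s*\n", text.strip()):
        head = HEADER.search(block)
        if head:
            fields = {k.strip(): v.strip() for k, v in FIELD.findall(block)}
            fields.update(event_id=int(head.group(1)), total=int(head.group(2).replace(",", "")))
            yield fields

def origin(src):
    """Classify a source address; values that are not addresses (such as "-") are unknown."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unknown"
    return "internal" if any(addr in net for net in RFC1918) else "external"

def triage(text):
    """Sum failures per (user, workstation, source); label account type and origin."""
    totals = Counter()
    for ev in parse_report(text):
        totals[ev["User Name"], ev["Workstation Name"], ev["Source Network Address"]] += ev["total"]
    # Windows computer accounts end in "$"; anything else is treated as a user account.
    return [{"user": u, "workstation": w, "source": s, "failures": n,
             "account": "machine" if u.endswith("$") else "user", "origin": origin(s)}
            for (u, w, s), n in totals.most_common()]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A single row with an internal origin and a user account, as in the constructed sample, points at one LAN host repeatedly presenting credentials for one account.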






