Re: Failure Audit on Terminal Server

Tech Tip: Click here to run a free scan for Windows Errors and optimize PC performance

---

• From: "Josh Rosenberg [MSFT]" <joshrose@xxxxxxxxxxxxxxxxxxxx>
• Date: Wed, 11 Apr 2007 12:52:28 -0700

---

Correct me if I'm wrong, but it looks like someone tried to logon as the local administrator, but provided the network domain as the domain, not the local machine name.

Local administrator accounts are not part of the domain (usually), and as such you need to change the domain to the local machine "Terminal Server", rather than "MY DOMAIN"

--
Josh Rosenberg [MSFT]
SDE - Terminal Services


"SJMP" <sjmp@xxxxxxxxxxxxxxxx> wrote in message news:%23umDH2GfHHA.1960@xxxxxxxxxxxxxxxxxxxxxxx

windows 2003 standard sp1 running Terminal Server. I have changed the computer name "Terminal Server" and domain "MY DOMAIN"

Is this something I need to be concerned with? Can you provide me with some docs on Caller Logon ID and Caller Process ID?

Thanks,

Event ID 529
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 4/10/2007
Time: 3:04:36 PM
User: NT AUTHORITY\SYSTEM
Computer: terminal serverr"
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: MY DOMAIN
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: Terminal Server
Caller User Name: Terminal Server$
Caller Domain: MY DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 16696
Transited Services: -
Source Network Address: verizon ip add
Source Port: 16244


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

.

---

• Follow-Ups:
  • Re: Failure Audit on Terminal Server
    • From: SJMP
  • Re: Failure Audit on Terminal Server
    • From: SJMP

• References:
  • Failure Audit on Terminal Server
    • From: SJMP

• Prev by Date: Re: Windows - Low on Registry Space
• Next by Date: Re: Help with configuration
• Previous by thread: Failure Audit on Terminal Server
• Next by thread: Re: Failure Audit on Terminal Server
• Index(es):
  • Date
  • Thread

---

Relevant Pages Re: Failure Audit on Terminal Server ... No one would have been trying to log in with the local admin account. ... such you need to change the domain to the local machine "Terminal Server", ... some docs on Caller Logon ID and Caller Process ID? ... (microsoft.public.windows.terminal_services) Failure Audit on Terminal Server ... docs on Caller Logon ID and Caller Process ID? ... Workstation Name: Terminal Server ... (microsoft.public.windows.terminal_services) Re: Failure Audit on Terminal Server ... Someone attempted to logon to your terminal server via a terminal services connection. ... It corresponds to the machine logon which was trying to authenticate on behalf of the user. ... The Caller Process ID is the PID of the winlogon.exe instance for the TS session that provided the logon GUI. ... (microsoft.public.windows.terminal_services) Re: Failure Audit on Terminal Server ... such you need to change the domain to the local machine "Terminal Server", ... some docs on Caller Logon ID and Caller Process ID? ... (microsoft.public.windows.terminal_services) Re: Permission Denied on Application on TS? ... Do you get "access denied" when you try to logon, ... i.e. when the Terminal Server ... But when I log on as the Local Administrator ... I put the Friendship User Account in the ... (microsoft.public.windows.terminal_services)

---

• Windows
• Science
• Usenet

• Archive
• About
• Privacy
• Search
• Imprint

www.tech-archive.net  > Archive  > Windows  > microsoft.public.windows.terminal_services  > 2007-04