Re: Failure Audit on Terminal Server

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

The User Name in the error log indicates Administrator, but the domain is the network domain. Usually, local admin accounts operate under the "domain" of the machine name, not the domain name.

--
Josh Rosenberg [MSFT]
SDE - Terminal Services


"SJMP" <sjmp@xxxxxxxxxxxxxxxx> wrote in message news:%23uJ7yhHfHHA.3960@xxxxxxxxxxxxxxxxxxxxxxx
How do you come to that conclusion. I am concerned that someone tried to log in to the TS server with the admin account. Why would you think they were trying to log in with a local account.


"Josh Rosenberg [MSFT]" <joshrose@xxxxxxxxxxxxxxxxxxxx> wrote in message news:8F4F66E1-4480-49BD-BA1C-492E07D942F5@xxxxxxxxxxxxxxxx
Correct me if I'm wrong, but it looks like someone tried to logon as the local administrator, but provided the network domain as the domain, not the local machine name.

Local administrator accounts are not part of the domain (usually), and as such you need to change the domain to the local machine "Terminal Server", rather than "MY DOMAIN"

--
Josh Rosenberg [MSFT]
SDE - Terminal Services


"SJMP" <sjmp@xxxxxxxxxxxxxxxx> wrote in message news:%23umDH2GfHHA.1960@xxxxxxxxxxxxxxxxxxxxxxx
windows 2003 standard sp1 running Terminal Server. I have changed the computer name "Terminal Server" and domain "MY DOMAIN"

Is this something I need to be concerned with? Can you provide me with some docs on Caller Logon ID and Caller Process ID?

Thanks,

Event ID 529
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 4/10/2007
Time: 3:04:36 PM
User: NT AUTHORITY\SYSTEM
Computer: terminal serverr"
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: MY DOMAIN
Logon Type: 10
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: Terminal Server
Caller User Name: Terminal Server$
Caller Domain: MY DOMAIN
Caller Logon ID: (0x0,0x3E7)
Caller Process ID: 16696
Transited Services: -
Source Network Address: verizon ip add
Source Port: 16244


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.






.

Relevant Pages

  • Re: Adding Terminal Server
    ... as an administrator logging on as a user doing the testing this does not ... and a few other applications. ... >> How do I grant users access to the terminal server using the list of users ... >> Do I install apps the way I would as if I was installing to a desktop ...
    (microsoft.public.windows.terminal_services)
  • Re: Admin Priveleges Not Working
    ... the "administrator group" but that didn't work. ... >you must be signed onto the workstation under an account ... >> the wizard and I enter the server administrator name, ... >> workstation admin accounts to join a domain. ...
    (microsoft.public.backoffice.smallbiz2000)
  • RE: Terminal services + user desktop
    ... "Patrick Rouse" wrote: ... Microsoft MVP - Terminal Server ... via VNC as a domain administrator. ... desktop with selected shortcuts. ...
    (microsoft.public.windows.terminal_services)
  • RE: Default Gateway changes at admin logon
    ... Microsoft MVP - Terminal Server ... "Patrick Rouse" wrote: ... Can you run regmin & filemon on the server then logon as an administrator to ... users connected to the TS using and ADSL modem (the default gateway). ...
    (microsoft.public.windows.terminal_services)
  • RE: Default Gateway changes at admin logon
    ... Can you run regmin & filemon on the server then logon as an administrator to ... Microsoft MVP - Terminal Server ... Yes it affects sessions, ... users connected to the TS using and ADSL modem (the default gateway). ...
    (microsoft.public.windows.terminal_services)