UltimateWindowsSecurity.com Forum / Ultimate Windows Security Forum / Security Log / 529 - Logon Failure - Unknown user name or bad password

Workstation Names in LOG

Darryl — Thu, 18 Mar 2010 12:55:43 GMT

HI Ive been trying to work out what this means for a while now, not found anything online about it at all. All logonTypes i get are logon type3 no idea why i dont see any other type apart from 0. I am all so trying to work out why most the logonfailures are logged when attempting to access \\TMP Workstation. Im guessing TMP stands for Temp possibly network share?

Event ID 529 logged with little detail

richard.hart@barclays.com — Mon, 22 Mar 2010 05:49:50 GMT

I am getting 529 events logged on my Windows 2003 servers, but they only information they have is the reason of "Unknown user name or bad password" , that it is a type 3 (network) logon, Logon process is Kerberos and the authentication package is Kerberos.

Any ideas what could cause this or how I could get more details?

source network address

southside_steve — Tue, 10 Nov 2009 11:26:12 GMT

Is there any way to get XP Pro to log the source network address in event 529 - or in another event? I am logging event 529 but there is no source IP address shown.

Logon types question

jwalzer — Mon, 24 Aug 2009 14:51:19 GMT

Randy,

Currently we are using GFI for event log management and when I run a report on 'Failed Logins' pulling from event ID 529, under 'logon type' 99.9% of them show as 'Network'. If I run a report looking for 'interactive' there are none. Any idea why the majority of failed logins under event ID 529 show up as 'Network' with very little listed as 'interactive'?

Thanks

Event on DCs when unknown password is used

alex.fischer — Wed, 16 Sep 2009 09:47:22 GMT

Randy,

I want to document the use of wrong password during the try-to-logon-process initiated on a Member Server (or Client Computer) when the user uses its domain account. I thought, that 529 will be logged on security event log on DC but it isn't so. Could you please tell me how I will be able to document the occurence of wrong password while a users is trying to log on at a member server or workstation with his domain account?

Thanks in advance.

Alex

not logging 529 errors

cmpyx — Tue, 09 Jun 2009 09:47:35 GMT

Randy,

I have created a GPO in which I am logging both successful and failure for 'Audit account logon events' and 'Audit logon events'. I am distributing this GPO to all DC's and member servers. I deliberately tried to logon to a DC with an incorrect password for the domain Administrator account, but for some reason I am not logging any 529's on the DC or any other DC. What am I doing wrong?