Event ID 529 with username : User and SYSTEM
Posted 5/10/2011 2:11:46 PM
Forum Newbie

Group: Forum Members
Last Login: 5/12/2011 3:03:02 PM
Posts: 5, Visits: 5
Hi,

I am getting many logs (from my 2003 DC) with Event ID 529 that have username: User and Caller username: SYSTEM. Does anyone have any idea what generates that?

Thanks.
Post #671
Posted 5/11/2011 8:41:35 AM
Expert

Group: Administrators
Last Login: 4/20/2009 7:57:33 AM
Posts: 329, Visits: 0
Look for Account Logon failure events occurring at the same time on that domain controller for user name "user". Then look at the client IP address.

Also, what is the logon type in the event ID 529?

Post #676
Posted 5/12/2011 8:36:25 AM
Forum Newbie

Hi,

This is occurring from many workstations. The logs are on the domain controller and it's always type 3. I am using ArcSight to collect the logs from the DC and I am flooded with those events, and I would like to know what is generating that so I can either fix it or filter out those logs. But I need to know exactly what is causing that so I can document it. We are NERC compliant and every exception needs to be documented.

Thanks.
Post #682
Posted 5/12/2011 8:45:49 AM
Forum Newbie

More info:

If I look at the log, just before the ID529 I get a log with ID 680 with same workstation and account User and error code 0xC000064 (user name does not exist).

Post #683
Posted 5/12/2011 8:59:39 AM
Expert

Look at the IP address in 529 and the workstation name in 680. That should help you trace it back to the originating computer.
Post #684
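
Added example, not part of the original thread or any poster's code: one way to do the correlation suggested above, pairing each 529 with the 680 logged just before it for the same account and workstation, then summarising per source. The record layout, field names, workstation names and IP addresses are constructed assumptions; 0xC0000064 is the NTSTATUS value for a nonexistent user name.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real logs). Field names are assumptions
# modelled on the Windows Server 2003 descriptions of events 680 and 529.
EVENTS = [
    {"time": "2011-05-12 08:30:01", "id": 680, "account": "User",
     "workstation": "WKS-014", "error": "0xC0000064"},  # no such user
    {"time": "2011-05-12 08:30:01", "id": 529, "account": "User",
     "workstation": "WKS-014", "logon_type": 3, "source_ip": "10.0.4.14"},
    {"time": "2011-05-12 08:30:05", "id": 680, "account": "User",
     "workstation": "WKS-022", "error": "0xC0000064"},
    {"time": "2011-05-12 08:30:06", "id": 529, "account": "User",
     "workstation": "WKS-022", "logon_type": 3, "source_ip": "10.0.4.22"},
    {"time": "2011-05-12 08:45:10", "id": 680, "account": "User",
     "workstation": "WKS-014", "error": "0xC0000064"},
    {"time": "2011-05-12 08:45:10", "id": 529, "account": "User",
     "workstation": "WKS-014", "logon_type": 3, "source_ip": "10.0.4.14"},
    {"time": "2011-05-12 09:00:00", "id": 529, "account": "User",
     "workstation": "WKS-031", "logon_type": 3, "source_ip": "10.0.4.31"},
]

def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")

def correlate(events, window_seconds=2):
    """Pair each 529 with the 680 logged just before it for the same account
    and workstation; return (per-source summary, 529s with no matching 680)."""
    pending = {}   # (account, workstation) -> latest unmatched 680
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "errors": set()})
    unmatched = []
    for ev in sorted(events, key=lambda e: (_ts(e), -e["id"])):  # 680 first on ties
        key = (ev["account"].lower(), ev["workstation"].upper())
        if ev["id"] == 680:
            pending[key] = ev
        elif ev["id"] == 529:
            prior = pending.pop(key, None)
            if prior and _ts(ev) - _ts(prior) <= timedelta(seconds=window_seconds):
                summary[key]["count"] += 1
                summary[key]["ips"].add(ev["source_ip"])
                summary[key]["errors"].add(prior["error"])
            else:
                unmatched.append(ev)
    return dict(summary), unmatched

if __name__ == "__main__":
    per_source, orphans = correlate(EVENTS)
    for (account, wks), row in sorted(per_source.items()):
        print(account, wks, row["count"], sorted(row["ips"]), sorted(row["errors"]))
    print("529 without a preceding 680:", [e["workstation"] for e in orphans])
```

The per-workstation counts and error codes give a documented basis for a SIEM filter, while any 529 left unmatched stays visible for separate review.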
Posted 5/12/2011 10:52:42 AM
Forum Newbie

Hi,

I know which computer it is, that's not the problem, I just want to know what could cause that log. Any idea what process or program could try using the username User?

Thanks.
Post #686
Posted 5/12/2011 3:05:58 PM
Expert

No, but at least you know which computer to look on.
Post #687
Posted 5/12/2011 3:09:44 PM
Forum Newbie

Hi,

What would be the best way to find out which process or program tries to log on with the username User?

Thanks.
Post #689
Posted 6/10/2011 5:31:49 PM
Forum Newbie

Group: Forum Members
Last Login: 6/10/2011 6:05:35 PM
Posts: 3, Visits: 2
I am experiencing a very similar scenario (events 529 & 640). Did you resolve your issue? Any insights to share? Thanks.
Post #725
Posted 6/10/2011 5:34:23 PM
Forum Newbie

Oops, typo: I mean events 529 & 680.
Post #726
All times are GMT -5:00.