J
Jim
I have a question about an event in my security logs. Here is the
situation:
I have 2 machines that are in the same domain. One is running Windows
2000 Server (workstation name = JIMLAB2K) and the other is running
Windows XP Professional (workstation name = JIMLABXP1).
On the Windows 2000 machine I modified the "Access the computer from
the network" right to only include administrators. I then logged into
the Windows XP machine as a test user that is a member of the domain
but is not a member of the administrators group on the Windows 2000
machine. Once logged in, I selected "Start, Run" and typed in
\\JIMLAB2K\c$. As expected I received an error message that said I
have not been granted the requested logon type at this computer.
When I look in the event log, I see 17 Failure Audit events that look
like this:
Date: mm/dd/yyyy
Source: Security
Time: hh/mm
Category: Logon/Logoff
Type: Failure
Event ID: 534
User: NT AUTHORITY\SYSTEM
Computer: JIMLAB2K
Description:
Logon Failure:
Reason: The user has not been granted the requested logon
type at this machine
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
My questions are this:
1. Why are their 17 events captured for one logon attempt?
2. Why doesn't the user name and domain populate with the username
and domain that I attempted to connect with?
3. Why doesn't the workstation name that I attempted to connect from
show up?
4. If this is occuring by design, then how do I know where this event
is coming from so that I can investigate it?
Thanks in advance for any assistance provided.
Jim
situation:
I have 2 machines that are in the same domain. One is running Windows
2000 Server (workstation name = JIMLAB2K) and the other is running
Windows XP Professional (workstation name = JIMLABXP1).
On the Windows 2000 machine I modified the "Access the computer from
the network" right to only include administrators. I then logged into
the Windows XP machine as a test user that is a member of the domain
but is not a member of the administrators group on the Windows 2000
machine. Once logged in, I selected "Start, Run" and typed in
\\JIMLAB2K\c$. As expected I received an error message that said I
have not been granted the requested logon type at this computer.
When I look in the event log, I see 17 Failure Audit events that look
like this:
Date: mm/dd/yyyy
Source: Security
Time: hh/mm
Category: Logon/Logoff
Type: Failure
Event ID: 534
User: NT AUTHORITY\SYSTEM
Computer: JIMLAB2K
Description:
Logon Failure:
Reason: The user has not been granted the requested logon
type at this machine
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
My questions are this:
1. Why are their 17 events captured for one logon attempt?
2. Why doesn't the user name and domain populate with the username
and domain that I attempted to connect with?
3. Why doesn't the workstation name that I attempted to connect from
show up?
4. If this is occuring by design, then how do I know where this event
is coming from so that I can investigate it?
Thanks in advance for any assistance provided.
Jim