Logon Error - Event ID 533

  • Thread starter Thread starter MageMaster
  • Start date Start date
M

MageMaster

WinXP SP3, System is standalone, not connected to a network

This is the text of the event:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 533
Date: 6/3/2009
Time: 08:14:05
User: NT AUTHORITY\SYSTEM
Computer: IS00002

Description:
Logon Failure:
Reason: User not allowed to logon at this computer
User Name: dummy
Domain: (deleted)
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: (deleted)

--------------------------------------------------
The "deleted" text is for security purposes.

1) "Dummy" is member of "Users" Group

2) Local Security Settings, Log on locally = Users, Administrators

Note all Security Settings are DoD mandated.

Even if I create a new account like "Dummy" I get this error.

ONLY if I make a user (ANY user) a member of Administrators can they
logon.

I found the MS TeckNet article:
http://www.microsoft.com/technet/su...odVer=5.2&EvtID=533&EvtSrc=Security&LCID=1033

Also found many hits using Google.

Problem, none provided a fix or even a hint that applies in this case
(Users in Log on locally).

So, WHAT is the fix?
 
Gerry, the references do not apply. The fixes are for systems using
Domain Servers, NOT un-networked standalones.
 
MageMaster

What version of Windows XP?

Logon Type 2 - Interactive
This is what occurs to you first when you think of logons, that is, a
logon at the console of a computer. You'll see type 2 logons when a user
attempts to log on at the local keyboard and screen whether with a
domain account or a local account from the computer's local SAM. To tell
the difference between an attempt to logon with a local or domain
account look for the domain or computer name preceding the user name in
the event's description. Don't forget that logon's through an KVM over
IP component or a server's proprietary "lights-out" remote KVM feature
are still interactive logons from the standpoint of Windows and will be
logged as such.
http://www.windowsecurity.com/articles/Logon-Types.html

http://www.microsoft.com/resources/...ndows_security_default_settings.mspx?mfr=true


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
The "Domain: (deleted)" = "Domain: IS00002"

The system is default WORKGROUP

Both keyboard & mouse are connected directly to this standalone PS/2.
This is a local keyboard, mouse, monitor.

I am assuming the error showing "Domain: IS00002" is what you get when
using a local logon. So, SHOULD a logon to a non-networked standalone
in a WORKGROUP, have a "Domain" name listed in this type of Event
Error?

OR, is that the error, something in WinXP thinks "Users" are logging
into an actual Domain? BUT, when ANYONE is a member of Administrators,
they do NOT have a logon problem.
 
Neither. This is a DoD system, used where I work. This is why I
stated in my original post that all Security Settings are DoD
mandated. No network connection allowed. Win Updates via our Slip-
Stream CD use in our OEM product. AntiVirus Updates via CD, Symantec
Intelligent Updater.

As stated on my original post, WinXP SP3 was installed from scratch
(WinXP SP2 CD -> SP3 upgrade via CD). I have done this numerous
times.
 
Your security Audit log may be full, log in as an admin and delete it. If
that is not it then check out this policy
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Security Options
If this policy is enabled, it causes the system to halt if a security audit
cannot be logged for any reason. Typically, an event will fail to be logged
when the security audit log is full and the retention method specified for
the security log is either Do Not Overwrite Events or Overwrite Events by
Days. The DOD configuration may have their own modifications to that policy.





--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.




Neither. This is a DoD system, used where I work. This is why I
stated in my original post that all Security Settings are DoD
mandated. No network connection allowed. Win Updates via our Slip-
Stream CD use in our OEM product. AntiVirus Updates via CD, Symantec
Intelligent Updater.

As stated on my original post, WinXP SP3 was installed from scratch
(WinXP SP2 CD -> SP3 upgrade via CD). I have done this numerous
times.
 
"Come into my parlour said the Spider to the Fly"

The Real Truth imposter tries again!


--


Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Gerry,

No. Your URL is for Win2003 systems only. Also the article is not
the governing DoD authority for the system we have to use.
 
I'll double check, but I'm sure we overwrite every 30-days. Anyway,
we clear/save all Audit Logs every week, so a full log should not be
the problem.

Also, 2 days ago, I created a dummy account, member Users Group, for
testing. The user cannot logon and no Profile folder is made, as I
would expect.
 
Tecknomage

Do not click on any links this person provider as he is the worst troll
current lurking in this newsgroups.

The suggestion regarding security logs should not apply if the overwrite
option has been selected and you have the default maximum of 512 kb. You
have received the failure report and no doubt later events are recorded
in the Security log. The comments by the Real Truth Imposter are
contradicted by the continuing recording of events.

How to Set Log Size and Overwrite Options
To specify log size and overwrite options, follow these steps:
Click Start, and then click Control Panel. Click Performance and
Maintenance, then click Administrative Tools, and then double-click
Computer Management. Or, open the MMC containing the Event Viewer
snap-in.
In the console tree, expand Event Viewer, and then right-click the log
in which you want to set size and overwrite options.
Under Log size, type the size that you want in the Maximum log size box.
Under When maximum log size is reached, click the overwrite option that
you want.
If you want to clear the log contents, click Clear Log.
Click OK.
Source: http://support.microsoft.com/kb/308427/en-us

Take care Real Truth is plausible and many get taken in by him. Normally
he posts simple comments but on this occasion his remarks are more
complex.


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
Tecknomage

OK so can you post me a link for the governing DoD authority for the
system you have to use?

You probably by now appreciate that this may not be the most appropriate
newsgroup for you problem. If I knew the software you are using I may be
able to suggest a better place to ask.


--


Hope this helps.

Gerry
~~~~
FCA
Stourport, England
Enquire, plan and execute
~~~~~~~~~~~~~~~~~~~
 
This classified PDF document is not for general release. Sorry.

As for Event Viewer, your method is the long way around. I have a
link to it in the Quick Launch Bar (from Admin Tools in Control
Panel). The filesize is more than enough, overwrite 30-days, but we
clear/save once a week, so that's not the issue.

The bottom line is, if [Local Security Settings, Log on locally =
Users, Administrators], what is preventing a user-name that is a
"Member of Users" from logging on?

They get the "your account is configured to prevent you from using
this computer. Please try another computer."
 
Ensure that the user account has permissions to connect to the servers.
Go to Active Directory users and Computers > user account properties >
Account tab and click Log on to.
Select All Computers
I posted a screenshot here http://pcbutts1.com/downloads/ad.jpg



--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
 
Scratch that you said it is a standalone system.

--
The Real Truth http://pcbutts1-therealtruth.blogspot.com/
*WARNING* Do NOT follow any advice given by the people listed below.
They do NOT have the expertise or knowledge to fix your issue. Do not waste
your time.
David H Lipman, Malke, PA Bear, Beauregard T. Shagnasty, Leythos.
 
The problem system has never been renamed since built 2mths ago.


I'm having a similar issue in a very similar environment.

Standalone PL-1 system WinXP SP3 and getting the same error for non
administrative local users.

Its not a problem with the event log and the Users group is included in
the local logon policy.

I was thinking it might have been related to rename in the computer
name recently, but I don't see why that would matter.

MageMaster;4447345 said:
This classified PDF document is not for general release. Sorry.

As for Event Viewer, your method is the long way around. I have a
link to it in the Quick Launch Bar (from Admin Tools in Control
Panel). The filesize is more than enough, overwrite 30-days, but we
clear/save once a week, so that's not the issue.

The bottom line is, if [Local Security Settings, Log on locally =
Users, Administrators], what is preventing a user-name that is a
"Member of Users" from logging on?

They get the "your account is configured to prevent you from using
this computer. Please try another computer."
Click to expand...
Click to expand...
 
The first link (KB823659) is for systems on domains, does not apply in
my case.

The second (KB160783) is for Workstations, again does not apply in my
case.

Both KB are for networked systems, the problem system is standalone
non-networked.
 
Back
Top