Security log in Event Viewer shows Failure Audits from other pcs????

  • Thread starter Thread starter Saucer Man
  • Start date Start date
S

Saucer Man

I noticed on one of my Windows 2000 workstations that the Security log in
Event Viewer is showing Failure Audits from another PC. The other PC is a
Windows XP workstation. The failure audits are ID 681 and 529. These are
logon type errors. Why is it logging on someone elses PC?
 
Saucer Man said:
I noticed on one of my Windows 2000 workstations that the Security log in
Event Viewer is showing Failure Audits from another PC. The other PC is a
Windows XP workstation. The failure audits are ID 681 and 529. These are
logon type errors. Why is it logging on someone elses PC?
Click to expand...

Are you sure you are not misreading the event message?
Is it not telling you the workstation from which a network login
was originated, but the failed login was recorded on the machine
where the failed login was attempted ?
If not, then please post and example of these so that we can
see what you are seeing instead of just hearing how you are
understanding it.

Roger
 
OK. Here is what is happening. These events ...

1) The logon to account: john
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: HP-DV9608
failed. The error code was: 3221225572

2) Logon Failure:
Reason: Unknown user name or bad password
User Name: john
Domain: HP-DV9608
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: HP-DV9608

....were logged in another computers Event Viewer.

Thanks.
 
So, those messages are common, and are saying that
someone/something attempted to do a network login
(lgon type 3) as an account named john onto the machine
where this was recorded from a machine that was named
HP-DV9608 that was not in a domain (domain same as
workstation name)
 
The problem is John on machine HP-DV9608 did not try to logon to the PC
where this was logged. John only logged onto machine HP-DV9608 which is
only part of a workgroup. When he does this, these events get logged into
this OTHER machine in the domain.
 
Saucer Man said:
The problem is John on machine HP-DV9608 did not try to logon to the PC
where this was logged. John only logged onto machine HP-DV9608 which is
only part of a workgroup. When he does this, these events get logged into
this OTHER machine in the domain.
Click to expand...

Something John is doing, or that starts when he logs in,
is attempting an authenticated network access to the box
where this gets logged. Check the processes running or
what use they are making of the network (consider tools
like TcpView from Sysinternals at the MS website)
 
Back
Top