event id 529 after password change

Hi all,

For security reasons we had to change the admin password on an SBS2003 box.
Since then we are getting thousands of 529 errors from the workstations.
They all look like this:

Source security

Category Logon/logiff

Event ID 529

User NT Authority\System

Logon Failure:

Reason: Unknown user name or bad password

User Name: administrator

Domain: TTOWNSEND01

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name: TTOWNSEND01

Caller User Name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network Address: -

Source Port: -



Any idea what could be the cause? At first we also got a policy execution
error but a reboot of the server fixed that.

Thanks,
--
Claus

Claus:

there is some service in the stations that checks the server at the interval
shown in the event logs. Hard for us to tell from here what it is, but you
should be able to see a similiar event in the logs on the station.

I would try running MSCONFIG on one of the stations, disabling all non MS
services to see if the errors stop. If yes, use the 50 - 50 rule to see
what service/program it is. My first gues would be an AV program that uses
the administrator password to validate itself.

Please note that this venue is due to be closed in a few days/weeks and you
will get much more attention in the new SBS Forum hosted by MS at the following
location.

http://social.technet.microsoft.com/...server/threads

You can either use your web browser, or if you prefer to use your existing
(or different) nntp news reader you can use one of the official MS bridge
applications, or the combined one on codeplex.com

Official MS Bridge - Note two required.
http://connect.microsoft.com/MicrosoftForums/

Codeplex nntp bridge - only one required.
http://communitybridge.codeplex.com/

-Please post the resolution to your issue so others may benefit.

-Get Your SBS Health Check at www.sbsbpa.com


> Hi all,
>
> For security reasons we had to change the admin password on an SBS2003
> box. Since then we are getting thousands of 529 errors from the
> workstations. They all look like this:
>
> Source security
>
> Category Logon/logiff
>
> Event ID 529
>
> User NT Authority\System
>
> Logon Failure:
>
> Reason: Unknown user name or bad password
>
> User Name: administrator
>
> Domain: TTOWNSEND01
>
> Logon Type: 3
>
> Logon Process: NtLmSsp
>
> Authentication Package: NTLM
>
> Workstation Name: TTOWNSEND01
>
> Caller User Name: -
>
> Caller Domain: -
>
> Caller Logon ID: -
>
> Caller Process ID: -
>
> Transited Services: -
>
> Source Network Address: -
>
> Source Port: -
>
> Any idea what could be the cause? At first we also got a policy
> execution error but a reboot of the server fixed that.
>
> Thanks,
>

Thanks Larry,

I thought there might be a known issue with changing the admin password on
an SBS 2003 box.

I checked the stations and there are 1030 userinv event in the stations
event logs that reference policy objects. I will run some tests and report
back.

--
Claus
"Larry Struckmeyer[SBS-MVP]" <> wrote in message
news: om...
> Claus:
>
> there is some service in the stations that checks the server at the
> interval shown in the event logs. Hard for us to tell from here what it
> is, but you should be able to see a similiar event in the logs on the
> station.
>
> I would try running MSCONFIG on one of the stations, disabling all non MS
> services to see if the errors stop. If yes, use the 50 - 50 rule to see
> what service/program it is. My first gues would be an AV program that
> uses the administrator password to validate itself.
>
> Please note that this venue is due to be closed in a few days/weeks and
> you will get much more attention in the new SBS Forum hosted by MS at the
> following location.
>
> http://social.technet.microsoft.com/...server/threads
>
> You can either use your web browser, or if you prefer to use your existing
> (or different) nntp news reader you can use one of the official MS bridge
> applications, or the combined one on codeplex.com
>
> Official MS Bridge - Note two required.
> http://connect.microsoft.com/MicrosoftForums/
>
> Codeplex nntp bridge - only one required.
> http://communitybridge.codeplex.com/
>
> -Please post the resolution to your issue so others may benefit.
>
> -Get Your SBS Health Check at www.sbsbpa.com
>
>
>> Hi all,
>>
>> For security reasons we had to change the admin password on an SBS2003
>> box. Since then we are getting thousands of 529 errors from the
>> workstations. They all look like this:
>>
>> Source security
>>
>> Category Logon/logiff
>>
>> Event ID 529
>>
>> User NT Authority\System
>>
>> Logon Failure:
>>
>> Reason: Unknown user name or bad password
>>
>> User Name: administrator
>>
>> Domain: TTOWNSEND01
>>
>> Logon Type: 3
>>
>> Logon Process: NtLmSsp
>>
>> Authentication Package: NTLM
>>
>> Workstation Name: TTOWNSEND01
>>
>> Caller User Name: -
>>
>> Caller Domain: -
>>
>> Caller Logon ID: -
>>
>> Caller Process ID: -
>>
>> Transited Services: -
>>
>> Source Network Address: -
>>
>> Source Port: -
>>
>> Any idea what could be the cause? At first we also got a policy
>> execution error but a reboot of the server fixed that.
>>
>> Thanks,
>>
>
>