logon/logoff event 529 every 5 minutes

Discussion in 'Windows Small Business Server' started by mp3nomad, Apr 11, 2006.

  1. mp3nomad

    mp3nomad Guest

    I reset the domain administrator password a few days ago and now I see the
    following event occurring every 5 minutes in the security event list.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 4/11/2006
    Time: 4:20:00 PM
    User: NT AUTHORITY\SYSTEM
    Computer: SBS
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Administrator
    Domain: BIGAGIS
    Logon Type: 4
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: SBS
    Caller User Name: SBS$
    Caller Domain: BIGAGIS
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 1700
    Transited Services: -
    Source Network Address: -
    Source Port: -

    The process id 1700 is svchost.exe. I can't tell exactly where to make an
    update to keep this event from happening.

    Please advise if there is anything I can do to stop this. We are using SBS
    2003 Premium.

    Thanks!
     
    mp3nomad, Apr 11, 2006
    #1

  2. Open a command prompt on the SBS and type "tasklist /svc" without the
    quotes. Scroll the list until you find the instance of svchost that's
    associated with PID 1700, and it'll tell you what application it is.

    When you change the password, you usually have to scroll the list in
    Services to see what's logging on as Administrator and change it there as
    well. Also the Scheduled Tasks.
     
    Dave Nickason [SBS MVP], Apr 11, 2006
    #2

  3. mp3nomad

    mp3nomad Guest

    Thank you Dave! I found it. It was a scheduled task.

    Shelly Campbell
     
    mp3nomad, Apr 11, 2006
    #3
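
Added example, not part of the original thread: the event in the first post already narrows the search, because Logon Type 4 is a batch logon (the type Scheduled Tasks uses) and the caller is the server's own machine account. The sketch below parses the event's "Field: value" lines and maps the logon type to where a stale password is usually stored; the function names and the hint wording are assumptions made for this illustration.

```python
import re

# Standard Windows logon type numbers; the "where to look" text is an
# added triage hint, not wording from the event log.
LOGON_TYPES = {
    2: ("Interactive", "console session or saved RunAs credentials"),
    3: ("Network", "mapped drives or other stored network credentials"),
    4: ("Batch", "Scheduled Tasks set to run as this account"),
    5: ("Service", "Services whose Log On As account is this user"),
    10: ("RemoteInteractive", "disconnected Terminal Services sessions"),
}
FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*)$")

# Fields copied from the event in the first post of this thread.
SAMPLE = """\
Event ID: 529
User Name: Administrator
Domain: BIGAGIS
Logon Type: 4
Workstation Name: SBS
Caller User Name: SBS$
Caller Process ID: 1700
"""

def parse_event(text):
    """Turn the 'Field: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            fields[m.group(1).strip()] = m.group(2).strip()
    return fields

def triage(text):
    """Return where to look for the stale credential, or None if not a 529."""
    f = parse_event(text)
    if f.get("Event ID") != "529" or not f.get("Logon Type", "").isdigit():
        return None
    name, hint = LOGON_TYPES.get(int(f["Logon Type"]), ("Unknown", "no hint"))
    pid = f.get("Caller Process ID", "")
    return {
        "account": f.get("Domain", "") + "\\" + f.get("User Name", ""),
        "logon_type": name,
        "check": hint,
        # True when the caller is this machine's own computer account.
        "local_origin": f.get("Caller User Name", "") == f.get("Workstation Name", "") + "$",
        "caller_pid": int(pid) if pid.isdigit() else None,
    }

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the event posted above, the result points at Scheduled Tasks on the server itself, which matches what the original poster found.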