The security log on my customer's SBS 2003 server is getting a 529 error thousands of times per day (some are generated every few seconds). This began when all user passwords were expired in order to force an immediate password change. There are no services starting with this valid user name, in fact the user listed in the top section of the error details screen is NT Authority\System. See falure audit details below. Logon Failure: Reason: Unknown user name or bad password User Name: <valid active user name> Domain: <my domain> Logon Type: 4 Logon Process: DCOMSCM Authentication Package: Negotiate Workstation Name: SBS1 Caller User Name: SBS1$ Caller Domain: FCPC I believe DCOMSCM is a SQL tool, but I'm not sure what application is calling it. Additionally, the System log shows a corresponding error 10004 at the same time. See below for details. DCOM got error "Logon failure: unknown user name or bad password. " and was unable to logon .\<valid user name> in order to run the server: {92CF31D6-E904-4EE8-AAC9-E1A7719056E9} For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp. If I click on the futher information link I get this info: Product: Windows Operating System ID: 10004 Source: DCOM Version: 5.0 Component: System Event Log Symbolic Name: EVENT_RPCSS_RUNAS_CANT_LOGIN Message: DCOM got error "%%%1" and was unable to logon %2\\%3 in order to run the server: %4 I've not been able to find the service or application that is using the user name's credentials so that I can change it to the new password. How do I go about finding it?
Hi Jeff, Thank you for posting in SBS newsgroup. Based on my research, I find the {92CF31D6-E904-4EE8-AAC9-E1A7719056E9} is related Red Earth Software's application called Policy Patrol Enterprise 3.0. You can search the registry for the GUID as in the event and found that it is pointing to the PP30_data server software i.e. Policy Patrol Software. You can use DCOMCNFG and open the properties of PP30_data server and went to the Identity tab and reset the password for administrator account. If the problem still persists, please perform a clean boot on the client as following: 1. Click Start, click Run, and then in the Open box, type "MSCONFIG" (without the quotation marks). Click OK. 2. In the System Configuration Utility (MSConfig) window, click to select the Selective Startup button. 3. Click to clear the check mark from the "Load startup items" below Selective Startup. 4. Click the Services tab, click to check the "Hide All Microsoft Services" box, and remove all the check marks from the remained Non-Microsoft Services. Please note that the Exchange services could be marked as non-Microsoft. Please do not disable those services. 5. Click OK to close the MSConfig window. Click Yes when you are asked to restart your computer in order to enable the changes. 6. After restarting, please check whether this issue will reoccur. Hope it helps and I look forward to hearing from you. Best regards, Crina Li (MSFT) Microsoft CSS Online Newsgroup Support Get Secure! - www.microsoft.com/security ===================================================== This newsgroup only focuses on SBS technical issues. If you have issues regarding other Microsoft products, you'd better post in the corresponding newsgroups so that they can be resolved in an efficient and timely manner. You can locate the newsgroup here: http://www.microsoft.com/communities/newsgroups/en-us/default.aspx When opening a new thread via the web interface, we recommend you check the "Notify me of replies" box to receive e-mail notifications when there are any updates in your thread. When responding to posts via your newsreader, please "Reply to Group" so that others may learn and benefit from your issue. Microsoft engineers can only focus on one issue per thread. Although we provide other information for your reference, we recommend you post different incidents in different threads to keep the thread clean. In doing so, it will ensure your issues are resolved in a timely manner. For urgent issues, you may want to contact Microsoft CSS directly. Please check http://support.microsoft.com for regional support phone numbers. Any input or comments in this thread are highly appreciated. ===================================================== This posting is provided "AS IS" with no warranties, and confers no rights. -------------------- | Thread-Topic: Security log event ID 529 & System log event ID 10004 || From: "=?Utf-8?B?SmVmZkQ=?=" <> | Subject: Security log event ID 529 & System log event ID 10004 | Date: Thu, 3 Nov 2005 10:09:01 -0800 | | Newsgroups: microsoft.public.windows.server.sbs | | | The security log on my customer's SBS 2003 server is getting a 529 error | thousands of times per day (some are generated every few seconds). This | began when all user passwords were expired in order to force an immediate | password change. There are no services starting with this valid user name, in | fact the user listed in the top section of the error details screen is NT | Authority\System. See falure audit details below. | | Logon Failure: | Reason: Unknown user name or bad password | User Name: <valid active user name> | Domain: <my domain> | Logon Type: 4 | Logon Process: DCOMSCM | Authentication Package: Negotiate | Workstation Name: SBS1 | Caller User Name: SBS1$ | Caller Domain: FCPC | | I believe DCOMSCM is a SQL tool, but I'm not sure what application is | calling it. Additionally, the System log shows a corresponding error 10004 at | the same time. See below for details. | | DCOM got error "Logon failure: unknown user name or bad password. " and was | unable to logon .\<valid user name> in order to run the server: | {92CF31D6-E904-4EE8-AAC9-E1A7719056E9} | | For more information, see Help and Support Center at | http://go.microsoft.com/fwlink/events.asp. | | If I click on the futher information link I get this info: | Product: Windows Operating System | ID: 10004 | Source: DCOM | Version: 5.0 | Component: System Event Log | Symbolic Name: EVENT_RPCSS_RUNAS_CANT_LOGIN | Message: DCOM got error "%%%1" and was unable to logon %2\\%3 in order to | run the server: | %4 | | I've not been able to find the service or application that is using the user | name's credentials so that I can change it to the new password. | | How do I go about finding it? | | -- | Any help would be greatly appreciated. | Jeff D |
