Event ID 529 every morning at 6:00 AM
Every morning at 6:00 AM the following event id is logged in the server:Event Type: Failure AuditEvent Source: SecurityEvent Category: Logon/Logoff Event ID: 529Date: 4/5/2010Time: 6:00:00 AMUser: NT AUTHORITY\SYSTEMComputer: MYSERVERNAMEDescription:Logon Failure:Reason: Unknown user name or bad passwordUser Name: administratorDomain: CGALogon Type: 4Logon Process: Advapi Authentication Package: NegotiateWorkstation Name: ([MYSERVERNAME]Caller User Name: MYSERVERNAME$Caller Domain: MYDOMAINNAMECaller Logon ID: (0x0,0x3E7)Caller Process ID: 1800Transited Services: -Source Network Address: -Source Port: -This started to occur after I changed the administrator's password.I know that Logon type 4 is a scheduled task and that caller process id 1800 is svchost.exe, but I do not know what task that is.I have changed all of the services in administrative tools that used the administrator account to another account and they have all been working fine.Any help would be much appreciated.Susie
April 8th, 2010 12:35am

HI Please read this blog http://blogs.msdn.com/puneetgupta/archive/2007/08/20/unknown-username-or-bad-password-inetinfo-exe-advapi.aspx I think that the Advapi process considered is virus ,please scan your system by an update AV
Free Windows Admin Tool Kit Click here and download it now
April 8th, 2010 9:37am

Thank you for your response, however, this is not inetinfo.exe it is svchost.exe
April 13th, 2010 10:27pm

Hi,Some of the services are trying to still authenticate to the old administrative account,Have you logged off and logged back in after changing the password ?, the reason because , when you login LSASS would contact the SAM and the request would proceed to the object manager to generate an access token and this access token would be attached to the every thread your OS uses.So when you change the password of the administrator , the existing threads still try authenticate to older access token , unless the administrator again logs back in .
Free Windows Admin Tool Kit Click here and download it now
April 15th, 2010 6:46am

I have restarted the server maybe three times since I changed the administrator's password. I still get this message at 6:00 AM every morning. Thank you. Susie
April 27th, 2010 11:02pm

Yes I have logged off and then back on as the administrator. This event still occurs every morning at 6AM. In fact, it now logs itself twice. Each time says 6 AM
Free Windows Admin Tool Kit Click here and download it now
July 1st, 2010 9:28pm

This topic is archived. No further replies will be accepted.

Other recent topics Other recent topics