Id. 4625 in Windows 2008 R2 Server
Hi, I have installed a Windows 2008 R2 in my network. The server isn't a DC; it is only a print server. I've seen in the Event Viewer that there are Id. 4624 events. These events occur every 2 minutes. This is the event log:

- System
  - Provider [ Name] Microsoft-Windows-Security-Auditing [ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 4625
  Version 0
  Level 0
  Task 12544
  Opcode 0
  Keywords 0x8010000000000000
  - TimeCreated [ SystemTime] 2011-01-24T09:05:38.099625000Z
  EventRecordID 151033
  Correlation
  - Execution [ ProcessID] 460 [ ThreadID] 1368
  Channel Security
  Computer SPRINTNEW.icmab.es
  Security
- EventData
  SubjectUserSid S-1-0-0
  SubjectUserName -
  SubjectDomainName -
  SubjectLogonId 0x0
  TargetUserSid S-1-0-0
  TargetUserName PCD319F$
  TargetDomainName ICMAB-CSIC
  Status 0xc000006d
  FailureReason %%2313
  SubStatus 0xc0000064
  LogonType 3
  LogonProcessName NtLmSsp
  AuthenticationPackageName NTLM
  WorkstationName PCD319F
  TransmittedServices -
  LmPackageName -
  KeyLength 0
  ProcessId 0x0
  ProcessName -
  IpAddress 158.109.19.145
  IpPort 50296

I saw that the source port is changing in every event. This Windows 2008 R2 is installed on a VMware ESXi server. Can you help me, please?
January 24th, 2011 4:28am

Hi, Event 4625 means "An account failed to log on". From the event, we can see that a computer called PCD319F, with the IP address 158.109.19.145, attempted to access this computer from the network by using its computer account PCD319F$ but failed because of 0xc0000064, "The specified user does not exist". As a result, I suggest that you check why the computer keeps trying to access this computer. Hope the information is helpful. This posting is provided "AS IS" with no warranties, and confers no rights. Please remember to click Mark as Answer on the post that helps you, and to click Unmark as Answer if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
January 27th, 2011 12:28am
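
The reading of the event given in the answer above (machine account, NTLM network logon, SubStatus 0xc0000064, one source address with a changing port) can be automated for triage. This is an added example, not part of the original thread: the function names are this example's own, the XML is constructed from the field values in the posted event, and the second event's timestamp and port are made up.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
NTSTATUS = {  # Status/SubStatus values commonly seen in event 4625
    0xC000006D: "logon failure (bad user name or authentication information)",
    0xC0000064: "user name does not exist",
    0xC000006A: "wrong password",
    0xC0000072: "account disabled",
    0xC0000234: "account locked out",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 10: "RemoteInteractive"}

def parse_4625(xml_text):
    """Return the triage-relevant fields of one event, or None if it is not 4625."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    sub = int(data["SubStatus"], 16)
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "account": data["TargetDomainName"] + "\\" + data["TargetUserName"],
        "machine_account": data["TargetUserName"].endswith("$"),
        "source": data["IpAddress"],
        "package": data["AuthenticationPackageName"],
        "logon_type": LOGON_TYPES.get(int(data["LogonType"]), data["LogonType"]),
        "reason": NTSTATUS.get(sub, hex(sub)),
    }

def summarize(events):
    """Count failures per (source, account, reason); IpPort changes per attempt and is ignored."""
    rows = [r for r in map(parse_4625, events) if r]
    return Counter((r["source"], r["account"], r["reason"]) for r in rows)

def sample(time, port):  # constructed event XML; field values copied from the posted event
    fields = {"TargetUserName": "PCD319F$", "TargetDomainName": "ICMAB-CSIC",
              "Status": "0xc000006d", "SubStatus": "0xc0000064", "LogonType": "3",
              "AuthenticationPackageName": "NTLM", "IpAddress": "158.109.19.145",
              "IpPort": str(port)}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID>'
            f'<TimeCreated SystemTime="{time}"/></System>'
            f'<EventData>{body}</EventData></Event>')

# Constructed input: the first event matches the post; the second timestamp and port are made up.
SAMPLE_EVENTS = [sample("2011-01-24T09:05:38.099625000Z", 50296),
                 sample("2011-01-24T09:07:38.099625000Z", 50301)]
print(summarize(SAMPLE_EVENTS))
```

Grouping on source, account and reason while ignoring the port collapses the repeating events into one row per client, which makes it easy to see whether the failures come from one machine or from every workstation.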

Hi Joson, Thanks for your answer. This event occurs with all the users in my company. This server is the print server of the company. Is it possible that the problem is here? What is the role of the NTLM package in this situation? Thanks
January 27th, 2011 8:07am

Hi, According to the computer name, SPRINTNEW.icmab.es, it seems that the computer is not in the same domain as PCD319F. Assume that your company domain is ICMAB-CSIC. The issue may occur if there is no trust between the domains. It could be helpful if you tell us more information about the environment.
January 28th, 2011 12:36am

Hi Joson, I think the problem is this. The domain name is ICMAB-CSIC but all the machines have a DNS suffix like icmab.es (it's an inherited domain). Thanks!
January 28th, 2011 3:10am

Hi, Do you mean they are two different domains? May I know what you are trying to do? Is it possible to join the print server to the same domain as the other machines? Or could you create a trust between the domains? For single-label domains, please refer to the following KB article: Information about configuring Active Directory domains by using single-label DNS names http://support.microsoft.com/kb/300684
January 30th, 2011 9:53pm

Hi Joson, Thanks for your answer. The PDC is not a Windows system. Now, in Local Security Policy, I have configured the level of the audit. We are only registering the events that are correct (4624 and 4634). Thanks!
February 1st, 2011 8:21am

Hi, After a few days, I have discovered that it's an account rights problem. On the shared printer, there are rights for the EVERYONE group, and not for Domain Users. So the users can print, but every user that is connected to the shared printer registers an NTLM audit system event. I have changed Security Settings -> Audit Policy -> Audit account logon events and Audit logon events. Thanks!
February 4th, 2011 6:48am

This topic is archived. No further replies will be accepted.
