Logon failure

Hi all,

My AD sees so many logon failure events... it seems there are a few logon failure attempts within a second.

EventID: 529

User : NT Authority \SYSTEM

Computer : AD01

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name : Administrator

Domain: SERVER01

Logon Type : 3

Logon Process: NTLMSSP

Authentication Package: NTLM

WorkStation Name: SERVER01

Caller User name: -

Caller Domain: -

Caller Logon ID: -

Caller Process ID: -

Transited Services: -

Source Network address : 192.168.1.10

Source Port: 59219 (actually it's a random port for each of the failure attempts)

Does anyone have an idea how to track down this logon attempt?

And is this trying the domain admin password or just the local admin password?

I see some websites saying that "logon type" 3 is about using some network resources?

January 29th, 2014 6:53am

This could be malware running on 192.168.1.10. I would look at this box. Also, if you recently changed the admin password, a service account, scheduled task, etc. could be running on it. If it turns out to be something configured, I would work to get the admin account removed; this is a bad security practice.
January 29th, 2014 7:56pm

Will the Source Network address: 192.168.1.10 be reported wrongly?

January 30th, 2014 7:07am

Hi,

By the question in your last reply, do you mean that the network address could be wrong?

The answer is unlikely; event messages are always reliable for troubleshooting.

In addition, logon type 3 indicates that a user or computer logged on to this computer from the network.

More information for you to track down the logon attempt below:

Security Event 529 is logged for local user accounts

http://support.microsoft.com/kb/811082

Troubleshooting Account Lockout

http://technet.microsoft.com/en-us/library/cc773155(v=WS.10).aspx

Troubleshooting account lockout the PSS way

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Account lockout is caused by failed logon attempts, so the articles above should be useful for you, too.

Best Regards,

Amy Wang

January 31st, 2014 6:02am
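
One way to triage a run of these events when tracing the source, as an added example that is not part of the original thread: it parses Event 529 descriptions in the layout quoted in the question and groups the failures by source address, workstation and account. The function names, the (timestamp, description) input shape and the sample timestamps are assumptions, and the `machine_qualified` flag is an interpretation of the fields that is labelled in the code.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Labels as they appear in the Event ID 529 description quoted in the thread.
FIELDS = ("User Name", "Domain", "Logon Type", "Workstation Name",
          "Source Network Address", "Source Port")

def parse_529(description):
    """Map each label in FIELDS to its value; 'Caller ...' lines are not matched."""
    event = {}
    for name in FIELDS:
        pattern = r"^[ \t]*%s[ \t]*:[ \t]*(.*?)[ \t]*$" % re.escape(name)
        m = re.search(pattern, description, re.I | re.M)
        event[name] = m.group(1) if m else None
    return event

def summarize(records):
    """records: iterable of (datetime, description). One row per origin/account."""
    groups = defaultdict(lambda: {"n": 0, "ports": set(), "per_sec": Counter()})
    for ts, description in records:
        ev = parse_529(description)
        g = groups[tuple(ev[f] for f in FIELDS[:5])]
        g["n"] += 1
        g["ports"].add(ev["Source Port"])
        g["per_sec"][ts.replace(microsecond=0)] += 1
    rows = []
    for (user, dom, ltype, wks, addr), g in groups.items():
        rows.append({
            "source": addr, "workstation": wks, "account": f"{dom}\\{user}",
            "network_logon": ltype == "3",  # type 3 = logon from the network
            # Assumption: Domain equal to Workstation Name means the name was
            # qualified with the client's machine name, not an AD domain name.
            "machine_qualified": bool(dom and wks) and dom.lower() == wks.lower(),
            "failures": g["n"], "distinct_ports": len(g["ports"]),
            "peak_per_second": max(g["per_sec"].values()),
        })
    return sorted(rows, key=lambda r: -r["failures"])

# Constructed sample: field values from the thread, timestamps and ports invented.
TEMPLATE = ("Logon Failure:\n Reason: Unknown user name or bad password\n"
            " User Name: Administrator\n Domain: SERVER01\n Logon Type: 3\n"
            " Workstation Name: SERVER01\n Caller User Name: -\n Caller Domain: -\n"
            " Source Network Address: 192.168.1.10\n Source Port: {port}\n")
SAMPLE = [(datetime(2014, 1, 29, 6, 50, i // 3), TEMPLATE.format(port=59219 + i))
          for i in range(6)]

if __name__ == "__main__":
    print(*summarize(SAMPLE), sep="\n")
```

A single source with a high `peak_per_second` and a different port on every attempt points at an automated process on that machine (service, scheduled task, mapped drive or malware) rather than someone typing a password.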

This topic is archived. No further replies will be accepted.
