Logon process: NtLmSsp
One of the local accounts (printeraccount) from the print server is trying to authenticate with the servers in the same domain. I'm getting Event ID 529 from a couple of machines. I can find a few more of the same logs related to other workstations, but I don't have access to check those machines. Any idea why this local account is trying to authenticate with one of the servers?
Event ID details:
user id: NT AUTHORITY\SYSTEM
Logon Failure:
Reason: Unknown user name or bad password
User Name: printeraccount
Domain: server1
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: server1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: X.X.X.X
Source Port: 0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Nidhin.CK System Analyst
September 7th, 2011 8:46am
I got the below article from MS, but it says this Event ID 529 will get generated in DC not. But in my case the event ID is getting generated in one of the servers.
http://support.microsoft.com/kb/811082
Nidhin.CK System Analyst
September 7th, 2011 9:00am
Hi,
When Event 529 is logged, you should look for patterns in the event. Determine if there are several 529 events logged and determine if they all occur in one second or if they occur at specific time intervals. If so, there is a process or service that is running on the computer that is sending incorrect credentials. Look at the Logon Process and Logon Type entries in the log to determine the type of process that is passing incorrect credentials and to determine how the process is logging on. For more information, please refer to:
http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx
http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows+Operating+System&ProdVer=5.0&EvtID=529&EvtSrc=Security&LCID=1033
Hope it helps.
Regards,
Bruce
September 13th, 2011 12:03pm
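Added example, not part of the original thread: a Python sketch of the pattern check described in the reply above, grouping exported 529 events by user, workstation, logon type and logon process and labelling each group by its timing. The event tuples are constructed sample data (only the printeraccount/server1 values come from the post), and the 10% jitter threshold is an assumption.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: (timestamp, user name, workstation, logon type, logon process)
SAMPLE_EVENTS = [
    ("2011-09-07 08:00:00", "printeraccount", "server1", 3, "NtLmSsp"),
    ("2011-09-07 08:15:01", "printeraccount", "server1", 3, "NtLmSsp"),
    ("2011-09-07 08:30:00", "printeraccount", "server1", 3, "NtLmSsp"),
    ("2011-09-07 08:45:02", "printeraccount", "server1", 3, "NtLmSsp"),
    ("2011-09-07 09:10:00", "svc_backup", "server2", 3, "NtLmSsp"),
    ("2011-09-07 09:10:00", "svc_backup", "server2", 3, "NtLmSsp"),
    ("2011-09-07 09:10:01", "svc_backup", "server2", 3, "NtLmSsp"),
    ("2011-09-07 10:02:13", "jsmith", "ws7", 2, "User32"),
    ("2011-09-07 13:47:40", "jsmith", "ws7", 2, "User32"),
    ("2011-09-07 14:05:09", "jsmith", "ws7", 2, "User32"),
]

def classify(times, jitter=0.1):
    """Label one group's failures as single, burst, periodic or irregular."""
    times = sorted(times)
    if len(times) < 2:
        return "single", None
    if (times[-1] - times[0]).total_seconds() <= 1:
        return "burst", None  # every failure falls within one second
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    avg = mean(gaps)
    # Periodic: three or more events whose gaps stay close to their mean,
    # which points at a scheduled task or service with stale credentials.
    if len(gaps) >= 2 and pstdev(gaps) <= jitter * avg:
        return "periodic", round(avg)
    return "irregular", None

def find_patterns(events):
    """Group events by (user, workstation, logon type, logon process)."""
    groups = defaultdict(list)
    for ts, user, wks, ltype, lproc in events:
        stamp = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        groups[(user, wks, ltype, lproc)].append(stamp)
    return {key: classify(stamps) for key, stamps in groups.items()}

if __name__ == "__main__":
    for key, (label, period) in find_patterns(SAMPLE_EVENTS).items():
        print(key, label, f"every ~{period}s" if period else "")
```

A "periodic" or "burst" label with Logon Type 3 and NtLmSsp indicates an automated network logon rather than a person typing a password, which narrows the search to services, scheduled tasks or mapped connections on the source machine.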
Hi Bruce, thanks for your precious time... I will check these settings and let you know the status.
Nidhin.CK System Analyst
September 13th, 2011 2:38pm


