administrator account logon failures
Hi,
Could someone help with the following Event ID (529) that is logged in the security log of one of our domain controllers (multiple times).
It appears (?) to be a logon failure for the administrator account of a member server (STAFF1), but it is logged on a DC.
If it is for the local administrator account, then my question is, why is it logged on the DC? I thought that only domain account events were logged there.
09/02/2011
23:53:39
Security
529
Failure
Logon/Logoff
NT AUTHORITY\SYSTEM
DC0
Logon Failure:
Reason: Unknown user name or bad password
User Name: Administrator
Domain: STAFF1
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: STAFF1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.xxx.yyy
Source Port: 58493
The Domain (STAFF1) and the Address (192.168.xxx.yyy) are the same system.
Any help appreciated.
Thanks,
Kevin
February 10th, 2011 6:59am
Hi Kevin,
This issue occurs when the user logs off: Windows will write event ID 529 to the log file because the OS incorrectly tries to contact the domain controller (DC), despite the fact that the machine is using a local account. To solve this issue, make sure the OS is up to date with the latest service pack. For more information, please refer to:
Security Event 529 is logged for local user accounts
http://support.microsoft.com/kb/811082
Authentication of trusted users fails on a Windows Server 2003-based server if the UPN format is used and if the value of the LmCompatibilityLevel entry is equal to or larger than 3
http://support.microsoft.com/kb/947861
Hope it helps.
February 15th, 2011 1:44am
I've just been told that the member server is Windows 2008 and is up-to-date with security patches, so unfortunately, those bugs don't apply.
Kevin
February 18th, 2011 9:03am
Is it possible to figure out the creation pattern of those error messages? Like "every 5 minutes" or "at logon"?
MCITP: Enterprise Administrator; MCT; Microsoft Security Trusted Advisor; CCNA
February 18th, 2011 10:19am
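One way to answer the timing question in the last reply, as an added example that is not part of the original thread: parse exported 529 records, group them by account and caller, and check whether the failures recur at a fixed interval. The `parse_529` and `failure_pattern` names, the DD/MM/YYYY date format, the sample timestamps and the second account (`EXAMPLE\jsmith` on `PC7`) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

FIELD = re.compile(r"^\s*([A-Za-z ]+):\s*(.*)$")   # "Name: value" lines of the description

def parse_529(date, time, description):
    """Turn one exported event (date, time, description text) into a dict."""
    # Assumption: dates are DD/MM/YYYY, as the thread's dates suggest.
    ev = {"when": datetime.strptime(f"{date} {time}", "%d/%m/%Y %H:%M:%S")}
    for line in description.splitlines():
        m = FIELD.match(line)
        if m:
            ev[m.group(1).strip()] = m.group(2).strip()
    return ev

def failure_pattern(events, tolerance=5):
    """Group failures by (Domain, User Name, Workstation Name) and describe timing."""
    groups = defaultdict(list)
    for ev in events:
        key = (ev["Domain"], ev["User Name"], ev["Workstation Name"])
        groups[key].append(ev["when"])
    report = {}
    for (domain, user, wks), times in groups.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps) if gaps else None
        report[(domain, user, wks)] = {
            "count": len(times),
            # Domain equal to the workstation name: the account is local to the caller
            "local_account": domain.lower() == wks.lower(),
            "median_gap_s": med,
            # A fixed interval points to something automated rather than a person typing
            "periodic": len(gaps) >= 3 and all(abs(g - med) <= tolerance for g in gaps),
        }
    return report

# Constructed sample: field layout from the thread, timestamps and second account invented
TEMPLATE = ("Logon Failure:\nReason: Unknown user name or bad password\n"
            "User Name: {0}\nDomain: {1}\nLogon Type: 3\nWorkstation Name: {2}\n"
            "Source Network Address: 192.168.xxx.yyy")
SAMPLE = [("09/02/2011", "23:53:39", "Administrator", "STAFF1", "STAFF1"),
          ("09/02/2011", "23:58:40", "Administrator", "STAFF1", "STAFF1"),
          ("10/02/2011", "00:03:39", "Administrator", "STAFF1", "STAFF1"),
          ("10/02/2011", "00:08:41", "Administrator", "STAFF1", "STAFF1"),
          ("09/02/2011", "23:10:02", "jsmith", "EXAMPLE", "PC7"),
          ("10/02/2011", "00:47:15", "jsmith", "EXAMPLE", "PC7")]
EVENTS = [parse_529(d, t, TEMPLATE.format(u, dom, w)) for d, t, u, dom, w in SAMPLE]

if __name__ == "__main__":
    for key, info in failure_pattern(EVENTS).items():
        print(key, info)
```

A group reported as periodic with a local account is worth matching against scheduled tasks, services and mapped drives on the calling machine that run at that interval.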


