Implementation of securedc.inf / Event ID 529 & 681

Guest
Archived from groups: microsoft.public.win2000.group_policy (More info?)

I have a Windows 2000 network running in mixed mode
(mostly WIN2K servers) and all WIN2K desktops. We are a
state agency that is part of the larger state's forest. I
imported and implemented the securedc.inf group security
policy on the network two days ago. Now I notice that
some of my WIN2K servers are generating Security Event
IDs 529 and 681 in the Event logs. I found out that these
events are recording unsuccessful authentications /
logins. They were probably happening all along but the new
group policy is recording them. The problem is that all of
these events (529 and 681) are being generated by two
servers outside of my domain. I spoke with the admins for
the other domains and they have no idea what is going on.
They say these servers are secured in server rooms with
restricted access so I am guessing that someone is not
trying to hack into my network. The domains involved have
no relationship with our agency and although I can see the
domains in Network Neighborhood I do not have access to
them and vice versa. My question is what is happening and
why only these two servers. There are over 1000 servers
in the forest so there must be something configured
incorrectly on these two otherwise why wouldn't the other
servers be generating the events as well. The logs are
listed below.

/21/2004 11:36:37 AM Security
Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM
TEST_REGION123 "Logon Failure:
Reason: Unknown user name or bad password
User Name: SVC_Profile
Domain: EPS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: EPS-INF-PAR-001 "

4/21/2004 11:36:37 AM Security
Failure Audit Account Logon 681 NT AUTHORITY\SYSTEM
TEST_REGION123 The logon to account: SVC_Profile
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: EPS-INF-PAR-001
failed. The error code was: 3221225572
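
The decimal error code in the 681 record above maps to an NTSTATUS value, and grouping the failures by source shows whether they follow a fixed schedule. The following is an added example, not part of the original post: it parses records in the posted layout, decodes the code, and measures the gap between failures per workstation and account. The function names and the two later sample records are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Event 681 logs NTSTATUS codes in decimal; references list them in hex.
NTSTATUS = {0xC0000064: "STATUS_NO_SUCH_USER", 0xC000006A: "STATUS_WRONG_PASSWORD",
            0xC0000072: "STATUS_ACCOUNT_DISABLED", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
TS = r"\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M"
FIELDS = re.compile(
    rf"(?P<ts>{TS}).*?\b681\b.*?logon to account:\s*(?P<account>\S+)"
    r".*?from workstation:\s*(?P<host>\S+).*?error code was:\s*(?P<code>\d+)",
    re.DOTALL)

def decode_status(decimal_code):
    """Turn the decimal error code from event 681 into hex plus NTSTATUS name."""
    code = int(decimal_code)
    return f"0x{code:08X}", NTSTATUS.get(code, "unknown")

def parse_681(text):
    """Split an exported log at each timestamp and extract every event 681."""
    events = []
    for record in re.split(rf"^(?={TS})", text, flags=re.MULTILINE):
        m = FIELDS.match(record)
        if m:  # skips non-681 records such as the paired 529
            status, meaning = decode_status(m["code"])
            events.append({"time": datetime.strptime(m["ts"], "%m/%d/%Y %I:%M:%S %p"),
                           "account": m["account"], "host": m["host"],
                           "status": status, "meaning": meaning})
    return events

def failure_intervals(events):
    """Minutes between consecutive failures for each (workstation, account)."""
    by_source = defaultdict(list)
    for e in sorted(events, key=lambda e: e["time"]):
        by_source[(e["host"], e["account"])].append(e["time"])
    return {src: [int((b - a).total_seconds() // 60) for a, b in zip(t, t[1:])]
            for src, t in by_source.items()}

# Constructed sample in the posted layout; the two later 681 records are invented.
REC_681 = ("{ts} Security\nFailure Audit Account Logon 681 NT AUTHORITY\\SYSTEM\n"
           "TEST_REGION123 The logon to account: SVC_Profile\n"
           "by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
           "from workstation: EPS-INF-PAR-001\nfailed. The error code was: 3221225572\n\n")
SAMPLE = ("4/21/2004 11:36:37 AM Security\n"
          "Failure Audit Logon/Logoff 529 NT AUTHORITY\\SYSTEM\n"
          "TEST_REGION123 \"Logon Failure:\nReason: Unknown user name or bad password\"\n\n"
          + "".join(REC_681.format(ts=t) for t in (
              "4/21/2004 11:36:37 AM", "4/21/2004 12:21:37 PM", "4/21/2004 1:06:37 PM")))
print(failure_intervals(parse_681(SAMPLE)))
```

The posted code 3221225572 is 0xC0000064 (STATUS_NO_SUCH_USER), meaning the account name was not found where it was validated, which is narrower than the "unknown user name or bad password" text in event 529. A constant gap between failures from one workstation is consistent with an automated process on that host retrying on a timer.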
 
Guest

Tim,

Might want to check on both domains to see if there was once a trust, that
is still in place (or at least 1/2 in place).

Also, check all service accounts on the other domain to make sure it is not
trying to authenticate back to your domain.

--
Derek Melber
BrainCore.Net
derekm@braincore.net
"Tim S." <anonymous@discussions.microsoft.com> wrote in message
news:2f0501c42896$52c898e0$a001280a@phx.gbl...
> I have a Windows 2000 network running in mixed mode
> (mostly WIN2K servers) and all WIN2K desktops. We are a
> state agency that is part of the larger state's forest. I
> imported and implemented the securedc.inf group security
> policy on the network two days ago. Now I notice that
> some of my WIN2K servers are generating Security Event
> IDs 529 and 681 in the Event logs. I found out that these
> events are recording unsuccessful authentications /
> logins. They were probably happening all along but the new
> group policy is recording them. The problem is that all of
> these events (529 and 681) are being generated by two
> servers outside of my domain. I spoke with the admins for
> the other domains and they have no idea what is going on.
> They say these servers are secured in server rooms with
> restricted access so I am guessing that someone is not
> trying to hack into my network. The domains involved have
> no relationship with our agency and although I can see the
> domains in Network Neighborhood I do not have access to
> them and vice versa. My question is what is happening and
> why only these two servers. There are over 1000 servers
> in the forest so there must be something configured
> incorrectly on these two otherwise why wouldn't the other
> servers be generating the events as well. The logs are
> listed below.
>
> /21/2004 11:36:37 AM Security
> Failure Audit Logon/Logoff 529 NT AUTHORITY\SYSTEM
> TEST_REGION123 "Logon Failure:
> Reason: Unknown user name or bad password
> User Name: SVC_Profile
> Domain: EPS
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: EPS-INF-PAR-001 "
>
> 4/21/2004 11:36:37 AM Security
> Failure Audit Account Logon 681 NT AUTHORITY\SYSTEM
> TEST_REGION123 The logon to account: SVC_Profile
> by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
> from workstation: EPS-INF-PAR-001
> failed. The error code was: 3221225572
>
>
>
 
Guest

Derek,

Thanks for the reply. There is no trust relationship and
there never was. I have the network admin at the other
agency check the service accounts and he says they are
all properly configured. I discovered that this problem is
happening on my two SQL servers (SQL7) and on a Test 2000
server box I just built a week ago. It is not happening on
my other 2000 or NT servers. The events happen every 45
minutes.
