Event viewer security audit.

[spool]

Hello all,

lately I am having a problem with a workstation WinXP on a network trying to logon to an other workstation Win 2000. It is a peer to peer network. I have in Win 2000 event viewer security audit set up to audit, logon/logoff attempts. All users need a password to logon. This person does not know the password to logon to the Win 2000. She says that she is not trying to log into it but everyday I get a failure to Logon notice in event viewer. I worked with her one day and she did noting to logon to the Win 2000 computer. She never ckicked on My Network Places. The next day I checked the Win 2000 computer and in event viewer there were two failure to logon events again. Time of events were the same time she was at the workstation. No one else uses this computer and she logs off when done. Event ID# 529, and the second failure ID #681,Error code 3221225572. I know that these ID's have to do with Unknown user and bad password. Why is the XP workstation trying to logon to the 2000 workstation when no one is trying to log on to it? Does anyone know what is making this happen? Thanks.

Thanks,
spool

 

[spool]

Here is an update, I have the Event Audits that I find in Security - Event Viewer.

I think XP is looking for a shared resourse but I have no idea what XP is trying to find as a shared resource on the Win 2000 computer. The user has no account on the Win 2000 just the administrator, Me. I did find out that when she logs on to XP, XP then trys to logon to Win 2000 also. The times match. I have the exact reading of the two event audits from Win 2000 that comes up everyday when she logs on to her computer, XP.

Event 1:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 7/27/2003
Time: 8:43:48 AM
User: NT AUTHORITY\SYSTEM
Computer: POOL
Description:
The logon to account: Mary
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: BLACK
failed. The error code was: 3221225572

Event 2:

Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/27/2003
Time: 8:43:48 AM
User: NT AUTHORITY\SYSTEM
Computer: POOL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Mary
Domain: BLACK
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BLACK
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 7/27/2003
Time: 8:43:48 AM
User: NT AUTHORITY\SYSTEM
Computer: POOL
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Mary
Domain: BLACK
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: BLACK

Thanks for any help,
spool

 

[spool]

Update:


I found out what the Xp computer was doing. It assigned itself as the Master Browser and was trying to refresh it's list. When XP's user logged on XP would try to get the update from the 2000 first before seaching the network. 2000 denied access logon so thats why the logon failure event.
Why is this happening we ask?

I set up the Win 2000 as a FTP Server. I disabled the Everyone Group and Anonymous Logon for security reasons. I also made it where no one or network service can log into 2000 with out the right permissions.

So now I Disabled the Browseing Service on XP and 2000 and now no more Logon Failure Events.
Don't need this service anyway.

Thanks, Tom