Security log in Event Viewer shows Failure Audits from other pcs????

April 30th, 2008 - 08:05 am ET by Saucer Man
I noticed on one of my Windows 2000 workstations that the Security log in
Event Viewer is showing Failure Audits from another PC. The other PC is a
Windows XP workstation. The failure audits are ID 681 and 529. These are
logon type errors. Why is it logging on someone else's PC?

Thanks!

#1 Roger Abell [MVP]
May 01st, 2008 - 02:30 am ET
Are you sure you are not misreading the event message?
Is it not telling you the workstation from which a network login
was originated, but the failed login was recorded on the machine
where the failed login was attempted?
If not, then please post an example of these so that we can
see what you are seeing instead of just hearing how you are
understanding it.

Roger
#2 Saucer Man
May 02nd, 2008 - 02:26 pm ET
OK. Here is what is happening. These events ...

1) The logon to account: john
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: HP-DV9608
failed. The error code was: 3221225572

2) Logon Failure:
Reason: Unknown user name or bad password
User Name: john
Domain: HP-DV9608
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: HP-DV9608

...were logged in another computer's Event Viewer.

Thanks.

#3 Roger Abell [MVP]
May 03rd, 2008 - 01:47 am ET
So, those messages are common, and are saying that
someone/something attempted to do a network login
(logon type 3) as an account named john onto the machine
where this was recorded from a machine that was named
HP-DV9608 that was not in a domain (domain same as
workstation name)

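The two events posted in #2, decoded field by field the way reply #3 reads them; this is an added example, not part of the original thread. The NTSTATUS and logon-type tables hold standard Windows values, and the function names `fields` and `triage` are made up for the example.

```python
import re

# NTSTATUS values often seen as the decimal "error code" in event 681.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive"}

# Event descriptions exactly as posted in reply #2 (681 first, then 529).
EVENT_681 = """The logon to account: john
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: HP-DV9608
failed. The error code was: 3221225572"""
EVENT_529 = """Logon Failure:
Reason: Unknown user name or bad password
User Name: john
Domain: HP-DV9608
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: HP-DV9608"""

def fields(text):
    """Turn the 'Key: value' lines of an event description into a dict."""
    out = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            out[key.strip().lower()] = value.strip()
    return out

def triage(ev681, ev529):
    f = fields(ev529)
    code = int(re.search(r"error code was:\s*(\d+)", ev681).group(1))
    return {
        "account": f["user name"],
        "source_host": f["workstation name"],  # where the attempt came from
        "status_hex": f"0x{code:08X}",
        "status": NTSTATUS.get(code, "unknown"),
        "logon_type": LOGON_TYPES.get(int(f["logon type"]), "other"),
        # Domain equal to the workstation name: the credentials offered are
        # local to the source machine (reply #3: machine not in a domain).
        "local_account": f["domain"].upper() == f["workstation name"].upper(),
    }
```

For the posted events, `triage(EVENT_681, EVENT_529)` reports a Network logon from HP-DV9608 that failed with 0xC0000064, STATUS_NO_SUCH_USER: the machine that logged the event has no account named john to match.
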
#4 Saucer Man
May 05th, 2008 - 08:01 am ET
The problem is John on machine HP-DV9608 did not try to logon to the PC
where this was logged. John only logged onto machine HP-DV9608 which is
only part of a workgroup. When he does this, these events get logged into
this OTHER machine in the domain.

#5 Roger Abell [MVP]
May 06th, 2008 - 02:55 am ET
Something John is doing, or that starts when he logs in,
is attempting an authenticated network access to the box
where this gets logged. Check the processes running or
what use they are making of the network (consider tools
like TcpView from Sysinternals at the MS website)