Microsoft KB Archive/811082

= Security Event 529 is logged for local user accounts =

Article ID: 811082

Article Last Modified on 7/24/2007

-

APPLIES TO


 * Microsoft Windows XP Professional
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)

-





SYMPTOMS
Consider the following scenario. A Microsoft Windows XP Professional-based member computer is joined to a domain controller. In the domain controller, the audit policy is turned on for logon failures. When a local user on the member computer logs off, the following event is logged two times in the Security log in the domain controller:

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date:

Time:

User: NT AUTHORITY\SYSTEM

Computer:

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name:

Domain:

Logon Type: 3

Logon Process: KSecDD

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

Workstation Name:

For more information, see Help and Support Center at http://support.microsoft.com.

Consider the following scenario. A Microsoft Windows Server 2003-based member computer is joined to a domain controller. In the domain controller, the audit policy is turned on for logon failures. When a local user on the member computer logs off, the following event is logged in the Security log in the domain controller:

Event Type: Failure Audit

Event Source: Security

Event Category: Logon/Logoff

Event ID: 529

Date:

Time:

User: NT AUTHORITY\SYSTEM

Computer:

Description:

Logon Failure:

Reason: Unknown user name or bad password

User Name:

Domain:

Logon Type: 3

Logon Process: NtLmSsp

Authentication Package: NTLM

Workstation Name:

For more information, see Help and Support Center at http://support.microsoft.com.



CAUSE
When a user logs off, Windows XP or Windows Server 2003 re-reads the user record for updated information to optimize the next logon process. However, Windows ignores the fact that the user is from the local SAM database and instead tries to contact the domain if the computer is a member of a domain.



Windows XP
To resolve this problem, obtain the latest service pack for Microsoft Windows XP.

Service pack information
For more information about how to obtain the latest Windows XP service pack, click the following article number to view the article in the Microsoft Knowledge Base:

322389 How to obtain the latest Windows XP service pack

For more information about the list of fixes included in Windows XP Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:

811113 List of fixes included in Windows XP Service Pack 2

Windows Server 2003
To resolve this problem, do one of the following:
 * Obtain the latest service pack for Microsoft Windows Server 2003.
 * Apply the hotfix that is mentioned in this article to the Windows Server 2003-based member computer.

Service pack information
For more information about how to obtain the latest service pack for Windows Server 2003, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
No prerequisites are required.

Restart requirement
You must restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix does not replace any other hotfixes.

File information
The English version of this hotfix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Windows Server 2003, Itanium-based Systems
  Date         Time   Version           Size     File name      Platform 08-Jul-2005 13:17  5.2.3790.367      640,000  Winlogon.exe   IA-64 08-Jul-2005 13:26  5.2.3790.367       67,072  Arpidfix.exe   IA-64 24-Feb-2005 15:22  6.1.22.4          639,712  Updspapi.dll   IA-64

Windows Server 2003, 32-bit versions
  Date         Time   Version           Size     File name -  11-Jul-2005  19:55  5.2.3790.367      497,152  Winlogon.exe 09-Jul-2005 02:02  5.2.3790.367       30,208  Arpidfix.exe 05-Mar-2005 01:30  6.1.22.4          371,936  Updspapi.dll



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
For more information about the standard terminology that is used to describe Microsoft software updates, click the following article number to view the article in the Microsoft Knowledge Base:

824684 Description of the standard terminology that is used to describe Microsoft software updates

Keywords: kbhotfixserver kbqfe kbbug kbfix kbqfe kbwinserv2003presp1fix kbpubtypekc KB811082

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.