Event 531 "CarlS via WinServerKB.com" <u35559[ at ]uwe> 05.07.2007 18:09:40 We are getting the following event on only one of our many servers. Event Type: Failure Audit Event Source: Security Event Category: Logon/Logoff Event ID: 531 Date: 6/27/2007 Time: 11:25:00 PM User: NT AUTHORITY\SYSTEM Computer: {computername} Description: Logon Failure: Reason: Account currently disabled User Name: Domain: Logon Type: 3 Logon Process: Authz Authentication Package: Kerberos Workstation Name: {computername} Caller User Name: {computername}$ Caller Domain: {domain} Caller Logon ID: (0x0,0x3E7) Caller Process ID: 824 Transited Services: - Source Network Address: - Source Port: - (I have replaced references to the computer name and domain, for security reasons) This happens every time Symantec System Recovery runs a job and when Veritas Backup Exec runs a job. There are 2 possible accounts that can be set up for these items. (User1 and User2) Currenly User1 is disabled, and User2 is being used by the services. When it is time to change passwords, we would activate User1, and set a new password. Then we would proceed to change all the systems to use User1 for it's services. Once all the systems are changed, we will disable User2. The next time the password cycle comes around, we do the same, but change User2 to be the active account. The last time we did this, we only had the Veritas Backup Exec agent running. Since then, we have installed the System Recovery agent. Everything has been fine, until this machine was rebooted after upgrading our domain to active directory. Now we get this error. If I re-enable User1, the problem goes away. I have looked throughout the registry, deleted and re-created the backup jobs, scoured the web, and have a case open with Symantec. So far, I can not find where User1 may still be defined. Any help in pointing me in the right direction would be greatly appreciated. -- Message posted via WinServerKB.com http://www.winserverkb.com/Uwe/Forums.aspx/windows-server-security/200707/1

Re: Event 531 "CarlS via WinServerKB.com" <u35559[ at ]uwe> 06.07.2007 19:18:27 In troubleshooting this issue, I ran a backup of the system state with NTbackup. This error is appearing when I run that as well. Any thoughts? CarlS wrote: [Quoted Text] >We are getting the following event on only one of our many servers. > >Event Type: Failure Audit >Event Source: Security >Event Category: Logon/Logoff >Event ID: 531 >Date: 6/27/2007 >Time: 11:25:00 PM >User: NT AUTHORITY\SYSTEM >Computer: {computername} >Description: >Logon Failure: > Reason: Account currently disabled > User Name: > Domain: > Logon Type: 3 > Logon Process: Authz > Authentication Package: Kerberos > Workstation Name: {computername} > Caller User Name: {computername}$ > Caller Domain: {domain} > Caller Logon ID: (0x0,0x3E7) > Caller Process ID: 824 > Transited Services: - > Source Network Address: - > Source Port: - > >(I have replaced references to the computer name and domain, for security >reasons) > >This happens every time Symantec System Recovery runs a job and when Veritas >Backup Exec runs a job. There are 2 possible accounts that can be set up for >these items. (User1 and User2) Currenly User1 is disabled, and User2 is being >used by the services. When it is time to change passwords, we would activate >User1, and set a new password. Then we would proceed to change all the >systems to use User1 for it's services. Once all the systems are changed, we >will disable User2. The next time the password cycle comes around, we do the >same, but change User2 to be the active account. > >The last time we did this, we only had the Veritas Backup Exec agent running. >Since then, we have installed the System Recovery agent. Everything has been >fine, until this machine was rebooted after upgrading our domain to active >directory. Now we get this error. If I re-enable User1, the problem goes away. > >I have looked throughout the registry, deleted and re-created the backup jobs, >scoured the web, and have a case open with Symantec. So far, I can not find >where User1 may still be defined. > >Any help in pointing me in the right direction would be greatly appreciated. -- Message posted via http://www.winserverkb.com