Event ID 529 – Logon Failure: Unknown User Name or Bad Password
Event ID | 529 |
Category | Logon/Logoff |
Type | Failure Audit |
Description | Logon failure – Unknown username or bad password |
When there is a logon failure, event 529 is generated on the server or workstation where the user failed to log on successfully.
This log data provides the following information:
- User Name
- Domain
- Logon Type
- Logon Process
- Authentication Package
- Workstation Name
Additionally, in Windows Server 2003, the following information is also made available:
- Caller User Name
- Caller Domain
- Caller Logon ID
- Caller Process ID
- Transited Services
- Source Network Address
- Source Port
Why does event ID 529 need to be monitored?
- To detect brute-force, dictionary, and other password guess attacks.
- To detect abnormal and possibly malicious internal activity.
- To come up with a benchmark for the account lockout threshold policy.
- To ensure compliance with regulatory mandates.
Pro Tip:
With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks logon failures, helping you meet your security, operational, and compliance needs with absolute ease.
Event 529 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Vista is 4625.
Explore Active Directory auditing and reporting with ADAudit Plus.
- Related Products
- ADManager Plus Active Directory Management & Reporting
- ADAudit Plus Real-time Active Directory Auditing and UBA
- EventLog Analyzer Real-time Log Analysis & Reporting
- ADSelfService Plus Self-Service Password Management
- AD360 Integrated Identity & Access Management
- Log360 (On-Premise | Cloud) Comprehensive SIEM and UEBA
- AD Free Tools Active Directory FREE Tools