locked
FCS Scan causing security audit failure events on DC RRS feed

  • Question

  • Hoping someone can help with this. I have been seeing massive ammounts of Failure Audits in the security logs on my Domain Controllers with the following event. I am seeing multiple entries for computers during the time that a FCS scan (Quick or Full scan) is taking place. These events start showing up shortly after a scan starts and end when the scan stops.

    By the error code (0xC0000199), it looks like the system is trying to scan network resources which I didn't think it was supposed to do.

    Has anyone else seen this?

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 680
    Date:  04/06/2009
    Time:  09:50:04 AM
    User:  NT AUTHORITY\SYSTEM
    Computer: DOMAINCONTROLLER (DC Name Edited)
    Description:
    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
     Logon account: COMPUTER$ (Computer name edited)
     Source Workstation: \\COMPUTER (Computer name edited)
     Error Code: 0xC0000199

    Thanks

    Nate

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    Monday, April 6, 2009 6:20 PM

Answers

  • Hi,

     

    Thank you for your post.

     

    According to your description, I understand that your find some error message in the security logs when a FCS scan is taking place.

     

    I did some research regarding error code “0xC0000199”- status_nologon_workstation_trust_account. That means the account used is a computer account. You may use your global user account or local user account to access this server.

     

    Regards,


    Nick Gu - MSFT
    Friday, April 10, 2009 6:18 AM

All replies

  • Hi,

     

    Thank you for your post.

     

    According to your description, I understand that your find some error message in the security logs when a FCS scan is taking place.

     

    I did some research regarding error code “0xC0000199”- status_nologon_workstation_trust_account. That means the account used is a computer account. You may use your global user account or local user account to access this server.

     

    Regards,


    Nick Gu - MSFT
    Friday, April 10, 2009 6:18 AM
  • Did you happen to find a solution to this.
    I'm having the same issue.

    We just implemented FCS SP1 and pushed it out to our client computers.
    It only seems to happen on non-admin machines.

    -Carl
    Thursday, August 20, 2009 3:05 PM