Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net. The EventId.Net for Splunk Add-on assumes that Splunk is collecting information from Windows servers and workstation via the Splunk Universal Forwarder.
|Type: Failure Audit|
Reason: User not allowed to logon at this computer
User Name: <user name>
Domain: <domain name>
Logon Type: <logon type>
Logon Process: <process>
Authentication Package: <package>
Workstation Name: <workstation name>
|English: Request a translation of the event description in plain English.|
|Concepts to understand:|
What is an authentication protocol?
Caused by the HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail set to a value of 2. For details on the CrashOnAuditFail see ME757348.
If you have restricted an account to only logon from specific machines (via UserID properties -> Account tab -> Log On To... button), and then the account tries to authenticate from a machine not in the specific list, error 533 will be logged. The "workstation name" field in the error will indicate the machine or IP address from which the login attempt is coming.
This error may occur if the domain user account that is used for anonymous access in IIS cannot log on to the IIS Web server. See ME909887 to solve this problem.
See ME318319 for a situation in which this event occurs.
The logon attempt failed. The user account used to log on is not permitted to log on from this computer. This restriction is configured on the user's domain account. See MSW2KDB for more details on this event.
Event generated by a logon failure due to a user not allowed to logon at this computer.
|Private comment: Subscribers only. See example of private comment|
|Links: Online Analysis of Security Event Log|
|Search: Google - Bing - Microsoft - Yahoo - EventID.Net Queue (2) - More links...|
Send comments or solutions
- Notify me when updated