Monitor unlimited number of servers
Filter log events
Create email and web-based reports

Direct access to Microsoft articles
Customized keywords for major search engines
Access to premium content

Event ID: 534 Source: Security

Source
Description
Logon Failure:
Reason: The user has not been granted the requested logon type at this machine
User Name: <user name>
Domain: <domain name>
Logon Type: <type>
Logon Process: <process>
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <workstation name>
Comments
 
This problem may occur if the Authenticated Users group has been removed from the Access this computer from the network user right. See ME924173 to troubleshoot this problem.

This error may occur if the user account that is used for anonymous access is denied access to the Web Server from the network. See ME909887 to solve this problem.
In my case, Backup Exec was configured to run under the Administrator account which was not granted permissions to run as a service. Rather then grant that permission I configured Backup Exec to run under the Local System account. Since then, the error has not re-occurred.
In one case, on Windows 2003 SP1, the ASP.NET State service (the ASPNET account was named in the message) could no longer be started on any computer in the domain that was not a domain controller, after changes were made to the Default Domain Policy. It was accompanied by EventID 7000 from source Service Control Manager, service ASP.NET State, and EventID 7041 from source Service Control Manager, service aspnet_state.
The "Default Domain Policy" policy setting named "Log on as a service" had been empty, but when entries were added for some groups, this Event ID appeared when I tried to start the "ASP.NET State service".
To resolve this, the "Default Domain Policy" policy setting named "Log on as a service" had "ASPNET" added to its list. When Group Policy was refreshed on the computer that had the problem, the service could be started without problem.

In another case, this started for an account that was used to run a Task Scheduler job, after Group Policy was configured. The "Default Domain Policy" policy setting named "Log on as a batch job" had been empty, but when entries were added for some groups, this Event ID appeared when I tried to start the Scheduled Task.
To resolve this, the "Default Domain Policy" policy setting named "Log on as a batch job" had the account added to its list. When Group Policy was refreshed on the computer that had the problem, the Scheduled Task ran without a problem.
This may happen when an account that is not a member of the IIS_WPG, is configured as the Identity for an Application Pool on IIS. Note that this must be the LOCAL IIS_WPG group. If you are in a domain, make sure the account is a member of the local IIS_WPG on the IIS machine, or make the domain IIS_WPG group a member of the local IIS_WPG group. See the link to “Configuring Worker Process Identities” for additional information.
See ME841399 for a hotfix applicable to Microsoft Windows XP.

As per Microsoft: "This event record indicates that an attempt was made to log on, but the local security policy of the computer does not allow the user to log on in the requested fashion (such as interactively)". See MSW2KDB for more details on this issue.

If you receive this error when you try to log on to a computer that is running Microsoft Windows Small Business Server 2003 by using the built-in Administrator account, or by using an account that is a member of the Administrators group, see ME841188 for details on fixing this error.


On a Windows XP box that was upgraded from Win2K while still being a member of a 2K domain, the Remote Desktop Connection did not work. In the error message “Logon Type: 10” was shown. To correct this I did the following:
1. I added the user(s) to the local "Remote Desktop Users" group.
2. I modified the local computer policy, Computer Config, Windows Settings, Security, Local, User Rights, “Allow Logon Through Terminal Services” to include the group above.
3. I forced a GPUPDATE.
This error may be displayed when you are trying to connect to network share because of the TROJ_NENET.A virus or others like. The virus makes changes to the local security policy in Win2k. To resolve this problem, on the remote computer, select Administrative Tools->Local Security Settings->Local Policies->User Rights Assignment, right-click on ''Access this computer from the network->Properties->Add Users or Groups, and add everyone or any users you want to be able to access the computer from the network.
Our problem was that the Remote Administrator (r_admin) service worked only when started with any DomainAdmin account and did not worked with the LocalSystem account. There was a message in Security log on domain controller (one per each try of service start). In ME257346 Microsoft said: “Users cannot log on to the domain if Everyone is missing the "Access this computer through the network" right. If you want to remove the Everyone group, you should replace it with Authenticated Users, Enterprise Domain Controllers, System, and Administrators”. We added only Domain Controllers and now everything is OK.
If this event occurs in conjunction with IIS returning “HTTP Error 401.1 - Unauthorized: Access is denied due to invalid credentials”, then the anonymous IIS account (IUSR_Servername) may be assigned to "Deny logon locally" and/or "Deny access to this computer from the network". To check this, open the Local Security Policy MMC. Go to Local Policies -> User Rights Assignment. Find "Deny logon locally" and "Deny access to this computer from the network" and verify that IUSR_Servername is not in either one. Also, make sure that IUSR_Servername is not in any groups assigned to either.
MS article ME159930 had our solution to this problem, where Windows 95 workstations suddenly could not logon to our NT 4.0 Server. The solution was as follows:
Start User Manager for Domains.
Select "User Rights" from the "Policy" option on the menu bar.
Re-add the Everyone group to the user right, "Access this computer from the network."
A logon failure due to the fact that the user has not been granted the requested logon type at this machine. The user attempted to log on with a logon type that is not allowed, such as network, interactive, batch, service, or remote interactive.

Windows Event Log Analysis Splunk App

Build a great reporting interface using Splunk, one of the leaders in the Security Information and Event Management (SIEM) field, linking the collected Windows events to www.eventid.net.

Read more...

 

Cisco ASA Log Analyzer Splunk App

Obtain enhanced visibility into Cisco ASA firewall logs using the free Firegen for Cisco ASA Splunk App. Take advantage of dashboards built to optimize the threat analysis process.

Read more...