hcrejazz

Windows 2003 Server Event ID: 531 - Account Disabled

I keep getting these below on my domain controller. It says it's a failure audit for Event 531. Does this just mean someone tried to log on with a disabled account and it's logging it as a failed authentication? It doesn't ever give me the username; it just shows NT AUTHORITY\SYSTEM. I appreciate any thoughts. :)

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      531
Date:            5/4/2005
Time:            8:19:24 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MYDC
Description:
Logon Failure:
       Reason:            Account currently disabled
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Authz  
       Authentication Package:      Kerberos
       Workstation Name:      MYDC
       Caller User Name:      MYDC$
       Caller Domain:      Traders.com
       Caller Logon ID:      
       Caller Process ID:      1844
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Brian

When there is an attempt to log on using a disabled account, this specific event is created in the event log. Someone is trying to log on with accounts that are disabled. It usually shows the user's name and the domain they are logging on to. Here is an example of one that is more complete. I'm not sure why yours is missing info though.
http://www.adminprep.com/forums/Event_ID_531_%2D_Account_Is_Disabled/m_124/tm.htm


Brian
This looks like some computer (not user) is connecting to the domain, but the computer object is disabled in AD.  Odd.
hcrejazz

ASKER

Ya, the weird thing is we have monitoring software that shows everything in real time, so I see this event quite a bit throughout the day. Our organization has about 12,000 users and 13 DCs.
Do you have a computer named "MYDC" on the network?  In Active Directory?  What's the status of the AD computer object, if it exists?
MYDC is the name of the domain controller in Active Directory. Also, this failure in the event log appears on MYDC's event viewer.
Have you checked this:
http://support.microsoft.com/?kbid=889505

That one's a long shot, but worth checking. Also, run netdiag /fix and dcdiag /fix (from the Support Tools) and see what that tells you.
I figured it out.  The domain controllers were having trouble contacting and grabbing the site licensing information from the main controller which was the licensing server part.  I reset the licensing on the site licensing server and the errors went away.  Thank you everyone for your input.
Although this did not solve my problem, the MS KB article referenced above pointed me in the right direction.

I had several scheduled tasks using the logon account of a disabled user.  Might help someone else...
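
Added example, not part of the original thread: a small triage script for exported Event 531 text in the layout quoted in the question. It separates blank-user records raised by a machine-account caller (the asker's case) from batch logons by a named disabled account (the scheduled-task case in the last comment). The sample records, the account name `olduser` and the second process ID are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample in the layout of the event quoted in the question (not real log data).
SAMPLE = """\
Event Type: Failure Audit
Event ID: 531
    User Name:
    Logon Type: 3
    Caller User Name: MYDC$
    Caller Process ID: 1844
Event Type: Failure Audit
Event ID: 531
    User Name: olduser
    Logon Type: 4
    Caller User Name: MYDC$
    Caller Process ID: 920
"""

# "Key: value" lines; the value may be empty, as with the blank User Name above.
FIELD = re.compile(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", re.MULTILINE)

def parse_events(text):
    """Return one dict of fields per event record in the exported text."""
    events = []
    for key, value in FIELD.findall(text):
        key, value = key.strip(), value.strip()
        if key == "Event Type":  # first field of each record
            events.append({})
        if events:
            events[-1][key] = value
    return events

def triage(events):
    """Count Event 531 records by (kind, user, caller, caller PID)."""
    counts = Counter()
    for ev in events:
        if ev.get("Event ID") != "531":
            continue
        user, caller = ev.get("User Name", ""), ev.get("Caller User Name", "")
        if not user and caller.endswith("$"):
            kind = "blank user, machine-account caller"
        elif ev.get("Logon Type") == "4":  # 4 = batch logon, used by scheduled tasks
            kind = "batch logon"
        else:
            kind = "named account"
        counts[(kind, user or "-", caller or "-", ev.get("Caller Process ID", "-"))] += 1
    return counts

if __name__ == "__main__":
    for bucket, n in triage(parse_events(SAMPLE)).most_common():
        print(n, *bucket, sep=" | ")
```

The Caller Process ID in each bucket can be matched against the running processes on the logging machine to identify which service or task is generating the failures.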