hcrejazz
asked on
Windows 2003 Server Event ID: 531 - Account Disabled
I keep getting the events below on my domain controller. It says it's a failure audit for Event 531. Does this just mean someone tried to log on with a disabled account and it's logging it as a failed authentication? It doesn't ever give me the username; it just shows NT AUTHORITY\SYSTEM. I appreciate any thoughts. :)
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 531
Date: 5/4/2005
Time: 8:19:24 PM
User: NT AUTHORITY\SYSTEM
Computer: MYDC
Description:
Logon Failure:
Reason: Account currently disabled
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: MYDC
Caller User Name: MYDC$
Caller Domain: Traders.com
Caller Logon ID:
Caller Process ID: 1844
Transited Services: -
Source Network Address: -
Source Port: -
This looks like some computer (not user) is connecting to the domain, but the computer object is disabled in AD. Odd.
ASKER
Ya, the weird thing is we have monitoring software that shows everything in real time, so I see this event quite a bit throughout the day. Our organization has about 12,000 users and 13 DCs.
Do you have a computer named "MYDC" on the network? In Active Directory? What's the status of the AD computer object, if it exists?
ASKER
MYDC is the name of the domain controller in Active Directory. Also this failure in the eventlog appears on MYDC's event viewer.
Have you checked this:
http://support.microsoft.com/?kbid=889505
That one's a longshot, but worth checking. Also, run netdiag /fix and dcdiag /fix (from the Support Tools) and see what that tells you.
http://www.microsoft.com/technet/support/ee/result.aspx?EvtSrc=Security&EvtID=531&ProdName=Windows+Operating+System&LCID=1033&ProdVer=5.0
It may just be someone trying to use a disabled domain account.
http://www.gfi.com/eventlogscan/
That might give you some insight, too.
ASKER
I figured it out. The domain controllers were having trouble contacting and grabbing the site licensing information from the main controller which was the licensing server part. I reset the licensing on the site licensing server and the errors went away. Thank you everyone for your input.
Although this did not solve my problem, the MS KB article referenced above pointed me in the right direction.
I had several scheduled tasks using the logon account of a disabled user. Might help someone else...
http://www.adminprep.com/forums/Event_ID_531_%2D_Account_Is_Disabled/m_124/tm.htm
Brian
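
A triage helper for the situation in this thread, added here as an example and not posted by any participant: it parses the 531 event text from the question and flags the case where the target user name is blank and the request came from a process on the logging machine itself (machine-account caller, no source address), which is when the Caller Process ID is the lead to follow. The function names and hint strings are assumptions; the sample is constructed from the fields shown in the question.

```python
# Constructed sample: fields copied from the event text shown in the question.
SAMPLE_EVENT = """\
Event Type: Failure Audit
Event ID: 531
Computer: MYDC
Reason: Account currently disabled
User Name:
Domain:
Logon Type: 3
Logon Process: Authz
Authentication Package: Kerberos
Workstation Name: MYDC
Caller User Name: MYDC$
Caller Domain: Traders.com
Caller Process ID: 1844
Source Network Address: -
"""

def parse_event(text):
    """Split 'Key: value' lines into a dict; blank and '-' values become None."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")  # first colon only, so times survive
        if not sep:
            continue
        value = value.strip()
        fields[key.strip()] = None if value in ("", "-") else value
    return fields

def triage(fields):
    """Return hints (hypothetical wording) about the origin of a 531 event."""
    hints = []
    if fields.get("Event ID") != "531":
        return hints
    if fields.get("User Name") is None:
        hints.append("target account not recorded")
    caller = fields.get("Caller User Name") or ""  # trailing '$' = machine account
    same_host = (fields.get("Workstation Name") or "").lower() == (fields.get("Computer") or "").lower()
    if caller.endswith("$") and same_host and fields.get("Source Network Address") is None:
        hints.append("requested by local process PID %s" % fields.get("Caller Process ID"))
    return hints
```

On the machine that logged the event, the PID can be matched to a running process with `tasklist /FI "PID eq 1844"`, provided that process has not restarted since the event was written.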