Windows 2003 Server Event ID: 531 - Account Disabled

I keep getting these below on my domain controller.  It says it's a failure audit for Event 531.  Does this just mean someone tried to logon with a disabled account and it's logging it as a failed authentication?   It doesn't ever give me the username it just shows NT AUTHORITY\SYSTEM.   I appreciate any thoughts.  :)

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      531
Date:            5/4/2005
Time:            8:19:24 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MYDC
Logon Failure:
       Reason:            Account currently disabled
       User Name:      
       Logon Type:      3
       Logon Process:      Authz  
       Authentication Package:      Kerberos
       Workstation Name:      MYDC
       Caller User Name:      MYDC$
       Caller Domain:
       Caller Logon ID:      
       Caller Process ID:      1844
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
Who is Participating?
DarthModConnect With a Mentor Commented:
PAQed with points (125) refunded

Community Support Moderator
BrianIT ManagerCommented:
When there is an attempt to logon using a disabled account, this specific event is created in the event log. Someone is trying to log on with accounts that are disabled.  It usually shows the user's name and the domain they are logging on to.  Here is an example of one that is more complete.  I'm not sure why yours is missing info though.

This looks like some computer (not user) is connecting to the domain, but the computer object is disabled in AD.  Odd.
Protect Your Employees from Wi-Fi Threats

As Wi-Fi growth and popularity continues to climb, not everyone understands the risks that come with connecting to public Wi-Fi or even offering Wi-Fi to employees, visitors and guests. Download the resource kit to make sure your safe wherever business takes you!

hcrejazzAuthor Commented:
Ya the weird thing is we have monitoring software that shows everything in real-time so I see this event quite a bit throughout the day.  Our organization has about 12,000 users and 13 dc's.
Do you have a computer named "MYDC" on the network?  In Active Directory?  What's the status of the AD computer object, if it exists?
hcrejazzAuthor Commented:
MYDC is the name of the domain controller in Active Directory.  Also this failure in the eventlog appears on MYDC's event viewer.
Have you checked this:

That one's a longshot, but worth checking.  Also, run netdiag /fix and dcdiag /fix (from the Support Tools) and see what that tells you.
hcrejazzAuthor Commented:
I figured it out.  The domain controllers were having trouble contacting and grabbing the site licensing information from the main controller which was the licensing server part.  I reset the licensing on the site licensing server and the errors went away.  Thank you everyone for your input.
Although this did not solve my problem, the MS KB article referenced above pointed me in the right direction.

I had several scheduled tasks using the logon account of a disabled user.  Might help someone else...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.