• Status: Solved

Windows 2003 Server Event ID: 531 - Account Disabled

I keep getting these below on my domain controller. It says it's a failure audit for Event 531. Does this just mean someone tried to log on with a disabled account and it's logging it as a failed authentication? It doesn't ever give me the username; it just shows NT AUTHORITY\SYSTEM. I appreciate any thoughts. :)

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      531
Date:            5/4/2005
Time:            8:19:24 PM
User:            NT AUTHORITY\SYSTEM
Computer:      MYDC
Description:
Logon Failure:
       Reason:            Account currently disabled
       User Name:      
       Domain:            
       Logon Type:      3
       Logon Process:      Authz  
       Authentication Package:      Kerberos
       Workstation Name:      MYDC
       Caller User Name:      MYDC$
       Caller Domain:      Traders.com
       Caller Logon ID:      
       Caller Process ID:      1844
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
 
mkbean Commented:
When there is an attempt to log on using a disabled account, this specific event is created in the event log. Someone is trying to log on with accounts that are disabled. It usually shows the user's name and the domain they are logging on to. Here is an example of one that is more complete. I'm not sure why yours is missing info though.
http://www.adminprep.com/forums/Event_ID_531_%2D_Account_Is_Disabled/m_124/tm.htm


Brian
 
ckratsch Commented:
This looks like some computer (not user) is connecting to the domain, but the computer object is disabled in AD.  Odd.
 
hcrejazz (Author) Commented:
Ya, the weird thing is we have monitoring software that shows everything in real time, so I see this event quite a bit throughout the day. Our organization has about 12,000 users and 13 DCs.
 
ckratsch Commented:
Do you have a computer named "MYDC" on the network?  In Active Directory?  What's the status of the AD computer object, if it exists?
 
hcrejazz (Author) Commented:
MYDC is the name of the domain controller in Active Directory. Also, this failure in the event log appears on MYDC's event viewer.
 
ckratsch Commented:
Have you checked this:
http://support.microsoft.com/?kbid=889505

That one's a long shot, but worth checking. Also, run netdiag /fix and dcdiag /fix (from the Support Tools) and see what that tells you.
 
hcrejazz (Author) Commented:
I figured it out.  The domain controllers were having trouble contacting and grabbing the site licensing information from the main controller which was the licensing server part.  I reset the licensing on the site licensing server and the errors went away.  Thank you everyone for your input.
 
DarthMod Commented:
PAQed with points (125) refunded

DarthMod
Community Support Moderator
 
snowdog_2112 Commented:
Although this did not solve my problem, the MS KB article referenced above pointed me in the right direction.

I had several scheduled tasks using the logon account of a disabled user.  Might help someone else...
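
A small triage for the situation in this thread, as an added example that is not part of any poster's comment: it parses the description text in the layout shown in the question and separates 531 events that name a disabled account from ones like the asker's, where the target is blank and the caller is the host's own machine account. The category names and the second sample record are assumptions made for illustration.

```python
def parse_event(text):
    """Turn the 'Key: value' lines of an event description into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            value = value.strip()
            # The event quoted in the question shows "-" or nothing for unset fields
            fields[key.strip()] = None if value in ("", "-") else value
    return fields

def classify(ev):
    """Heuristic buckets; the names are this example's own, not Windows terms."""
    if ev.get("Event ID") != "531":
        return "not-531"
    if ev.get("User Name"):
        return "named-account"  # a specific disabled account was presented
    caller = ev.get("Caller User Name") or ""
    host = ev.get("Workstation Name") or ""
    if host and caller.endswith("$") and caller[:-1].lower() == host.lower():
        return "local-machine-caller"  # blank target, requested by the host itself
    return "unattributed"

def triage(texts):
    """Return (category, target account, caller, caller PID) for each event."""
    return [(classify(ev), ev.get("User Name"), ev.get("Caller User Name"),
             ev.get("Caller Process ID")) for ev in map(parse_event, texts)]

# First record: fields copied from the event quoted in the question.
# Second record: constructed for contrast; every value in it is made up.
SAMPLES = [
    """Event ID: 531
    Reason: Account currently disabled
    User Name:
    Logon Process: Authz
    Workstation Name: MYDC
    Caller User Name: MYDC$
    Caller Process ID: 1844""",
    """Event ID: 531
    Reason: Account currently disabled
    User Name: jdoe
    Logon Process: NtLmSsp
    Workstation Name: WKSTN042
    Caller User Name: -
    Caller Process ID: -""",
]

if __name__ == "__main__":
    for row in triage(SAMPLES):
        print(row)
```

For the "local-machine-caller" bucket the useful lead is the Caller Process ID on the named host; for "named-account" it is whatever still holds the disabled account's credentials, such as the scheduled tasks mentioned in the last comment.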