I have a customer with SBS2003 who receives lots of Event ID 539 Account Lockouts every sunday (somewhere between 10 and 20 messages from 9:30 am to 7 pm). I am having a difficult time tracking down the problem, because the account it is citing as being the offender is a users account and it is not locked out when the event ID claims it is. Also, I checked all services, and none of them use that account for authentication.
The event is giving me this info:
Reason: Account locked out
User Name: JACK
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: SBSSRVR
Caller User Name: SBSSRVR$
Caller Domain: BIGAPPLEAUTO
Caller Logon ID: (0x0,0x3E7)
Which doesn't help much at all after a lot of Google time.
I need a more effective way to troubleshoot this problem ... are there any other ways of logging logon attempts where by I can get more detail about the events that are causing this problem?