Solved

Troubleshooting Event ID 539

Posted on 2007-04-01
Last Modified: 2008-06-01
Hello,

I have a customer with SBS2003 who receives lots of Event ID 539 Account Lockouts every Sunday (somewhere between 10 and 20 messages from 9:30 am to 7 pm). I am having a difficult time tracking down the problem, because the account it is citing as being the offender is a user's account and it is not locked out when the event ID claims it is. Also, I checked all services, and none of them use that account for authentication.

The event is giving me this info:

Logon Failure:
       Reason:            Account locked out
       User Name:      JACK
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBSSRVR
       Caller User Name:      SBSSRVR$
       Caller Domain:      BIGAPPLEAUTO
       Caller Logon ID:      (0x0,0x3E7)

Which doesn't help much at all after a lot of Google time.

I need a more effective way to troubleshoot this problem ... are there any other ways of logging logon attempts whereby I can get more detail about the events that are causing this problem?

Thank you,

Mike Sims
Question by:mikesims10670
16 Comments
 
LVL 77

Expert Comment

by:Rob Williams
0
 
LVL 13

Accepted Solution

by:
Kini pradeep earned 168 total points
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

You would also want to disable any 3rd party services (non MS) and then check, as you mentioned that the account does not get locked.
0
 
LVL 10

Expert Comment

by:stafi
As per Microsoft:

A large number of these events logged in Event Viewer usually indicate that a service account password is configured incorrectly or a program password does not match the password on the server. This might be caused by a password-guessing attack against an account that has account lock out enabled, but this is highly unusual.

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=539&EvtSrc=Security&LCID=1033
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
I would assume that perhaps these are also being seen with event 529?

This is quite normal, and can be caused by a number of things... but usually the machine account password is out of sync.  Please see my answer to this issue here:  http:Q_22471975.html

Jeff
TechSoEasy

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
One other thought... are any of the SERVICES running under that user's account?  If so, that should probably be changed.  Generally if you need to run a service under a user account it's best to create a user account just for that purpose, and then give it a password that's VERY complex... and set it to never expire.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:mikesims10670
TechSoEasy,

YES, Event 529's are also in the event log.

I checked all of the services and none of them are running under that user's account on the server. Would this event be generated at the server if a workstation service were configured to use that account? In other words, should I check ALL of the workstations to make sure that none of the services are configured to use that user's account?

And do you have any idea why the event would get triggered while the account remained unlocked?

Mike
0
 
LVL 77

Expert Comment

by:Rob Williams
There could be several reasons for the lockouts as discussed, even a PDA trying to sync automatically, with the wrong password, but the curious part is the fact that it is only during a particular period of time, the same day each week. This would tend to indicate a scheduled event that likely is trying to run, using an old password. Have you checked all computers used by this user for any scheduled events?
0
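An added example (not from the thread or its participants): one way to test the "scheduled event" idea is to parse the exported event descriptions and count one account's 529/539 failures by weekday, hour and source fields. The sample records are constructed (timestamps and the MARY/WS02 entry are invented; the other field values follow the event quoted in the question), and the function names are illustrative.

```python
from collections import Counter
from datetime import datetime

DAYS = ["Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday", "Sunday"]
FAILURE_IDS = {529, 539}  # the two logon-failure event IDs discussed in this thread
SOURCE_KEYS = ("Workstation Name", "Logon Type", "Logon Process", "Caller User Name")

def make_desc(reason, user, workstation="SBSSRVR", caller="SBSSRVR$"):
    # Lay the text out like the event quoted in the question (Domain left empty).
    return (f"Logon Failure:\n       Reason:            {reason}\n"
            f"       User Name:      {user}\n       Domain:      \n"
            "       Logon Type:      3\n       Logon Process:      Advapi  \n"
            f"       Workstation Name:      {workstation}\n"
            f"       Caller User Name:      {caller}\n")

# Constructed sample export: (timestamp, event ID, description); timestamps invented.
LOCKED, BAD_PW = "Account locked out", "Unknown user name or bad password"
SAMPLE = [
    ("2007-03-18 09:31:10", 529, make_desc(BAD_PW, "JACK")),
    ("2007-03-18 09:31:40", 539, make_desc(LOCKED, "JACK")),
    ("2007-03-25 09:30:12", 539, make_desc(LOCKED, "JACK")),
    ("2007-03-25 10:00:00", 529, make_desc(BAD_PW, "MARY", "WS02", "WS02$")),
    ("2007-03-25 18:55:47", 539, make_desc(LOCKED, "JACK")),
    ("2007-03-29 22:14:03", 539, make_desc(LOCKED, "JACK")),
]

def parse_fields(description):
    """Turn the 'Name:   value' lines of an event description into a dict."""
    fields = {}
    for line in description.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def summarize(events, user):
    """Count one account's logon failures by weekday, hour and originating source."""
    out = {"by_weekday": Counter(), "by_hour": Counter(), "by_source": Counter()}
    for stamp, event_id, description in events:
        fields = parse_fields(description)
        if event_id in FAILURE_IDS and fields.get("User Name", "").upper() == user.upper():
            when = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
            out["by_weekday"][DAYS[when.weekday()]] += 1
            out["by_hour"][when.hour] += 1
            out["by_source"][tuple(fields.get(k) for k in SOURCE_KEYS)] += 1
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE, "JACK"))
```

A single dominant weekday and a single source tuple point toward one recurring job or device rather than scattered attempts from many machines.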
 
LVL 1

Author Comment

by:mikesims10670
No,

I haven't checked all of the PCs ... it would be nice to have a utility that would summarize all services that use accounts ... as far as TSR type apps, I suppose I'll just have to look through the registry run keys and startup folders for any possible culprits.

Mike Sims
0
 
LVL 77

Expert Comment

by:Rob Williams
How many PCs might this user use? If only a couple, shut them down over the weekend so the scheduled events, if any, don't run. If that cures the problem, then hunt for the culprit. <G>
0
 
LVL 1

Author Comment

by:mikesims10670
Rob,

Excellent suggestion ... he also has a computer at home that is always on a nailed up firewall to firewall tunnel ... it might be the culprit too ... but I can take down the tunnel next Sunday.

Mike
0
 
LVL 77

Expert Comment

by:Rob Williams
Let us know how it goes. Good luck with it.
--Rob
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 166 total points
"And do you have any idea why the event would get triggered while the account remained unlocked?"

This is from http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

"An account that is locked out may still be able to gain access to some resources if the user has a valid Kerberos ticket to the resource. The ability to access the resource ends when the Kerberos ticket expires. However, neither a user who is locked out nor a computer account can renew the ticket. Kerberos cannot grant a new ticket to the resource because the account is locked out."

I'm wondering if there is a mapped drive or a program that accesses a UNC share that is configured on his workstation with an old password.  Or... is there a LOCAL account on his workstation with the same username?

Jeff
TechSoEasy
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 166 total points
Lots of reasons mikesims10670 could be getting the lock out 'messages', but why only during a few hours on one day? That is the odd part. I would think most reasons would cause errors/messages at random times through the week, unless that is the only time a particular PC is used.
0
 
LVL 1

Author Comment

by:mikesims10670
Actually, they did get a few of these messages the night before last ... But they tend to flood the event logs on Sundays. I'm stuck on other projects at the moment, so I won't be able to implement any of these suggestions for at least another 5 to 7 days.

Mike
0
 
LVL 70

Expert Comment

by:Chris Dent

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
SPLIT: RobWill {18857348} & kprad {18834526} & TechSoEasy {18856345}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Chris-Dent
Experts Exchange Cleanup Volunteer
0
