Solved

Troubleshooting Event ID 539

Posted on 2007-04-01
Last Modified: 2008-06-01
Hello,

I have a customer with SBS2003 who receives lots of Event ID 539 Account Lockouts every Sunday (somewhere between 10 and 20 messages from 9:30 am to 7 pm). I am having a difficult time tracking down the problem, because the account it is citing as being the offender is a user's account and it is not locked out when the event ID claims it is. Also, I checked all services, and none of them use that account for authentication.

The event is giving me this info:

Logon Failure:
       Reason:            Account locked out
       User Name:      JACK
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBSSRVR
       Caller User Name:      SBSSRVR$
       Caller Domain:      BIGAPPLEAUTO
       Caller Logon ID:      (0x0,0x3E7)

Which doesn't help much at all after a lot of Google time.

I need a more effective way to troubleshoot this problem ... are there any other ways of logging logon attempts whereby I can get more detail about the events that are causing this problem?

Thank you,

Mike Sims
Question by:mikesims10670
16 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18834207
0
 
LVL 13

Accepted Solution

by:
Kini pradeep earned 168 total points
ID: 18834526
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

You would also want to disable any 3rd party services (non-MS) and then check, as you mentioned that the account does not get locked.
0
 
LVL 10

Expert Comment

by:stafi
ID: 18835066
As per Microsoft:

A large number of these events logged in Event Viewer usually indicate that a service account password is configured incorrectly or a program password does not match the password on the server. This might be caused by a password-guessing attack against an account that has account lock out enabled, but this is highly unusual.

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=539&EvtSrc=Security&LCID=1033
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18835717
I would assume that perhaps these are also being seen with event 529?

This is quite normal, and can be caused by a number of things... but usually the machine account password is out of sync.  Please see my answer to this issue here:  http:Q_22471975.html

Jeff
TechSoEasy

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18835736
One other thought... are any of the SERVICES running under that user's account?  If so, that should probably be changed.  Generally if you need to run a service under a user account it's best to create a user account just for that purpose, and then give it a password that's VERY complex... and set it to never expire.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:mikesims10670
ID: 18837070
TechSoEasy,

YES, Event 529's are also in the event log.

I checked all of the services and none of them are running under that user's account on the server. Would this event be generated at the server if a workstation service were configured to use that account? In other words, should I check ALL of the workstations to make sure that none of the services are configured to use that user's account?

And do you have any idea why the event would get triggered while the account remained unlocked?

Mike
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18837239
There could be several reasons for the lockouts as discussed, even a PDA trying to sync automatically, with the wrong password, but the curious part is the fact that it is only during a particular period of time, the same day each week. This would tend to indicate a scheduled event that likely is trying to run, using an old password. Have you checked all computers used by this user for any scheduled events?
0
 
LVL 1

Author Comment

by:mikesims10670
ID: 18840922
No,

I haven't checked all of the PCs ... it would be nice to have a utility that would summarize all services that use accounts ... as far as TSR type apps, I suppose I'll just have to look through the registry run keys and startup folders for any possible culprits.

Mike Sims
0
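An added example, not part of the original thread: one way to get the summary asked for above, listing every service and scheduled task on a set of machines that runs under a given account. It assumes Windows PowerShell 2.0 or later run with administrative rights on the targets and English `schtasks` column names; `JACK` and `SBSSRVR` come from the event in the question, and `WORKSTATION01` is a placeholder.

```powershell
# Added example (not from the thread). Windows PowerShell 2.0+.
# Assumptions: admin rights on each target, English schtasks column names,
# WORKSTATION01 is a placeholder computer name.
$Account   = 'JACK'
$Computers = 'SBSSRVR', 'WORKSTATION01'

# Matches JACK, DOMAIN\JACK, .\JACK and JACK@domain, but not JACKSON.
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

function New-Finding($Computer, $Kind, $Name, $RunAs) {
    New-Object PSObject -Property @{
        Computer = $Computer; Kind = $Kind; Name = $Name; RunAs = $RunAs
    }
}

$findings = foreach ($computer in $Computers) {
    # Services: Win32_Service.StartName is the account the service logs on as.
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object { New-Finding $computer 'Service' $_.Name $_.StartName }
    } catch {
        Write-Warning "Could not query services on ${computer}: $($_.Exception.Message)"
    }

    # Scheduled tasks: the verbose CSV listing carries a "Run As User" column.
    $csv = schtasks.exe /query /s $computer /fo csv /v 2>$null
    if ($LASTEXITCODE -ne 0 -or -not $csv) {
        Write-Warning "Could not query scheduled tasks on $computer"
        continue
    }
    # Drop blank lines so the first remaining line is the CSV header.
    $csv | Where-Object { $_ } | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -match $pattern } |
        ForEach-Object { New-Finding $computer 'ScheduledTask' $_.TaskName $_.'Run As User' }
}

$findings | Sort-Object Computer, Kind, Name |
    Format-Table Computer, Kind, Name, RunAs -AutoSize
```

Mapped drives, stored credentials and startup programs are not covered by this listing and still have to be checked per machine.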
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18841032
How many PCs might this user use? If only a couple, shut them down over the weekend so the scheduled events, if any, don't run. If that cures the problem, then hunt for the culprit. <G>
0
 
LVL 1

Author Comment

by:mikesims10670
ID: 18841065
Rob,

Excellent suggestion ... he also has a computer at home that is always on a nailed up firewall to firewall tunnel ... it might be the culprit too ... but I can take down the tunnel next Sunday.

Mike
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18842384
Let us know how it goes. Good luck with it.
--Rob
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 166 total points
ID: 18856345
"And do you have any idea why the event would get triggered while the account remained unlocked?"

This is from http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

"An account that is locked out may still be able to gain access to some resources if the user has a valid Kerberos ticket to the resource. The ability to access the resource ends when the Kerberos ticket expires. However, neither a user who is locked out nor a computer account can renew the ticket. Kerberos cannot grant a new ticket to the resource because the account is locked out."

I'm wondering if there is a mapped drive or a program that accesses a UNC share that is configured on his workstation with an old password.  Or... is there a LOCAL account on his workstation with the same username?

Jeff
TechSoEasy
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 166 total points
ID: 18857348
Lots of reasons mikesims10670 could be getting the lockout 'messages', but why only during a few hours on one day? That is the odd part. I would think most reasons would cause errors/messages at random times through the week, unless that is the only time a particular PC is used.
0
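An added example, not part of the original thread: a tally of the Event 529/539 failures for one user by day of week, hour, workstation, logon type and logon process, which makes a weekly pattern like the Sunday cluster visible and shows which source fields it shares. It assumes Windows PowerShell 2.0 or later, the message layout quoted in the question, and a 30-day look-back; `SBSSRVR` and `JACK` are taken from that event.

```powershell
# Added example (not from the thread). Windows PowerShell 2.0+.
# Assumptions: message layout as quoted in the question; 30 days of history.
$Server = 'SBSSRVR'
$User   = 'JACK'
$Since  = (Get-Date).AddDays(-30)

# Anchored to the start of a line so "Caller User Name:" is not matched.
$userLine = '(?m)^\s*User Name:\s+' + [regex]::Escape($User) + '\s*$'

function Get-Field($Message, $Label) {
    # Returns the value after "<Label>:" on its own line, or '(blank)'.
    $rx = '(?m)^\s*' + [regex]::Escape($Label) + ':[ \t]*(\S.*?)\s*$'
    $m  = [regex]::Match($Message, $rx)
    if ($m.Success) { $m.Groups[1].Value } else { '(blank)' }
}

$rows = Get-EventLog -LogName Security -ComputerName $Server `
            -EntryType FailureAudit -After $Since |
    Where-Object { (529, 539 -contains $_.EventID) -and ($_.Message -match $userLine) } |
    ForEach-Object {
        New-Object PSObject -Property @{
            EventID     = $_.EventID
            Day         = $_.TimeGenerated.DayOfWeek
            Hour        = $_.TimeGenerated.Hour
            Workstation = (Get-Field $_.Message 'Workstation Name')
            LogonType   = (Get-Field $_.Message 'Logon Type')
            Process     = (Get-Field $_.Message 'Logon Process')
        }
    }

# Busiest combinations first: a scheduled job shows up as one day/hour/source cluster.
$rows | Group-Object Day, Hour, Workstation, LogonType, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 |
    Format-Table -AutoSize
```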
 
LVL 1

Author Comment

by:mikesims10670
ID: 18859562
Actually, they did get a few of these messages the night before last ... But they tend to flood the event logs on Sundays. I'm stuck on other projects at the moment, so I won't be able to implement any of these suggestions for at least another 5 to 7 days.

Mike
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 19707835

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
SPLIT: RobWill {18857348} & kprad {18834526} & TechSoEasy {18856345}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Chris-Dent
Experts Exchange Cleanup Volunteer
0

Question has a verified solution.
