Solved

Troubleshooting Event ID 539

Posted on 2007-04-01
Last Modified: 2008-06-01
Hello,

I have a customer with SBS2003 who receives lots of Event ID 539 Account Lockouts every Sunday (somewhere between 10 and 20 messages from 9:30 am to 7 pm). I am having a difficult time tracking down the problem, because the account it is citing as being the offender is a user's account and it is not locked out when the event ID claims it is. Also, I checked all services, and none of them use that account for authentication.

The event is giving me this info:

Logon Failure:
       Reason:            Account locked out
       User Name:      JACK
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBSSRVR
       Caller User Name:      SBSSRVR$
       Caller Domain:      BIGAPPLEAUTO
       Caller Logon ID:      (0x0,0x3E7)

Which doesn't help much at all after a lot of Google time.

I need a more effective way to troubleshoot this problem ... are there any other ways of logging logon attempts whereby I can get more detail about the events that are causing this problem?

Thank you,

Mike Sims
Question by:mikesims10670
16 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18834207
0
 
LVL 13

Accepted Solution

by:
Kini pradeep earned 168 total points
ID: 18834526
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

You would also want to disable any 3rd party services (non MS) and then check, as you mentioned that the account does not get locked.
0
 
LVL 10

Expert Comment

by:stafi
ID: 18835066
As per Microsoft:

A large number of these events logged in Event Viewer usually indicate that a service account password is configured incorrectly or a program password does not match the password on the server. This might be caused by a password-guessing attack against an account that has account lock out enabled, but this is highly unusual.

http://www.microsoft.com/technet/support/ee/transform.aspx?ProdName=Windows%20Operating%20System&ProdVer=5.2&EvtID=539&EvtSrc=Security&LCID=1033
0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18835717
I would assume that perhaps these are also being seen with event 529?

This is quite normal, and can be caused by a number of things... but usually the machine account password is out of sync.  Please see my answer to this issue here:  http:Q_22471975.html

Jeff
TechSoEasy

0
 
LVL 74

Expert Comment

by:Jeffrey Kane - TechSoEasy
ID: 18835736
One other thought... are any of the SERVICES running under that user's account?  If so, that should probably be changed.  Generally if you need to run a service under a user account it's best to create a user account just for that purpose, and then give it a password that's VERY complex... and set it to never expire.

Jeff
TechSoEasy
0
 
LVL 1

Author Comment

by:mikesims10670
ID: 18837070
TechSoEasy,

YES, Event 529's are also in the event log.

I checked all of the services and none of them are running under that user's account on the server. Would this event be generated at the server if a workstation service were configured to use that account? In other words, should I check ALL of the workstations to make sure that none of the services are configured to use that user's account?

And do you have any idea why the event would get triggered while the account remained unlocked?

Mike
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18837239
There could be several reasons for the lockouts as discussed, even a PDA trying to sync automatically, with the wrong password, but the curious part is the fact that it is only during a particular period of time, the same day each week. This would tend to indicate a scheduled event that likely is trying to run, using an old password. Have you checked all computers used by this user for any scheduled events?
0
 
LVL 1

Author Comment

by:mikesims10670
ID: 18840922
No,

I haven't checked all of the PCs ... it would be nice to have a utility that would summarize all services that use accounts ... as far as TSR type apps, I suppose I'll just have to look through the registry run keys and startup folders for any possible culprits.

Mike Sims
0
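The kind of summary asked for above, as an added example that is not part of the original thread: a PowerShell sketch that lists services and scheduled tasks configured to run as one account across several machines. The computer name WORKSTATION01 is hypothetical, and the sketch assumes WinRM is reachable for Get-CimInstance and that schtasks.exe prints English column names.

```powershell
# Added example: list services and scheduled tasks that run as a given account.
# $Account and $Computers are placeholders; WORKSTATION01 is a hypothetical name.
param(
    [string]   $Account   = 'JACK',
    [string[]] $Computers = @('SBSSRVR', 'WORKSTATION01')
)

# Match 'JACK', 'DOMAIN\JACK', '.\JACK' and 'JACK@domain', but not 'JACKSON'.
$pattern = '(^|\\)' + [regex]::Escape($Account) + '(@|$)'

$findings = foreach ($computer in $Computers) {
    # Services: Win32_Service.StartName holds the account the service logs on as.
    try {
        Get-CimInstance -ClassName Win32_Service -ComputerName $computer -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Computer = $computer
                    Kind     = 'Service'
                    Name     = $_.Name
                    RunAs    = $_.StartName
                    Detail   = $_.StartMode
                }
            }
    } catch {
        Write-Warning "Services on ${computer}: $($_.Exception.Message)"
    }

    # Scheduled tasks: the verbose CSV output carries a 'Run As User' column.
    $csv = schtasks.exe /Query /S $computer /FO CSV /V 2>$null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Scheduled tasks on ${computer}: schtasks exited with $LASTEXITCODE"
        continue
    }
    $csv | ConvertFrom-Csv |
        # The header row can repeat once per task folder; drop those rows.
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -match $pattern } |
        ForEach-Object {
            [pscustomobject]@{
                Computer = $computer
                Kind     = 'ScheduledTask'
                Name     = $_.TaskName
                RunAs    = $_.'Run As User'
                Detail   = $_.'Next Run Time'
            }
        }
}

$findings | Sort-Object Computer, Kind, Name | Format-Table -AutoSize
```

Any row returned is a place where a stored password for the account can go stale after a password change; the next run time of a task can be compared with the times of the 529/539 events.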
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18841032
How many PC's might this user use? If only a couple, shut them down over the weekend so the scheduled events, if any, don't run. If that cures the problem, then hunt for the culprit. <G>
0
 
LVL 1

Author Comment

by:mikesims10670
ID: 18841065
Rob,

Excellent suggestion ... he also has a computer at home that is always on a nailed up firewall to firewall tunnel ... it might be the culprit too ... but I can take down the tunnel next Sunday.

Mike
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18842384
Let us know how it goes. Good luck with it.
--Rob
0
 
LVL 74

Assisted Solution

by:Jeffrey Kane - TechSoEasy
Jeffrey Kane - TechSoEasy earned 166 total points
ID: 18856345
"And do you have any idea why the event would get triggered while the account remained unlocked?"

This is from http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

"An account that is locked out may still be able to gain access to some resources if the user has a valid Kerberos ticket to the resource. The ability to access the resource ends when the Kerberos ticket expires. However, neither a user who is locked out nor a computer account can renew the ticket. Kerberos cannot grant a new ticket to the resource because the account is locked out."

I'm wondering if there is a mapped drive or a program that accesses a UNC share that is configured on his workstation with an old password.  Or... is there a LOCAL account on his workstation with the same username?

Jeff
TechSoEasy
0
 
LVL 77

Assisted Solution

by:Rob Williams
Rob Williams earned 166 total points
ID: 18857348
Lots of reasons mikesims10670 could be getting the lock out 'messages', but why only during a few hours on one day? That is the odd part. I would think most reasons would cause errors/messages at random times through the week, unless that is the only time a particular PC is used.
0
 
LVL 1

Author Comment

by:mikesims10670
ID: 18859562
Actually, they did get a few of these messages the night before last ... But they tend to flood the event logs on Sundays. I'm stuck on other projects at the moment, so I won't be able to implement any of these suggestions for at least another 5 to 7 days.

Mike
0
 
LVL 70

Expert Comment

by:Chris Dent
ID: 19707835

No comment has been added to this question in more than 21 days, so it is now classified as abandoned.

I will leave the following recommendation for this question in the Cleanup Zone:
SPLIT: RobWill {18857348} & kprad {18834526} & TechSoEasy {18856345}

Any objections should be posted here in the next 4 days. After that time, the question will be closed.

Chris-Dent
Experts Exchange Cleanup Volunteer
0

Question has a verified solution.