Account Lockout on Main Server

Hi Guys,
Please see event ID 539 on our domain controller. Many users are finding that their accounts are locked. Here is a bit of background: we installed a wireless network and used IAS on the PDC.

Please help
Logon Failure:
       Reason:            Account locked out
       User Name:      jliu
       Domain:      MAR-TOR-DOM
       Logon Type:      3
       Logon Process:      CHAP
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      
       Caller User Name:      TORSRV00$
       Caller Domain:      MAR-TOR-DOM
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 824
       Transited Services: -
       Source Network Address:      -
       Source Port:      -




Chemtrade Asked:
 
bcoyxp Commented:
Can you check on the client's PC whether any suspicious activity can be observed, e.g. BITS is disabled?
Apart from that, try running AVERT's Stinger.

http://vil.mcafeesecurity.com/vil/stinger/
 
Chemtrade Author Commented:
We are getting this error as well:
Logon Failure:
       Reason:            Account locked out
       User Name:      JDarnbrough
       Domain:      MAR-TOR-DOM
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      CLTOR9VWK291-1
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      10.1.5.157
       Source Port:      0

 
bcoyxp Commented:
Hi guys! You might have been infected with the "Conficker worm", which has been in the wild recently.

Try to run to the file attached, which could help you isolate the problem.
Update your servers/machines with the latest patches and antivirus updates.

Regards,
Problem-Description-Conficker.pdf
 
SectorX4 Commented:
Are the accounts being locked out all wireless users authenticating using 802.1X? If so, then try stopping IAS and manually enabling the accounts and see if the errors stop; if they do, then try having them log on using a wired PC and see if it locks their account or not.

I would look specifically into your authentication and encryption settings in your remote access policies; it is possible the event is being generated because of a mismatch there.

Lastly, if you have ISA Server installed, try moving your other policies above it. I had a problem with the ISA policy (which only specifies logon times) causing problems.
 
Chemtrade Author Commented:
Hi SectorX4,
Not only wireless users, but a few regular wired users are also getting locked out. But the confusing part is that the log says they are locked out, and so does the screen on their PC, but when I go to AD and find the user, the account is not locked out... this button cannot be clicked.
 
Chemtrade Author Commented:
Sorry... plus we do not have ISA.
 
SectorX4 Commented:
So Active Directory shows them as enabled, but you also cannot select "Disable"?

bcoyxp might have a point, as that worm will attempt to brute-force administrator accounts, and if you have policies in place for account lockout it could be pushing those limits. If the disable option is greyed out, then it could be because the disabling of the account was done by the system, not administratively like through AD.
 
Chemtrade Author Commented:
The account lockout is greyed out... but based on bcoyxp... I will not be able to go to Windows Update... but I can... I just updated the server.
 
SectorX4 Commented:
The server doesn't necessarily need to be on the server, only on the client PCs which are trying to log in to the server.

If your users have their own PCs, try scanning the PCs that the users with disabled accounts use.

Is there anything else in the event log out of the ordinary (make sure to check informational events as well) apart from what you have posted already?
 
Chemtrade Author Commented:
The problem was resolved... by installing Windows Updates and changing the session timeout from the WLAN.
Question has a verified solution.
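
Added example (not part of the thread and not any poster's code): the two event 539 records quoted above come from different places, and grouping lockout events by where the failed logon was submitted is how to find the machine or service to inspect. Field names are those in the quoted events; the function names, the `remote-host`/`local-service` labels, and reading a machine-account caller as "a service on that server" are this example's assumptions.

```python
import re
from collections import Counter
# The two event 539 bodies quoted in this thread, trimmed to the fields used below.
SAMPLE = """\
Logon Failure:
       Reason:            Account locked out
       User Name:      jliu
       Logon Process:      CHAP
       Workstation Name:
       Caller User Name:      TORSRV00$
       Source Network Address:      -

Logon Failure:
       Reason:            Account locked out
       User Name:      JDarnbrough
       Logon Process:      NtLmSsp
       Workstation Name:      CLTOR9VWK291-1
       Caller User Name:      -
       Source Network Address:      10.1.5.157
"""

FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Split pasted event text on 'Logon Failure:' and return one dict per event."""
    events = []
    for chunk in text.split("Logon Failure:")[1:]:
        ev = {}
        for line in chunk.splitlines():
            m = FIELD.match(line)
            if m:  # "-" is how the event log prints an empty field
                ev[m.group(1)] = "" if m.group(2) == "-" else m.group(2)
        events.append(ev)
    return events

def origin(ev):
    """Remote host if one is recorded; else a machine-account caller = service on that server."""
    if ev.get("Source Network Address") or ev.get("Workstation Name"):
        return ("remote-host", ev.get("Workstation Name") or ev["Source Network Address"])
    if ev.get("Caller User Name", "").endswith("$"):
        return ("local-service", ev["Caller User Name"] + "/" + ev.get("Logon Process", "?"))
    return ("unknown", "")

def lockouts_by_origin(text):
    """Count 'Account locked out' failures per (origin kind, origin name, user)."""
    return Counter(origin(e) + (e.get("User Name", ""),)
                   for e in parse_events(text) if "locked out" in e.get("Reason", ""))

print(dict(lockouts_by_origin(SAMPLE)))
```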
