Solved

Account Lockout on Main Server

Posted on 2009-02-19
Last Modified: 2012-05-06
Hi Guys,
Please see event id 539 on our Domain controller. Many users are finding that their accounts are locked. Here is a bit of background: we installed a wireless network and used IAS on the PDC.

Please help
Logon Failure:
       Reason:            Account locked out
       User Name:      jliu
       Domain:      MAR-TOR-DOM
       Logon Type:      3
       Logon Process:      CHAP
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      
       Caller User Name:      TORSRV00$
       Caller Domain:      MAR-TOR-DOM
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 824
       Transited Services: -
       Source Network Address:      -
       Source Port:      -



Question by:Chemtrade
10 Comments
 

Author Comment

by:Chemtrade
ID: 23687415
We are getting this error as well
Logon Failure:
       Reason:            Account locked out
       User Name:      JDarnbrough
       Domain:      MAR-TOR-DOM
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      CLTOR9VWK291-1
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      10.1.5.157
       Source Port:      0

0
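The two event 539 records posted so far point at different origins: the first was submitted through the CHAP logon process by something running as the server's own machine account (TORSRV00$), while the second arrived over NTLM from a named workstation and IP address. As an added example that is not part of the thread, this Python script groups such records by origin to show which systems to examine first; the plain-text export layout and all function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample: the thread's two event 539 records, abridged, as a text export.
SAMPLE = """\
Logon Failure:
    Reason:           Account locked out
    User Name:        jliu
    Logon Process:    CHAP
    Workstation Name:
    Caller User Name: TORSRV00$
    Source Network Address: -
Logon Failure:
    Reason:           Account locked out
    User Name:        JDarnbrough
    Logon Process:    NtLmSsp
    Workstation Name: CLTOR9VWK291-1
    Caller User Name: -
    Source Network Address: 10.1.5.157
"""
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Return one dict of fields per 'Logon Failure:' record."""
    events = []
    for line in text.splitlines():
        if line.strip() == "Logon Failure:":
            events.append({})
        elif events and (m := FIELD.match(line)):
            events[-1][m.group(1)] = m.group(2)
    return events

def origin(ev):
    """Say where the failed logon was submitted from ('-' means not recorded)."""
    get = lambda k: "" if ev.get(k, "-") == "-" else ev[k]
    host, ip = get("Workstation Name"), get("Source Network Address")
    if host or ip:
        return f"client {host or '?'} ({ip or '?'})"
    if get("Caller User Name").endswith("$"):  # machine account: a service on that server
        return f"service on {get('Caller User Name')[:-1]} via {get('Logon Process')}"
    return "unknown"

def lockout_sources(text):
    """Count 'Account locked out' failures per (origin, user)."""
    return Counter((origin(ev), ev.get("User Name", "?")) for ev in parse_events(text)
                   if ev.get("Reason") == "Account locked out")

if __name__ == "__main__":
    print(*lockout_sources(SAMPLE).most_common(), sep="\n")
```

Many users locked out from one client address suggests that host is the one to scan, while lockouts attributed to the server's machine account via CHAP point at the authentication service running on it.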
 
LVL 6

Expert Comment

by:bcoyxp
ID: 23687481
Hi guys! You might have been infected with the "Conficker worm", which has been in the wild recently.

try to run to the file attached which could help you isolate the problem.
update your servers/machines with the latest patches and antivirus updates.

regards,
Problem-Description-Conficker.pdf
0
 
LVL 2

Expert Comment

by:SectorX4
ID: 23687524
Are the accounts being locked out all wireless users authenticating using 802.1X? If so, then try stopping IAS and manually enabling the accounts and see if the errors stop. If they do, then try having them log on using a wired PC and see if it locks their account or not.

I would look specifically into your authentication and encryption settings in your remote access policies; it is possible the event is being generated because of a mismatch there.

Lastly if you have ISA server installed try moving your other policies above it, I had a problem with the ISA policy (which only specifies logon times) causing problems.
0
 

Author Comment

by:Chemtrade
ID: 23687541
Hi SectorX4,
Not only wireless users but a few regular wired users are also getting locked out. But the confusing part is that the log says they are locked out, and so does the screen on their PC, but when I go to AD and find the user, the account is not locked out... this button cannot be clicked.
0
 

Author Comment

by:Chemtrade
ID: 23687551
Sorry ...plus we do not have ISA
0
 
LVL 2

Expert Comment

by:SectorX4
ID: 23687573
So Active Directory shows them as enabled but you also cannot select "Disable"?

bcoyxp might have a point, as that worm will attempt to brute-force administrator accounts, and if you have policies in place for account lockout it could be pushing those limits. If the disable option is greyed out then it could be because the disabling of the account was done by the system, not administratively like through AD.
0
 

Author Comment

by:Chemtrade
ID: 23687838
The account lockout is greyed out... but based on bcoyxp... I will not be able to go to Windows Update... but I can... I just updated the server.
0
 
LVL 2

Expert Comment

by:SectorX4
ID: 23687881
The server doesn't necessarily need to be on the server, only on the client PCs which are trying to log in to the server.

If your users have their own PCs, try scanning the PCs that the users with disabled accounts use.

Is there anything else in the event log out of the ordinary (Make sure to check informational events as well) apart from what you have posted already?
0
 
LVL 6

Accepted Solution

by:
bcoyxp earned 2000 total points
ID: 23687942
Can you check on the client's PC if some suspicious activity can be observed, e.g. BITS is disabled?
Apart from that, try to run AVERT's Stinger.

http://vil.mcafeesecurity.com/vil/stinger/
0
 

Author Closing Comment

by:Chemtrade
ID: 31549420
The problem was resolved...by installing Windows Updates and changing the session timeout from the WLAN.
0


Question has a verified solution.
