Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

User keeps getting locked out - Event Type: Failure Audit Event ID: 529 and 537

Posted on 2009-05-20
4
Medium Priority
?
1,809 Views
Last Modified: 2012-05-07
I have rolled out a new Lenovo ThinkPad to a user and he is now having a lot of issues logging in with his AD account which is being locked.

The laptop is set up to cache the AD password so the user can log on when disconnected from the network.  The laptop is connected to a Lenovo Enhanced USB Port Replicator.  The user has typed his password into the visible "user name" window to check it is entering correctly and it is.

The following errors are showing in the event log.  It is Event ID 537 that concerns me as I do not know what is causing the issue.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      537
Date:            20/05/2009
Time:            09:11:29
User:            NT AUTHORITY\SYSTEM
Computer:      LG1403
Description:
Logon Failure:
       Reason:            An error occurred during logon
       User Name:      TRoberts
       Domain:            LUMINUS
       Logon Type:      11
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      LG1403
       Status code:      0xC000005E
       Substatus code:      0x0

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.




Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            20/05/2009
Time:            09:11:29
User:            NT AUTHORITY\SYSTEM
Computer:      LG1403
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      TRoberts
       Domain:            LUMINUS
       Logon Type:      2
       Logon Process:      User32  
       Authentication Package:      Negotiate
       Workstation Name:      LG1403

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


The Date and Time on the laptop are correct.

The user has not changed his password since receiving the laptop.

Does anyone have any suggestions for troubleshooting?
0
Comment
Question by:Julian Prentis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 3

Expert Comment

by:goss34
ID: 24429816
Hi julianprentis,

Try using account lockout status:

http://www.microsoft.com/downloads/details.aspx?FamilyID=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en

It should give you information of when the account locked and you can trace where it locked (what machine) from the event viewer of the DC.

Cheers
Dan
0
 

Author Comment

by:Julian Prentis
ID: 24430936
Dan,

I already have tools in place that report this information.  I think what concerns me is why it is happening.
0
 
LVL 27

Accepted Solution

by:
bluntTony earned 750 total points
ID: 24430983
Event 529 is pretty self-explanatory - Logon Type 2 is interactive which you know already.

The event 537 is occurring due to cached logon credentials (logon type 11). Have a look at this:

http://support.microsoft.com/kb/908355

Have you tried clearing the local cache? Control Panel | User Accounts | Advanced | Manage Passwords
0
 

Author Comment

by:Julian Prentis
ID: 24431702
I have checked Control Panel | User Accounts | Advanced | Manage Passwords and the user is not stored.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question