Location of Event ID 539?

If a user locks him or herself out of his domain account, does Event ID 539 appear on the domain controller or on the computer which was used to attempt to log in?

I have a situation in which a user locked himself out, but there was no Event ID 539 generated in the security log on the DC. However, they appeared on the computer on which the user attempted to log in.

Therefore I was under the impression that the Event ID 539 and any associated ID would appear in the security log.

Can someone please explain how the process of generating Event ID 539 should work, and in which security log (DC or workstation?).

Thanks
Hector.
hgarciatx Asked:

Aj8787 Commented:
The Event ID: 644 - User Account Locked Out security event is generated at the primary domain controller (PDC) to indicate that the user account was automatically locked out because of bad logon attempts. The security event is generated if the audit policy for the domain enables the Success for the User and Group Management audit category.

However, this message may incorrectly appear in the security log, and it may not indicate that an account has been locked out because of bad logon attempts.

Also, as I said, go to "Default Domain Controller Policy", not Domain Policy.

But as long as event ID 644 works for you, it's also good enough.

The snapshot is for the Domain Controller policy. To reach it, go to GPMC and select Default Domain Controller Policy.

Give it a shot.
0
 
Aj8787 Commented:
This event is logged on the workstation or server where the user failed to log on. To determine if the user was present at this computer or elsewhere on the network, see event 528 for a list of logon types.

This event is only logged on domain controllers when a user fails to log on to the DC itself, such as at the console or through failure to connect to a shared folder. On workstations and servers this event could be generated by an attempt to log on with a domain or local SAM account. If a local SAM account, there will be a corresponding failure event from the Account Logon category.
0
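The answer above places event 539 on the computer where the logon was attempted and event 644 on the PDC. The following script, added here as an example and not part of the original thread, pulls both from their respective Security logs for one account and merges them on a timeline, so an investigator can see whether a lockout recorded on the PDC has a matching 539 on the workstation. It assumes Windows PowerShell with `Get-EventLog` and remote Event Log (RPC) access to both hosts; the host name, PDC name and user name are constructed placeholders, and the field order is taken from the 539 message template quoted below in the thread, which is an assumption to verify against `$_.Message` on your own systems.

```powershell
# Added example, not from the original thread. Queries the two logs the answer
# names: event 539 where the logon was attempted, event 644 on the PDC.
param(
    [string]$Workstation = 'WS01',   # placeholder: computer where the logon was attempted
    [string]$Pdc         = 'DC01',   # placeholder: PDC that writes 644
    [string]$User        = 'jdoe',   # placeholder: account that was locked out
    [int]$Hours          = 24
)
$since = (Get-Date).AddHours(-$Hours)

# Event 539 fields follow the template quoted in the thread:
# %1 User Name, %2 Domain, %3 Logon Type, %6 Workstation Name; on Server 2003
# Source Network Address is the 12th field. Field order is an assumption.
$lockouts539 = Get-EventLog -ComputerName $Workstation -LogName Security -After $since -ErrorAction Stop |
    Where-Object { $_.EventID -eq 539 -and $_.ReplacementStrings[0] -eq $User } |
    ForEach-Object {
        $f   = $_.ReplacementStrings
        $src = if ($f.Count -ge 12) { $f[11] } else { '-' }
        New-Object PSObject -Property @{
            Time        = $_.TimeGenerated
            LoggedOn    = $Workstation
            EventId     = 539
            User        = $f[0]
            Domain      = $f[1]
            LogonType   = $f[2]
            Workstation = $f[5]
            SourceAddr  = $src
        }
    }

# Event 644 (User Account Locked Out) is written on the PDC. Treating its first
# replacement string as the target account name is likewise an assumption.
$lockouts644 = Get-EventLog -ComputerName $Pdc -LogName Security -After $since -ErrorAction Stop |
    Where-Object { $_.EventID -eq 644 -and $_.ReplacementStrings[0] -eq $User } |
    ForEach-Object {
        New-Object PSObject -Property @{
            Time     = $_.TimeGenerated
            LoggedOn = $Pdc
            EventId  = 644
            User     = $_.ReplacementStrings[0]
            Message  = ($_.Message -split '\r?\n')[0]
        }
    }

# Merge both sides on one timeline. A 644 on the PDC with no matching 539 on
# the workstation points at the audit policy effective on the workstation,
# not at the DC's log.
@($lockouts539) + @($lockouts644) | Sort-Object Time |
    Format-Table Time, LoggedOn, EventId, User, Domain, LogonType, Workstation, SourceAddr, Message -AutoSize
```

Run it from a host that can reach both machines' Event Log service, e.g. `.\Find-Lockout.ps1 -Workstation WS01 -Pdc DC01 -User jdoe -Hours 4`. Reading the whole Security log and filtering client-side is deliberate: `Get-EventLog` has no event-ID parameter, and `-InstanceId` can differ from the displayed ID for legacy Security events.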
 
Aj8787 Commented:
Logon Failure

Reason: Account locked out
User Name: %1
Domain: %2
Logon Type: %3
Logon Process: %4
Authentication Package: %5
Workstation Name: %6

Windows Server 2003 adds these fields:

Caller User Name:-
Caller Domain:-
Caller Logon ID:-
Caller Process ID:-
Transited Services:-
Source Network Address:10.42.42.180
Source Port:0

0
hgarciatx Author Commented:
The issue that I have is that when a user tries to log in to the domain at the Windows login prompt and locks himself out, I used to see it in the security log on the domain controller.

Is it possible that there are other event IDs that show up on the DC?
0
 
Aj8787 Commented:
Surely it is possible. You have to enable the audits in Windows Server:

The Audit Policy settings are located in the Default Domain policy settings. To view the Auditing policy settings, in the Group Policy MMC, double-click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy. Enable auditing for the event types:

To effectively troubleshoot account lockout, enable auditing at the domain level for the following events:

Account Logon Events – Failure
Account Management – Success
Logon Events – Failure


However, also if you right-click the user who has been locked out, go to Properties and then Account, the "Account locked out" box will be checked; you can trace from there too.

Cheers
Aj
0
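The three audit categories listed above are what the two events depend on, and the thread's later back-and-forth turns on which GPO (Default Domain Policy versus Default Domain Controllers Policy) actually lands on a given machine. The script below, added here as an example and not from the original thread, reads the effective local audit policy with `secedit /export` (available on Server 2003 and later), parses the `[Event Audit]` section, and reports whether each required category carries the needed Success or Failure bit. Run it on the DC for event 644 and on the workstation for event 539; the effective value reflects whichever GPO applies to that host. The key names and the 0/1/2/3 encoding are as secedit writes them; the required bits are taken from the answer above.

```powershell
# Added example, not from the original thread. Reads the effective audit
# policy via secedit and checks the categories the answer above requires.
$inf = Join-Path $env:TEMP 'audit-policy.inf'
& secedit.exe /export /cfg $inf /areas SECURITYPOLICY | Out-Null

# secedit [Event Audit] encoding: 0 = none, 1 = Success, 2 = Failure, 3 = both.
$required = @{
    AuditAccountLogon  = 2   # Account Logon Events - Failure
    AuditAccountManage = 1   # Account Management - Success (event 644 on the PDC)
    AuditLogonEvents   = 2   # Logon Events - Failure (event 539 where the logon was attempted)
}

# Parse "AuditXxx = N" lines; the export is UTF-16 with a BOM, which Get-Content handles.
$policy = @{}
Get-Content $inf | ForEach-Object {
    if ($_ -match '^\s*(Audit\w+)\s*=\s*(\d+)') { $policy[$matches[1]] = [int]$matches[2] }
}
Remove-Item $inf -ErrorAction SilentlyContinue

# A category passes when every required bit is present in the effective value
# (3 = Success and Failure satisfies both a 1 and a 2 requirement).
$required.Keys | Sort-Object | ForEach-Object {
    $name = $_
    $have = if ($policy.ContainsKey($name)) { $policy[$name] } else { 0 }
    New-Object PSObject -Property @{
        Setting   = $name
        Required  = $required[$name]
        Effective = $have
        Ok        = (($have -band $required[$name]) -eq $required[$name])
    }
} | Format-Table Setting, Required, Effective, Ok -AutoSize
```

Run it in an elevated prompt, since `secedit /export` needs administrative rights. An `Ok` of `False` on the DC for `AuditAccountManage` means 644 will not be written there; a `False` on the workstation for `AuditLogonEvents` means 539 will not appear in its log, regardless of what the DC's policy says.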
 
hgarciatx Author Commented:
Thanks for the reply.

I have checked my Default Domain Policies and everything is already set as you have suggested.

I even ran the Group Policy Results Wizard and confirmed that the Default Domain Policies will audit account logon events for failures.

I am at a loss because when I test the account lockout I still do not see Event ID 539 in my domain controller security log.

Thanks
Hector.
0
 
Aj8787 Commented:
Sorry sorry

Look into Default Domain Controller Policy.

And check back with me (sorry, I forgot to type "controller").

0
 
Aj8787 Commented:
By default they are set for Success, as shown in the image.

Configure them for Failure as I specified earlier.

Here is a snapshot.
event-log.JPG
0
 
hgarciatx Author Commented:
Thanks for the reply

Under my Default Domain Policy:
I have already set "Audit account logon events" to Success and Failure.
I have already set "Audit account management" to Failure.
I have already set "Audit directory service access" to Success and Failure.
"Audit logon events" is also set to Success and Failure.

With these settings, it still doesn't work.

Thanks
Hector.
0
 
hgarciatx Author Commented:
AJ,

Just to let you know that Event ID 644 does show up for any user being locked out after unsuccessful login attempts.

It is only Event ID 539.

Thanks
Hector.
0
 
hgarciatx Author Commented:
AJ,

I have reviewed the Default Domain Controller Policy and it too is set up correctly per your suggestion.

At this time no Event 539.

Thanks
Hector.
0
 
hgarciatx Author Commented:
Dear Everyone,

The issue is resolved and all I had to do was reboot the primary domain controller.

Thanks for everyone's help and suggestions.
0
 
hgarciatx Author Commented:
No additional comments
0