Account lockout issue on Windows Server 2003

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Time:            9:06:36 AM
User:            NT AUTHORITY\SYSTEM
Computer:      rass006
Logon Failure:
       Reason:            Account locked out
       User Name:      rauser
       Domain:      rass
       Logon Type:      3   (network logon)
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      rass006   (Application hosting machine)
       Caller User Name:      s-ra_ser       (Service account)
       Caller Domain:      rass       (Domain Name)
       Caller Logon ID:      (0x0,0x126E6)
       Caller Process ID: 1592  (PID relates to the process of the application)
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

I have an issue wherein user accounts are getting locked out randomly. In the security logs of the server I get several 529 authentication errors, and randomly the account gets locked out with the above error.

Looking at the above log, I have been able to identify the service which is causing these lockouts but have not been able to stop them. I get the 529 error even when the user for which the error pops up never tries to open the specific application.

This application does not prompt for authentication upon opening; it takes the currently logged-on credentials on the machine to authenticate the user. There is nowhere we can save the password and user name.
Please guide me on further troubleshooting to find which machine these requests are coming from. If I am able to find the source of these authentication requests, I will be able to nail down the issue. I cannot use ALockout.dll on the server; if there is a way to do it with Netmon or Wireshark, I'll be happy to do that.


Hi Gaurav,

One of my friends faced the same issue, and it was due to a virus in the network which was automatically attempting to log in with a genuine user name and an incorrect password.

You can investigate it by keeping an eye on network activity on the server.

As the primary action, kindly scan all the available workstations with different anti-virus products, and don't plug them into the network until all the workstations are fully scanned.

I hope it will help you.
Glen Knight Commented:
The requests are coming from this machine name: rass006
It also tells you the process ID of the application that is making the call: 1592
I also faced the same problem. For this I found an article in the link below.
It will work.

gauravjeev (Author) Commented:
@demazter the machine name “rass006” is the server name on which the application is hosted, and I have already identified the application related to the PID which is causing the issue. But since the logon type is 3, it’s a network logon attempt, and I want help in identifying the machine through which the requests are coming.
Run: control userpasswords2 - to manage user accounts
On the Advanced tab / Manage Passwords.
Either check the credentials or delete them. I've deleted them and then had them recreated.
Solved my problem here, but I only have 5 computers in the domain.
Now a few days later the problem has returned but not as frequent as before. Something else is still causing user accounts to lock out.

gauravjeev (Author) Commented:
Issue not resolved. No resolution or suggestion received.
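
An added example, not part of the original thread: a Python sketch that tallies 529/539 failure audits from a text export of the Security log by target user, workstation name, source address and caller process ID, the fields shown in the event at the top of the page. The function names, the sample records, the `WKS-EXAMPLE` name and the 192.0.2.10 address are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample records in the field layout of the event quoted in the question.
TEMPLATE = """Event Type: Failure Audit
Event ID: {0}
       User Name: {1}
       Logon Type: 3
       Workstation Name: {2}
       Caller Process ID: {3}
       Source Network Address: {4}
"""
ROWS = [(529, "rauser", "rass006", "1592", "-"),
        (529, "rauser", "rass006", "1592", "-"),
        (539, "rauser", "rass006", "1592", "-"),
        (529, "rauser", "WKS-EXAMPLE", "-", "192.0.2.10")]
SAMPLE = "".join(TEMPLATE.format(*r) for r in ROWS)

FIELD = re.compile(r"^\s*([A-Za-z /]+?):\s*(.*?)\s*$")

def parse_events(text):
    """Split exported Security log text into one dict per event record."""
    events, cur = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if not m:
            continue
        key, val = m.groups()
        val = re.sub(r"\s{2,}\(.*\)$", "", val)  # drop hand-added "(...)" notes
        if key == "Event Type":                  # first field of every record
            cur = {}
            events.append(cur)
        if cur is not None:
            cur[key] = val
    return events

def lockout_sources(events):
    """Count 529/539 failures per (user, workstation, source address, caller PID)."""
    tally = Counter()
    for e in events:
        if e.get("Event ID") in ("529", "539"):
            tally[(e.get("User Name"), e.get("Workstation Name"),
                   e.get("Source Network Address", "-"),
                   e.get("Caller Process ID", "-"))] += 1
    return tally

def local_callers(tally):
    """Caller PIDs of entries whose record carries no remote source address."""
    return sorted({pid for (_, _, src, pid) in tally if src == "-"})
```

Entries with `-` as the source address name no remote machine in the event itself; for those, the Caller Process ID identifies the process on the logging server that submitted the credentials.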