Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1568
  • Last Modified:

Account lockout, Event ID: 680, 539

Hi all,

Have a client running windows 7 Pro and a Server 2003, they are running as a workgroup not a domain environment.

Yesterday they called because one of the users could not connect to the share, after reviewing I noticed they user account was locked. After unlocking the account I noticed it got locked immediately.

I have check for viruses and Spyware using AVG, Malware byte and TrendMicro, but was not able to find anything.

In the event log  I have a large number of the following events. ;

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            6/5/2013
Time:            2:33:01 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SRV-DC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      Mary
 Source Workstation:      PC01-PC
 Error Code:      0xC0000234

---------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            6/5/2013
Time:            2:33:01 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SRV-DC
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      Mary
       Domain:      PC01-PC
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      PC01-PC
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.1.193
       Source Port:      0
0
rudym88
Asked:
rudym88
2 Solutions
 
Pankaj_401Commented:
Here is some useful information about Event ID 680:

"When DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account who logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.
This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
Account Used for Logon By identifies the authentication package that processed the authentication request. "

A common cause of "mystery" lockouts is saved passwords that have changed - you can often solve this by going to CP and typing "Credential Manager" in CP Search.  Look at the saved credentials and delete any that may have changed, or any unused ones (I usually just save time by deleting them all).

Have you checked this answer on EE may this help you

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24426664.html
0
 
JaihuntCommented:
Hi

Check the source machine for  PC01-PC any saved password or schedule tasks with OLD password.

http://www.windowstricks.in/2009/07/account-lockout.html

use EventcombMT tool to extract the log for the account lockout.

In server name -> add single server (PDCe server)
Event ID -> 680 for 2003 OS & 4740 for 2008 OS
text -> mentioned user id of the account locked.

Thanks
 Jai
0
 
rudym88Author Commented:
That's what is strange about the this. I don't have any saved passwords.

Remember this is not a domain environment.

I have cleared all the passwords, checked all the services but nothing.

I deleted all the save password by going to Control Panel, Manage your credentials, then clearing everything out.

I created a new account and it works find which tells me is not a service.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now