Solved

Account lockout, Event ID: 680, 539

Posted on 2013-06-04
Last Modified: 2013-06-27
Hi all,

I have a client running Windows 7 Pro and a Server 2003; they are running as a workgroup, not a domain environment.

Yesterday they called because one of the users could not connect to the share. After reviewing, I noticed the user account was locked. After unlocking the account, I noticed it got locked immediately.

I have checked for viruses and spyware using AVG, Malwarebytes and Trend Micro, but was not able to find anything.

In the event log I have a large number of the following events:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            6/5/2013
Time:            2:33:01 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SRV-DC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      Mary
 Source Workstation:      PC01-PC
 Error Code:      0xC0000234

---------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            6/5/2013
Time:            2:33:01 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SRV-DC
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      Mary
       Domain:      PC01-PC
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      PC01-PC
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.1.193
       Source Port:      0
Question by:rudym88
3 Comments
 

Assisted Solution

by:Pankaj_401
Pankaj_401 earned 250 total points
ID: 39221274
Here is some useful information about Event ID 680:

"When a DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.
This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
Account Used for Logon By identifies the authentication package that processed the authentication request."

A common cause of "mystery" lockouts is saved passwords that have changed - you can often solve this by going to CP and typing "Credential Manager" in CP Search. Look at the saved credentials and delete any that may have changed, or any unused ones (I usually just save time by deleting them all).

Have you checked this answer on EE? It may help you.

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24426664.html

Accepted Solution

by:
Jaihunt earned 250 total points
ID: 39221696
Hi

Check the source machine PC01-PC for any saved passwords or scheduled tasks with the OLD password.

http://www.windowstricks.in/2009/07/account-lockout.html

Use the EventCombMT tool to extract the log for the account lockout.

In server name -> add a single server (PDCe server)
Event ID -> 680 for 2003 OS & 4740 for 2008 OS
Text -> mention the user ID of the locked account.

Thanks
 Jai
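
An added example, not part of the original answer: the filter described above (Event ID plus account name) applied to event text in the layout quoted in the question, with failures grouped by source and reason so the machine submitting the bad credentials stands out. It assumes the events are available as plain text in that layout rather than in EventCombMT's own output format; `parse_events`, `lockout_sources` and `SAMPLE` are names made up here.

```python
import re
from collections import Counter

# NTSTATUS codes from the "Error Code" field of Event ID 680 (keys upper-cased).
NTSTATUS = {"0XC000006A": "wrong password", "0XC0000234": "account locked out"}
FIELD = re.compile(r"^\s*([^:]+?):\s*(.*?)\s*$")
# Constructed, abbreviated sample in the layout of the events quoted in the question.
SAMPLE = """\
Event Type:      Failure Audit
Event ID:      680
 Logon account:      Mary
 Source Workstation:      PC01-PC
 Error Code:      0xC000006A
Event Type:      Failure Audit
Event ID:      680
 Logon account:      Mary
 Source Workstation:      PC01-PC
 Error Code:      0xC0000234
Event Type:      Failure Audit
Event ID:      539
       Reason:            Account locked out
       User Name:      Mary
       Source Network Address:      192.168.1.193
"""

def parse_events(text):
    """Return one dict of field -> value per event record."""
    events = []
    for m in filter(None, map(FIELD.match, text.splitlines())):
        if m.group(1) == "Event Type":    # first field of every record
            events.append({})
        if events:
            events[-1][m.group(1)] = m.group(2)
    return events

def lockout_sources(events, account):
    """Count failures for one account per (event ID, source, reason)."""
    counts = Counter()
    for ev in events:
        name = ev.get("Logon account") or ev.get("User Name") or ""
        if name.lower() != account.lower():
            continue
        if ev.get("Event ID") == "680":
            src = ev.get("Source Workstation", "?")
            why = NTSTATUS.get(ev.get("Error Code", "").upper(), "other")
        else:                             # 539 and similar logon failures
            src = ev.get("Source Network Address", "?")
            why = ev.get("Reason", "?").lower()
        counts[(ev.get("Event ID"), src, why)] += 1
    return counts
```

Calling `lockout_sources(parse_events(text), "Mary")` on a full export separates the "wrong password" failures, which point at the machine submitting a bad password, from the "account locked out" failures that follow once the lockout has tripped.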

Author Comment

by:rudym88
ID: 39222147
That's what is strange about this. I don't have any saved passwords.

Remember this is not a domain environment.

I have cleared all the passwords, checked all the services but nothing.

I deleted all the saved passwords by going to Control Panel, Manage your credentials, then clearing everything out.

I created a new account and it works fine, which tells me it is not a service.