Solved

Account lockout, Event ID: 680, 539

Posted on 2013-06-04
Last Modified: 2013-06-27
Hi all,

Have a client running Windows 7 Pro and a Server 2003; they are running as a workgroup, not a domain environment.

Yesterday they called because one of the users could not connect to the share. After reviewing, I noticed the user account was locked. After unlocking the account, I noticed it got locked again immediately.

I have checked for viruses and spyware using AVG, Malwarebytes and TrendMicro, but was not able to find anything.

In the event log I have a large number of the following events:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            6/5/2013
Time:            2:33:01 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SRV-DC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      Mary
 Source Workstation:      PC01-PC
 Error Code:      0xC0000234

---------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            6/5/2013
Time:            2:33:01 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SRV-DC
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      Mary
       Domain:      PC01-PC
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      PC01-PC
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.1.193
       Source Port:      0
0
Question by:rudym88
3 Comments
 
LVL 5

Assisted Solution

by:Pankaj_401
Pankaj_401 earned 250 total points
ID: 39221274
Here is some useful information about Event ID 680:

"When a DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.
This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
Account Used for Logon By identifies the authentication package that processed the authentication request. "

A common cause of "mystery" lockouts is saved passwords that have changed - you can often solve this by going to CP and typing "Credential Manager" in CP Search.  Look at the saved credentials and delete any that may have changed, or any unused ones (I usually just save time by deleting them all).

Have you checked this answer on EE? It may help you:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24426664.html
0
 
LVL 13

Accepted Solution

by:
Jaihunt earned 250 total points
ID: 39221696
Hi

Check the source machine PC01-PC for any saved passwords or scheduled tasks with the OLD password.

http://www.windowstricks.in/2009/07/account-lockout.html

Use the EventCombMT tool to extract the log for the account lockout.

In server name -> add a single server (PDCe server)
Event ID -> 680 for 2003 OS & 4740 for 2008 OS
Text -> mention the user ID of the locked account.

Thanks
 Jai
0
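The triage described in the answer above (pull Event ID 680 for the locked account and look at where it comes from), as an added example that is not part of the original thread: it parses a text export laid out like the records in the question and counts 680 failures per source workstation and error code. The sample log, the function names and the two 0xC000006A records are constructed for illustration; wrong-password failures logged before the first 0xC0000234 identify the machine that is submitting a stale password.

```python
import re
from collections import Counter

# NTSTATUS values seen in the "Error Code" field of Event ID 680
STATUS = {"0xc000006a": "wrong password", "0xc0000064": "no such user",
          "0xc0000234": "account locked out"}

# Constructed sample in the layout of the records quoted in the question.
# The last two records mirror the page; the wrong-password ones are invented.
SAMPLE = """\
Event ID:      680
 Logon account:      Mary
 Source Workstation:      PC01-PC
 Error Code:      0xC000006A
---------------
Event ID:      680
 Logon account:      Mary
 Source Workstation:      PC01-PC
 Error Code:      0xC000006A
---------------
Event ID:      680
 Logon account:      Mary
 Source Workstation:      PC01-PC
 Error Code:      0xC0000234
---------------
Event ID:      539
       User Name:      Mary
       Workstation Name:      PC01-PC
"""

FIELD = re.compile(r"^[ \t]*([A-Za-z /]+?):[ \t]+(.*\S)[ \t]*$", re.M)

def parse_records(text):
    """Split a text export on dashed separator lines; one dict per record."""
    chunks = re.split(r"^-{5,}[ \t]*$", text, flags=re.M)
    return [dict(FIELD.findall(c)) for c in chunks if FIELD.search(c)]

def lockout_sources(records, account):
    """Count Event 680 failures for `account` by (workstation, reason)."""
    tally = Counter()
    for r in records:
        if r.get("Event ID") == "680" and r.get("Logon account", "").lower() == account.lower():
            code = r.get("Error Code", "")
            tally[(r.get("Source Workstation", "?"), STATUS.get(code.lower(), code))] += 1
    return tally

if __name__ == "__main__":
    print(lockout_sources(parse_records(SAMPLE), "Mary"))
```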
 

Author Comment

by:rudym88
ID: 39222147
That's what is strange about this. I don't have any saved passwords.

Remember this is not a domain environment.

I have cleared all the passwords, checked all the services but nothing.

I deleted all the saved passwords by going to Control Panel, Manage your credentials, then clearing everything out.

I created a new account and it works fine, which tells me it is not a service.
0
