Solved

Account lockout, Event ID: 680, 539

Posted on 2013-06-04
3
1,406 Views
Last Modified: 2013-06-27
Hi all,

Have a client running windows 7 Pro and a Server 2003, they are running as a workgroup not a domain environment.

Yesterday they called because one of the users could not connect to the share, after reviewing I noticed they user account was locked. After unlocking the account I noticed it got locked immediately.

I have check for viruses and Spyware using AVG, Malware byte and TrendMicro, but was not able to find anything.

In the event log  I have a large number of the following events. ;

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            6/5/2013
Time:            2:33:01 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SRV-DC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      Mary
 Source Workstation:      PC01-PC
 Error Code:      0xC0000234

---------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            6/5/2013
Time:            2:33:01 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SRV-DC
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      Mary
       Domain:      PC01-PC
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      PC01-PC
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.1.193
       Source Port:      0
0
Comment
Question by:rudym88
3 Comments
 
LVL 5

Assisted Solution

by:Pankaj_401
Pankaj_401 earned 250 total points
Comment Utility
Here is some useful information about Event ID 680:

"When DC successfully authenticates a user via NTLM (instead of Kerberos), the DC logs this event. This specifies which user account who logged on (Account Name) as well as the client computer's name from which the user initiated the logon in the Workstation field.
This event is only logged on member servers and workstations for logon attempts with local SAM accounts.
Account Used for Logon By identifies the authentication package that processed the authentication request. "

A common cause of "mystery" lockouts is saved passwords that have changed - you can often solve this by going to CP and typing "Credential Manager" in CP Search.  Look at the saved credentials and delete any that may have changed, or any unused ones (I usually just save time by deleting them all).

Have you checked this answer on EE may this help you

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/SBS_Small_Business_Server/Q_24426664.html
0
 
LVL 13

Accepted Solution

by:
Jaihunt earned 250 total points
Comment Utility
Hi

Check the source machine for  PC01-PC any saved password or schedule tasks with OLD password.

http://www.windowstricks.in/2009/07/account-lockout.html

use EventcombMT tool to extract the log for the account lockout.

In server name -> add single server (PDCe server)
Event ID -> 680 for 2003 OS & 4740 for 2008 OS
text -> mentioned user id of the account locked.

Thanks
 Jai
0
 

Author Comment

by:rudym88
Comment Utility
That's what is strange about the this. I don't have any saved passwords.

Remember this is not a domain environment.

I have cleared all the passwords, checked all the services but nothing.

I deleted all the save password by going to Control Panel, Manage your credentials, then clearing everything out.

I created a new account and it works find which tells me is not a service.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

I recently purchased an HP EliteBook 2540p notebook/laptop. It has two video ports on it – VGA and DisplayPort. HP offers an optional docking station for the 2540p that also has both a VGA port and a DisplayPort. There are numerous online reports do…
When you start your Windows 10 PC and got an "Operating system not found" error or just saw  "Auto repair for startup". After a while, you have entered a loop for Auto repair which does not fix anything and you will be in a  panic as all your work w…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
The viewer will learn how to successfully download and install the SARDU utility on Windows 7, without downloading adware.

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now