1. You are viewing our forum as a guest. For full access please Register. WindowsBBS.com is completely free, paid for by advertisers and donations.

Causes for "Event ID: 539" -- Account Lockout

Discussion in 'Windows Server System' started by CUISTech, 2009/10/13.

  1. 2009/10/13
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    I went over the security log in event viewer on the DC. The attempted login times make it physically impossible for ANY user to have been logging in at that time.

    I've googled, and come up with answers that vary from outlook profiles, to stored passwords, to adobe to some MS articles about account lockout tools, but I haven't really gotten any clear answers.

    Can someone tell me how to identify and resolve this in a "101" level course-speak?
     
    CUISTech,
    #1
  2. 2009/10/14
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    Here's the security log for this morning, when the user was locked out again. Will this help?

    Code:
    Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3512


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3514


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3516


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3518


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Date: [today]			 Source: Security
Time: 7:07:03 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Code:
    Date: [today]			 Source: Security
Time: 7:07:03 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 539
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Account locked out
 	User Name:	[user]
 	Domain:	NCU
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID: 476
 	Transited Services: -
 	Source Network Address:	10.1.x.x
 	Source Port:	3521


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
     
    CUISTech,
    #2


  3. to hide this advert.

  4. 2009/10/14
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Arie,
    #3
  5. 2009/10/14
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    Okay, read them. Let me go through the points to see if I get it...

    MS says disable the welcome screen and use the classic logon.
    All computers in the domain use a classic logon instead of the XP welcome page that displays local accounts. That occurs as soon as a computer is joined to the domain.

    Obtain latest service pack for Server 03
    We're already running Server '03 with SP2. With the exception of the latest releases from MS' patch day this week, we should have everything current for SPs and hotfixes.

    Apply the hotfix that is mentioned in this article to the Windows Server 2003-based member computer.
    Did I miss the link for the specific hotfix? I saw links for "how to download the latest service pack," but I keep reading for a link to a hotfix... and I can't see it.

    Disable auditing, disable the welcome screen
    Can't disable auditing, that's CIO's word on that one, and I can't change that.

    The welcome screen, as above, is disabled when each computer joins the domain. The classic logon is used.
     
    CUISTech,
    #4
  6. 2009/10/15
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    Sorry, my Server experience is quite limited. I'll move this to the Server forum, maybe you'll get some more info there.
     
    Arie,
    #5
  7. 2009/10/16
    CUISTech

    CUISTech Inactive Thread Starter

    Joined:
    2008/10/28
    Messages:
    419
    Likes Received:
    1
    Thanks for the move.

    Quick question, though, to double-check my reading comprehension... This is an authentication type error, with how Windows seems to be managing logins, right? The systems have not actually been compromised, if I understand what you've posted?
     
    CUISTech,
    #6
  8. 2009/10/16
    Arie

    Arie Administrator Administrator Staff

    Joined:
    2001/12/27
    Messages:
    15,174
    Likes Received:
    412
    No, the system doesn't sow anything that would suggest its being compromised.
     
    Arie,
    #7

Share This Page

  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.
    Accept Learn More...