Home / server / Questions / 135840
Accepted
Kev
Asked: 2010-04-27 05:03:07 +0800 CST

"Account locked out" security event at midnight

  • 772

The last three midnights I've gotten an Event ID 539 in the log...about my own account:

Event Type: Failure Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   539
Date:       2010-04-26
Time:       12:00:20 AM
User:       NT AUTHORITY\SYSTEM
Computer:   SERVERNAME
Description:
Logon Failure:
    Reason:     Account locked out
    User Name:  MyUser
    Domain: MYDOMAIN
    Logon Type: 3
    Logon Process:  NtLmSsp 
    Authentication Package: NTLM
    Workstation Name:   SERVERNAME
    Caller User Name:   -
    Caller Domain:  -
    Caller Logon ID:    -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: -
    Source Port:    -

It's always within a half minute of midnight. There are no login attempts before it. Right after it (in the same second) there's a success audit entry:

Logon attempt using explicit credentials:
 Logged on user:
    User Name:  SERVERNAME$
    Domain:     MYDOMAIN
    Logon ID:       (0x0,0x3E7)
    Logon GUID: -
 User whose credentials were used:
    Target User Name:   MyUser
    Target Domain:  MYDOMAIN
    Target Logon GUID: -

 Target Server Name:    servername.mydomain.lan
 Target Server Info:    servername.mydomain.lan
 Caller Process ID: 2724
 Source Network Address:    -
 Source Port:   -

The process ID was the same on all three of them, so I looked it up, and right now at least it maps to TCP/IP Services (Microsoft).

I don't believe I changed any policies or anything on Friday. How should I interpret this?

windows-server-2003 security windows-event-log

4 Answers

  1. Account lockouts can be a pain to troubleshoot. My first reccomendation would be to get the Account Lockout Tools from Microsoft.

    Using these tools you can figure out which of your DC's are actually locking out the account. From there you'll need to do some snooping in the security log to figure out which server is causing the lockout to happen, then you can figure out what on that server is locking your account.

    • 7

  2. It's likely an automated event, like a service running under your credentials. Hop on the server and sort services.msc by the Logon As field and see if you're in there.

    • 1
  3. Best Answer

    Do you have a schedule task that runs under your account that connects to a share at midnight? Event ID 552 (the second event) is usually generated when a user (in this case the system) uses runas to run a process as another account.

    However- upon a closer look, the Logon ID: (0x0,0x3E7)- shows that a service is the one doing the impersonation. Take a closer look at the services on the machine. You can also get this if another machine is mapping a drive with your credentials and the saved credentials have expired. Since the service was tcpip that's where I'm betting my nickel on now.

    • 1

  4. You might have installed a program or service with your user ID. Most probably these are backup softwares or any similar service/task. You can not find all scheulded tasks from "Scheduled tasks", review your automated services, IIS, Backup Exec etc.

    • 0