**********
Alert on SERVERNAME at 10/18/2006 10:38:07 AM
An account was locked out due to multiple failed logon attempts that
occurred in a short period of time. This may occur if an unauthorized user
attempts to gain access to the network.
**********
I look in the security event log and see that the majority of the events are
"success Audits" where the user name is SERVERNAME$ and the domain is my
domain. The logon type is 3 and the ID is 0x0,0x8C1A699.
This is happening about 5 times every second.
I also have a few failure audits from someone else trying to log on as the
guest account (which is disabled).
This just started a few days ago.
Any ideas?
Thanks pvh

Thank you for posting in the SBS newsgroup.
According to your description, I understand that you keep receiving
"Account Lockout, Event 539" alerts on server. If I have misunderstood the
problem, please don't hesitate to let me know.
Based on my experience, the issue might be a bit more complex than it appears.
To troubleshoot the issue, we usually need to spend quite some time
performing steps to find the cause of the problem, due to complexity on the
technical side. I appreciate your understanding and cooperation during the
troubleshooting process.
I. If the problematic client computer is running Windows XP, we need to
remove the previous password cache, which may be used by some applications
and therefore cause the account lockout problem.
To do so:
1) Click Start, click Run, type "control userpasswords2" (without the
quotation marks), and then click OK.
2) Click the Advanced tab.
3) Click the "Manage Password" button.
4) Check to see if these domain accounts' passwords are cached. If so,
remove them.
5) Check if the problem has been resolved now.
For more information, you may refer to the following article:
Q281660: Behavior of Stored User Names and Passwords
http://support.microsoft.com/?id=281660
II. On that user's computer, please also check the mapped drives and
scheduled tasks to see if something is still using the previous password of
the user.
III. Check whether there are services running with the credentials of the
problematic user account:
Please download the Account Lockout and Management Tools:
Account Lockout and Management Tools
http://www.microsoft.com/downloads/details.aspx?familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en
Note: Aloinfo.exe included in the above package helps display all local
services and the account used to start them.
Please log on to the problematic client computer as the Local Administrator and
run the following command:
Aloinfo.exe /stored >C:\CachedAcc.txt
Then check the C:\CachedAcc.txt file. If any application or service is
running as the problematic user account, please disable it and
then check whether the problem occurs.
IV. I am not sure how the account lockout policy is set there. Generally,
it is a best practices suggestion to set the Threshold value to 10 or
higher. This is high enough to rule out user error and low enough to deter
hackers, especially when the password complexity policy is enabled.
Generally, for medium security requirement, the recommended configurations
are:
Reset account lockout counter after: 30
Account lockout duration: 30
Account Lockout Threshold: 10
For high security requirement, the recommendations are:
Reset account lockout counter after: 30
Account lockout duration: 0
Account Lockout Threshold: 10
For more information, please refer to:
Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
V. If the issue still persists, please help me collect the following
information for further analysis:
1. On what account does the issue occur?
2. Have you changed the password recently?
3. What changes have you made recently?
I appreciate your time and look forward to hearing from you.
Best regards,
Crina Li (MSFT)
Microsoft CSS Online Newsgroup Support
--------------------
| Subject: Security Log
| Date: Wed, 18 Oct 2006 08:08:02 -0700
| Newsgroups: microsoft.public.windows.server.sbs
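
An added example, not part of either post and not a Microsoft tool: a small Python triage of an exported Security log that counts the SERVERNAME$ success audits apart from user activity and ranks which workstation is producing the failure audits for an account that hit event 539. The CSV layout and the names jsmith, CLIENT07, UNKNOWN-PC and MYDOMAIN are constructed for illustration; 529 and 531 are the Windows Server 2003 failure audit IDs for a bad password and a disabled account.

```python
import csv
import io
from collections import Counter

# Constructed sample; the column layout is an assumption for this example,
# not the export format of any particular tool.
SAMPLE_LOG = """\
event_id,audit,user,domain,logon_type,workstation
540,Success,SERVERNAME$,MYDOMAIN,3,SERVERNAME
540,Success,SERVERNAME$,MYDOMAIN,3,SERVERNAME
531,Failure,Guest,MYDOMAIN,3,UNKNOWN-PC
531,Failure,Guest,MYDOMAIN,3,UNKNOWN-PC
529,Failure,jsmith,MYDOMAIN,3,CLIENT07
529,Failure,jsmith,MYDOMAIN,3,CLIENT07
539,Failure,jsmith,MYDOMAIN,3,CLIENT07
"""

# Windows Server 2003-era failure audit IDs that matter for lockouts.
FAILURE_IDS = {"529": "bad user name or password",
               "531": "account disabled", "539": "account locked out"}

def triage(log_text):
    """Count machine-account successes; tally failures by source."""
    machine_success, failures, locked = 0, Counter(), set()
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["user"].lower()
        if row["audit"] == "Success":
            # Computer accounts end in "$"; count them apart from users.
            machine_success += user.endswith("$")
            continue
        reason = FAILURE_IDS.get(row["event_id"])
        if reason is None:
            continue
        failures[(user, row["workstation"], reason)] += 1
        if row["event_id"] == "539":
            locked.add(user)
    return machine_success, failures, locked

def lockout_sources(log_text):
    """Rank (account, workstation) pairs for accounts that got locked out."""
    _, failures, locked = triage(log_text)
    sources = Counter()
    for (user, workstation, _), n in failures.items():
        if user in locked:
            sources[(user, workstation)] += n
    return sources.most_common()

if __name__ == "__main__":
    print("machine-account successes:", triage(SAMPLE_LOG)[0])
    print("lockout sources:", lockout_sources(SAMPLE_LOG))
```

The workstation that tops `lockout_sources` is the one to check first for cached passwords, mapped drives, scheduled tasks and services, as described in steps I to III of the reply.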