I periodically receive these events on my domain controller and my
administrator account is locked out. The domain policy is set to lock the
account out after a specified number of failed login attempts. How do I
track where the attempts are coming from? Whether it's from a workstation
or from an outside source? I'm not running RAS but am running Terminal
Services in admin mode.
Also, in event ID 644, why are the caller machine and the caller username my
domain controller Mammoth and the user Everyone?
Thanks,
Aaron
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 3/11/2003
Time: 9:44:32 AM
User: NT AUTHORITY\SYSTEM
Computer: MAMMOTH
Description:
Logon Failure:
Reason: Account locked out
User Name: administrator
Domain: work
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: MAMMOTH
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 3/11/2003
Time: 9:43:38 AM
User: Everyone
Computer: MAMMOTH
Description:
User Account Locked Out:
Target Account Name: administrator
Target Account ID: WORK\administrator
Caller Machine Name: MAMMOTH
Caller User Name: MAMMOTH$
Caller Domain: WORK
Caller Logon ID: (0x0,0x3E7)
These events both give a workstation name. Go to that workstation and
examine its logs; the logon failure events on those machines will give more
information.
Eric
--
Eric Fitzgerald
Program Manager, Windows Auditing and Intrusion Detection
Microsoft Corporation
This posting is provided "AS IS" with no warranties, and confers no rights.
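An added example, not part of either post: a small Python triage script that reads a text dump of 539/644 events in the layout pasted above and lists which machine's Security log to examine for each locked-out account. The sample input is constructed from the fields shown in the question, and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample in the layout of the two pasted events (fields trimmed).
SAMPLE = """\
Event Type: Failure Audit
Event ID: 539
Time: 9:44:32 AM
Reason: Account locked out
User Name: administrator
Logon Type: 2
Workstation Name: MAMMOTH
Event Type: Success Audit
Event ID: 644
Time: 9:43:38 AM
Target Account Name: administrator
Caller Machine Name: MAMMOTH Caller User Name: MAMMOTH$
"""

# Per event ID: (field naming the account, field naming the machine to visit).
FIELDS = {"539": ("User Name", "Workstation Name"),
          "644": ("Target Account Name", "Caller Machine Name")}

def parse_events(text):
    """Return one dict per event; a new event starts at each 'Event Type:' line."""
    events = []
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "Event Type":
            events.append({})
        if events:
            events[-1][key] = value
    return events

def hosts_to_examine(text):
    """Count (account, machine) pairs named by the 539/644 events in the dump."""
    pairs = Counter()
    for ev in parse_events(text):
        account_field, host_field = FIELDS.get(ev.get("Event ID"), (None, None))
        account, host = ev.get(account_field, ""), ev.get(host_field, "")
        if account and host:
            # Machine names have no spaces; keep the first token in case the
            # paste ran two fields together on one line.
            pairs[(account.lower(), host.split()[0].upper())] += 1
    return pairs

if __name__ == "__main__":
    for (account, host), n in hosts_to_examine(SAMPLE).most_common():
        print(f"{account}: check the Security log on {host} ({n} event(s))")
```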