none
Account lockout with Event ID 529 and 539

    Question

  • My AD account is getting locked out due to failure attempt of login to the server. Kindly advice how could i trace it, what is causing this lockout. The server is 2003 Server and  an IIS web server. 

    AD Logs shows  the server as source server from where it is getting lock. How do i trace from where it is getting locked ?

    Below is event logs:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff 
    Event ID: 529
    Date: 8/28/2013
    Time: 2:02:00 PM
    User: NT AUTHORITY\SYSTEM
    Computer: [Server Name]
    Description:
    Logon Failure:
      Reason: Unknown user name or bad password
      User Name: arijeet
      Domain: AD
      Logon Type: 3
      Logon Process: NtLmSsp 
      Authentication Package: NTLM
      Workstation Name: [Server Name]
      Caller User Name: -
      Caller Domain: -
      Caller Logon ID: -
      Caller Process ID: -
      Transited Services: -
      Source Network Address: [xx.xx.xx.xx]
      Source Port: 1986


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff 
    Event ID: 539
    Date: 8/28/2013
    Time: 3:31:01 PM
    User: NT AUTHORITY\SYSTEM
    Computer: [Server Name]
    Description:
    Logon Failure:
      Reason: Account locked out
      User Name: arijeet
      Domain: AD
      Logon Type: 3
      Logon Process: NtLmSsp 
      Authentication Package: NTLM
      Workstation Name: [Server Name]
      Caller User Name: -
      Caller Domain: -
      Caller Logon ID: -
      Caller Process ID: -
      Transited Services: -
      Source Network Address: [xx.xx.xx.xx]
      Source Port: 4163


    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
    Wednesday, August 28, 2013 7:51 AM

Answers

All replies