"Account locked out" security event at midnight
Posted
by Kev
on Server Fault
See other posts from Server Fault
or by Kev
Published on 2010-04-26T13:03:07Z
Indexed on
2010/04/26
13:13 UTC
Read the original article
Hit count: 420
The last three midnights I've gotten an Event ID 539 in the log...about my own account:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 2010-04-26
Time: 12:00:20 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME
Description:
Logon Failure:
Reason: Account locked out
User Name: MyUser
Domain: MYDOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVERNAME
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
It's always within a half minute of midnight. There are no login attempts before it. Right after it (in the same second) there's a success audit entry:
Logon attempt using explicit credentials:
Logged on user:
User Name: SERVERNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: MyUser
Target Domain: MYDOMAIN
Target Logon GUID: -
Target Server Name: servername.mydomain.lan
Target Server Info: servername.mydomain.lan
Caller Process ID: 2724
Source Network Address: -
Source Port: -
The process ID was the same on all three of them, so I looked it up, and right now at least it maps to TCP/IP Services (Microsoft).
I don't believe I changed any policies or anything on Friday. How should I interpret this?
© Server Fault or respective owner