"Account locked out" security event at midnight
The last three midnights I've gotten an Event ID 539 in the log...about my own account:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 2010-04-26
Time: 12:00:20 AM
User: NT AUTHORITY\SYSTEM
Computer: SERVERNAME
Description:
Logon Failure:
Reason: Account locked out
User Name: MyUser
Domain: MYDOMAIN
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVERNAME
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
It's always within a half minute of midnight. There are no login attempts before it. Right after it (in the same second) there's a success audit entry:
Logon attempt using explicit credentials:
Logged on user:
User Name: SERVERNAME$
Domain: MYDOMAIN
Logon ID: (0x0,0x3E7)
Logon GUID: -
User whose credentials were used:
Target User Name: MyUser
Target Domain: MYDOMAIN
Target Logon GUID: -
Target Server Name: servername.mydomain.lan
Target Server Info: servername.mydomain.lan
Caller Process ID: 2724
Source Network Address: -
Source Port: -
The process ID was the same on all three of them, so I looked it up, and right now at least it maps to TCP/IP Services (Microsoft).
I don't believe I changed any policies or anything on Friday. How should I interpret this?
Do you have a scheduled task that runs under your account and connects to a share at midnight? Event ID 552 (the second event) is usually generated when a user (in this case the system) uses runas to run a process as another account.
However, upon a closer look, the Logon ID (0x0,0x3E7) shows that a service is the one doing the impersonation. Take a closer look at the services on the machine. You can also get this if another machine is mapping a drive with your credentials and the saved credentials have expired. Since the service was tcpip, that's where I'm betting my nickel now.
Account lockouts can be a pain to troubleshoot. My first recommendation would be to get the Account Lockout Tools from Microsoft.
Using these tools you can figure out which of your DCs are actually locking out the account. From there you'll need to do some snooping in the security log to figure out which server is causing the lockout to happen, then you can figure out what on that server is locking your account.
It's likely an automated event, like a service running under your credentials. Hop on the server and sort services.msc by the Log On As field and see if you're in there.
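Both answers boil down to the same checks: find services and scheduled tasks that log on as the locked-out account, and tie the 552 event's caller process to something on the box. The script below is an added example, not code from the question or either answer. It assumes a Windows Server 2003-era host (lockouts logged as Security Event ID 539, explicit-credential logons as 552, as in the question) and sticks to PowerShell 2.0 syntax; the account and computer names are placeholders. One detail worth automating: a service host process carries several services under one PID, so resolving the caller PID to a single service name (the way Task Manager did for "TCP/IP Services") can hide the real culprit; the script lists every service in that PID instead.

```powershell
# Added example: not code from the question or either answer.
# Assumptions: Security Event ID 539 = lockout, 552 = explicit-credential logon
# (the IDs shown in the question), PowerShell 2.0 syntax.
# $Account and $Computer are placeholders; substitute your own values.
param(
    [string]$Account  = 'MyUser',
    [string]$Computer = $env:COMPUTERNAME,
    [int]$Days        = 7
)
$escaped = [regex]::Escape($Account)

# 1. Services whose "Log On As" account contains the locked-out user
#    (the scripted form of sorting services.msc by the Log On As column).
$services = Get-WmiObject -Class Win32_Service -ComputerName $Computer
$suspectServices = $services |
    Where-Object { $_.StartName -match $escaped } |
    Select-Object Name, StartName, State, ProcessId

# 2. Scheduled tasks that run as the account. "schtasks /v /fo CSV" emits a
#    "Run As User" column; the header row and any INFO line fall out in the filter.
$suspectTasks = schtasks /query /s $Computer /v /fo CSV | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $escaped } |
    Select-Object TaskName, 'Run As User', 'Next Run Time', 'Task To Run'

# 3. Lockout (539) and explicit-credential (552) events naming the account, then
#    pair each lockout with any 552 logged within two seconds of it, since the
#    question shows the two landing in the same second.
$events = Get-EventLog -LogName Security -ComputerName $Computer -After (Get-Date).AddDays(-$Days) |
    Where-Object { (539, 552) -contains $_.EventID -and $_.Message -match $escaped }

$pairs = foreach ($lockout in ($events | Where-Object { $_.EventID -eq 539 })) {
    $partners = $events | Where-Object {
        $_.EventID -eq 552 -and
        [math]::Abs(($_.TimeGenerated - $lockout.TimeGenerated).TotalSeconds) -le 2
    }
    foreach ($p in $partners) {
        # Pull "Caller Process ID: N" out of the 552 message and resolve it.
        $callerPid = $null
        if ($p.Message -match 'Caller Process ID:\s*(\d+)') { $callerPid = [int]$matches[1] }
        $image = '(not running now; PID may have been reused since the event)'
        if ($callerPid) {
            $proc = Get-WmiObject -Class Win32_Process -ComputerName $Computer -Filter "ProcessId = $callerPid"
            if ($proc) { $image = $proc.ExecutablePath }
        }
        # All services currently hosted in that PID, not just the first one.
        $hosted = ($services | Where-Object { $_.ProcessId -eq $callerPid } |
            ForEach-Object { $_.Name }) -join ', '
        New-Object PSObject -Property @{
            LockoutTime   = $lockout.TimeGenerated
            CallerPid     = $callerPid
            CallerImage   = $image
            ServicesInPid = $hosted
        }
    }
}

"== Services logging on as $Account =="
$suspectServices | Format-Table -AutoSize
"== Scheduled tasks running as $Account =="
$suspectTasks | Format-Table -AutoSize
"== Lockouts paired with explicit-credential logons =="
$pairs | Format-Table LockoutTime, CallerPid, CallerImage, ServicesInPid -AutoSize
```

Run it on the server that shows the 539/552 pair; to follow the second answer's advice about finding the locking DC, point `-Computer` at each domain controller in turn so the same event search runs against the DC's Security log. The PID lookup is only meaningful while the caller process is still running, which is why the script prints the "PID may have been reused" placeholder rather than guessing.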