"Account locked out" security event at midnight

security windows-event-log windows-server-2003

The last three midnights I've gotten an Event ID 539 in the log...about my own account:

Event Type: Failure Audit
Event Source:   Security
Event Category: Logon/Logoff 
Event ID:   539
Date:       2010-04-26
Time:       12:00:20 AM
User:       NT AUTHORITY\SYSTEM
Computer:   SERVERNAME
Description:
Logon Failure:
    Reason:     Account locked out
    User Name:  MyUser
    Domain: MYDOMAIN
    Logon Type: 3
    Logon Process:  NtLmSsp 
    Authentication Package: NTLM
    Workstation Name:   SERVERNAME
    Caller User Name:   -
    Caller Domain:  -
    Caller Logon ID:    -
    Caller Process ID: -
    Transited Services: -
    Source Network Address: -
    Source Port:    -

It's always within a half minute of midnight. There are no login attempts before it. Right after it (in the same second) there's a success audit entry:

Logon attempt using explicit credentials:
 Logged on user:
    User Name:  SERVERNAME$
    Domain:     MYDOMAIN
    Logon ID:       (0x0,0x3E7)
    Logon GUID: -
 User whose credentials were used:
    Target User Name:   MyUser
    Target Domain:  MYDOMAIN
    Target Logon GUID: -

 Target Server Name:    servername.mydomain.lan
 Target Server Info:    servername.mydomain.lan
 Caller Process ID: 2724
 Source Network Address:    -
 Source Port:   -

The process ID was the same on all three of them, so I looked it up, and right now at least it maps to TCP/IP Services (Microsoft).

I don't believe I changed any policies or anything on Friday. How should I interpret this?


Do you have a schedule task that runs under your account that connects to a share at midnight? Event ID 552 (the second event) is usually generated when a user (in this case the system) uses runas to run a process as another account.

However- upon a closer look, the Logon ID: (0x0,0x3E7)- shows that a service is the one doing the impersonation. Take a closer look at the services on the machine. You can also get this if another machine is mapping a drive with your credentials and the saved credentials have expired. Since the service was tcpip that's where I'm betting my nickel on now.


Account lockouts can be a pain to troubleshoot. My first reccomendation would be to get the Account Lockout Tools from Microsoft.

Using these tools you can figure out which of your DC's are actually locking out the account. From there you'll need to do some snooping in the security log to figure out which server is causing the lockout to happen, then you can figure out what on that server is locking your account.


It's likely an automated event, like a service running under your credentials. Hop on the server and sort services.msc by the Logon As field and see if you're in there.

Related

Memory Usage on Linux box does not match up with `free`
Do large folder sizes slow down IO performance?
How do I upgrade the kernel in Ubuntu Server 10.04?
Can a RAID array be rebuilt through DRAC? [closed]
My dns works when I do a “dig @mynameserver hostname” but not when I do a “dig hostname”
MAC address spoofing - why doesn't this work? [closed]
"bitness" and printer servers
Ubuntu / See restart history
Where is RewriteMap allowed?
Using Windows, can I tell a single program to use a specific gateway IP?
Can an active directory group indirectly include itself in a cycle?
How can I replace line #6 in a text file in a bash script?