|
Posted by =?Utf-8?B?U01CYWtlcg==?= on October 21, 2005, 3:48 pm
If you were Registered and logged in, you could reply and use other advanced thread options
We seem to be getting these events after we disabled a certain user's
account. If we re-enable (after changing password) we don't get these events.
After doing this we don't see any lockout of that account.
Oct 21 14:47:29 security[failure] 531 NT AUTHORITY\SYSTEM Logon Failure:
Reason:Account currently disabled User Name: Domain: Logon Type:3 Logon
Process:Authz Authentication Package:Kerberos Workstation
Name:ComputerName Caller User Name:ComputerName$ Caller Domain:MPA Caller
Logon ID:(0x0,0x3E7) Caller Process ID:1192 Transited Services:- Source
Network Address:- Source Port:-
In each event there is no User Name and the ComputerName, there are about
four of them. The process ID is always equal to Svchost.exe.
What I have checked is:
Scheduled Tasks (none with user account)
Logged on seasons local/TS/RDP (none)
Network Attachments (mapped drives)
I did find one interesting bit of information about Exchange 2003:
http://support.microsoft.com/kb/278966
This has to do with the msExchMasterAccountSID and the Associated External
Account permission. Following the steps outlined here has reduced the amount
of attemps/events that we are getting. But, I am looking to put an end to
these events.
Simular events for exchange issues are these:
Oct 20 10:16:56 msexchangeis[warning] 9548 Disabled user /O=CompanyName
OU=OUName /cn=Recipients/cn=UserName does not have a master account SID.
Please use Active Directory MMC to set an active account as this user's
master account. For more information, click
http://www.microsoft.com/contentredirect.asp.
Oct 20 10:16:56 msexchangeis mailbox store[error] 1022 Logon Failure on
database "First Storage Group\Mailbox Store (SERVERNAME)" - Windows 2000
account Domain\User; mailbox /O=CompanyName/OU=OU/cn=Recipients/cn=UserName.
Error: -2147221231 For more information, click
http://www.microsoft.com/contentredirect.asp.
The second event shows Domain\User, which is the user that we assigned the
email address of the disabled account.
Any help or suggestions welcome, these alerts are keeping me up throughout
the night.
Thanks,
Scott
|
|
Posted by Donna Buenaventura [MVP] on October 23, 2005, 11:07 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Hi Scott,
Try the possible solution in
http://support.microsoft.com/default.aspx?scid=kb;en-us;328880
Regards,
Donna Buenaventura
We seem to be getting these events after we disabled a certain user's
account. If we re-enable (after changing password) we don't get these
events.
After doing this we don't see any lockout of that account.
Oct 21 14:47:29 security[failure] 531 NT AUTHORITY\SYSTEM Logon Failure:
Reason:Account currently disabled User Name: Domain: Logon Type:3 Logon
Process:Authz Authentication Package:Kerberos Workstation
Name:ComputerName Caller User Name:ComputerName$ Caller Domain:MPA Caller
Logon ID:(0x0,0x3E7) Caller Process ID:1192 Transited Services:- Source
Network Address:- Source Port:-
In each event there is no User Name and the ComputerName, there are about
four of them. The process ID is always equal to Svchost.exe.
What I have checked is:
Scheduled Tasks (none with user account)
Logged on seasons local/TS/RDP (none)
Network Attachments (mapped drives)
I did find one interesting bit of information about Exchange 2003:
http://support.microsoft.com/kb/278966
This has to do with the msExchMasterAccountSID and the Associated External
Account permission. Following the steps outlined here has reduced the amount
of attemps/events that we are getting. But, I am looking to put an end to
these events.
Simular events for exchange issues are these:
Oct 20 10:16:56 msexchangeis[warning] 9548 Disabled user /O=CompanyName
OU=OUName /cn=Recipients/cn=UserName does not have a master account SID.
Please use Active Directory MMC to set an active account as this user's
master account. For more information, click
http://www.microsoft.com/contentredirect.asp.
Oct 20 10:16:56 msexchangeis mailbox store[error] 1022 Logon Failure on
database "First Storage Group\Mailbox Store (SERVERNAME)" - Windows 2000
account Domain\User; mailbox /O=CompanyName/OU=OU/cn=Recipients/cn=UserName.
Error: -2147221231 For more information, click
http://www.microsoft.com/contentredirect.asp.
The second event shows Domain\User, which is the user that we assigned the
email address of the disabled account.
Any help or suggestions welcome, these alerts are keeping me up throughout
the night.
Thanks,
Scott
|
| Similar Threads | Posted | | How do I find out who disabled an account in AD? | July 21, 2005, 10:33 am |
| How to enable Auditing to trace who disabled user's account. | January 20, 2006, 12:05 pm |
| Re-enaled disabled account Exchange 1022 error 2147221231 | September 29, 2006, 10:39 am |
| user account types | July 5, 2005, 2:03 pm |
| disabling FW with user account | December 1, 2005, 2:11 am |
| User account always locking out | September 6, 2006, 12:43 pm |
| Disable CD ROM for Certain User Account | October 30, 2006, 7:07 am |
| user account exceptions | March 10, 2007, 1:43 pm |
| Forgot my password for User Account | February 9, 2006, 12:03 pm |
| User account access denied! | April 22, 2006, 4:17 am |
|
XML site map