 |
 | Home | Contact Us | FAQ | Search & Site Map | Link to Us |
 | Sign In | Join | Other 45 Sites in Network |
Windows Server Forum / Security / General Topics / October 2005Disabled User Account
We seem to be getting these events after we disabled a certain user's account. If we re-enable (after changing password) we don't get these events. After doing this we don't see any lockout of that account. Oct 21 14:47:29 security[failure] 531 NT AUTHORITY\SYSTEM Logon Failure: Reason:Account currently disabled User Name: Domain: Logon Type:3 Logon Process:Authz Authentication Package:Kerberos Workstation Name:ComputerName Caller User Name:ComputerName$ Caller Domain:MPA Caller Logon ID:(0x0,0x3E7) Caller Process ID:1192 Transited Services:- Source Network Address:- Source Port:- In each event there is no User Name and the ComputerName, there are about four of them. The process ID is always equal to Svchost.exe. What I have checked is: Scheduled Tasks (none with user account) Logged on seasons local/TS/RDP (none) Network Attachments (mapped drives) I did find one interesting bit of information about Exchange 2003: http://support.microsoft.com/kb/278966 This has to do with the msExchMasterAccountSID and the Associated External Account permission. Following the steps outlined here has reduced the amount of attemps/events that we are getting. But, I am looking to put an end to these events. Simular events for exchange issues are these: Oct 20 10:16:56 msexchangeis[warning] 9548 Disabled user /O=CompanyName OU=OUName /cn=Recipients/cn=UserName does not have a master account SID. Please use Active Directory MMC to set an active account as this user's master account. For more information, click http://www.microsoft.com/contentredirect.asp. Oct 20 10:16:56 msexchangeis mailbox store[error] 1022 Logon Failure on database "First Storage Group\Mailbox Store (SERVERNAME)" - Windows 2000 account Domain\User; mailbox /O=CompanyName/OU=OU/cn=Recipients/cn=UserName. Error: -2147221231 For more information, click http://www.microsoft.com/contentredirect.asp. The second event shows Domain\User, which is the user that we assigned the email address of the disabled account. Any help or suggestions welcome, these alerts are keeping me up throughout the night. Thanks, Scott Hi Scott, Try the possible solution in http://support.microsoft.com/default.aspx?scid=kb;en-us;328880 Regards, Donna Buenaventura We seem to be getting these events after we disabled a certain user's account. If we re-enable (after changing password) we don't get these events. After doing this we don't see any lockout of that account. Oct 21 14:47:29 security[failure] 531 NT AUTHORITY\SYSTEM Logon Failure: Reason:Account currently disabled User Name: Domain: Logon Type:3 Logon Process:Authz Authentication Package:Kerberos Workstation Name:ComputerName Caller User Name:ComputerName$ Caller Domain:MPA Caller Logon ID:(0x0,0x3E7) Caller Process ID:1192 Transited Services:- Source Network Address:- Source Port:- In each event there is no User Name and the ComputerName, there are about four of them. The process ID is always equal to Svchost.exe. What I have checked is: Scheduled Tasks (none with user account) Logged on seasons local/TS/RDP (none) Network Attachments (mapped drives) I did find one interesting bit of information about Exchange 2003: http://support.microsoft.com/kb/278966 This has to do with the msExchMasterAccountSID and the Associated External Account permission. Following the steps outlined here has reduced the amount of attemps/events that we are getting. But, I am looking to put an end to these events. Simular events for exchange issues are these: Oct 20 10:16:56 msexchangeis[warning] 9548 Disabled user /O=CompanyName OU=OUName /cn=Recipients/cn=UserName does not have a master account SID. Please use Active Directory MMC to set an active account as this user's master account. For more information, click http://www.microsoft.com/contentredirect.asp. Oct 20 10:16:56 msexchangeis mailbox store[error] 1022 Logon Failure on database "First Storage Group\Mailbox Store (SERVERNAME)" - Windows 2000 account Domain\User; mailbox /O=CompanyName/OU=OU/cn=Recipients/cn=UserName. Error: -2147221231 For more information, click http://www.microsoft.com/contentredirect.asp. The second event shows Domain\User, which is the user that we assigned the email address of the disabled account. Any help or suggestions welcome, these alerts are keeping me up throughout the night. Thanks, Scott Donna, I have addressed the Public folder permissions and there was one location that was in question. Now I don't receive any of the MSEXCHANGE errors but, still I get the Event ID 531 "Account currently disabled". I am still looking into the Exchange portion. Thanks for the advice, Scott > Hi Scott, > Try the possible solution in [quoted text clipped - 50 lines] > Thanks, > Scott |
Reply to this Message |
 Sign In
 Join
 My Latest Posts My Monitored Threads My Blog My Photo Gallery My Profile My Homepage Start New Thread Enable EMail Alerts Rate this Thread
|
©2010 Advenet LLC Privacy Policy - Terms of Use
This website includes both content owned or controlled by Advenet as well as content owned or controlled by third parties.