Type: Failure Audit
Reason: Account locked out
User Name: <user name>
Domain: <domain name>
Logon Type: 3
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name: <computer name>
Concepts to understand:
What is an authentication protocol?
As per Microsoft: "A user tried to log on to the system using an account that is locked out. A large number of these events logged in Event Viewer usually indicate that a service account password is configured incorrectly or a program password does not match the password on the server". See MSW2KDB for details.
See ME171148, ME182918 and ME922730 for additional information about this event.
ME174073 is also very helpful in troubleshooting this event and other audit failures in general.
See ME287639, ME263821 and ME264678. Service Pack 3 for Win2k should fix this problem.
The types of successful logon types are:
Type 2 : Console logon - interactive from the computer console.
Type 3 : Network logon - network mapping (net use/net view).
Type 4 : Batch logon - scheduler.
Type 5 : Service logon - service uses an account.
Type 7 : Unlock Workstation.
Type 0 & 1 are not used and Type 6 is listed as a proxy logon but I do not know what that is. The Logon Type 3 events indicate a network logon event. A successful Net Use or File Manager connection or a successful Net View to a share generates Event ID 528. An event is generated by the initial connection from a particular user. Later Net Uses or Net Views by that user from the same computer do not generate additional events unless the user has been disconnected.
This event indicates a logon attempt for a locked account (the account was locked out at the time the logon attempt was made). This event can (but not necessarily) indicate that a password attack was launched unsuccessfully, resulting in the account being locked out.
If the account is SMSCliToknAcct&, see ME299352.
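As an added example (not part of the original page or its contributors' comments), the Python code below parses event descriptions in the field layout shown at the top of this page, keeps only those with Reason "Account locked out", and counts them per account, source workstation and logon type so that the "large number of these events" case stands out. The sample events, the `CORP` domain, the account and host names, and the `threshold` cut-off are constructed assumptions.

```python
from collections import Counter, defaultdict

# Logon type names as listed on this page.
LOGON_TYPES = {2: "Console", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock Workstation"}

def parse_event(description):
    """Turn the 'Field: value' lines of one event description into a dict."""
    fields = {}
    for line in description.splitlines():
        name, sep, value = line.partition(":")
        if sep:
            fields[name.strip()] = value.strip()
    return fields

def summarize_lockouts(descriptions, threshold=3):
    """Count locked-out logon attempts per (domain, user), busiest first."""
    # threshold is an assumed cut-off for "a large number"; tune it per site.
    stats = defaultdict(lambda: {"count": 0, "sources": Counter(), "types": Counter()})
    for text in descriptions:
        ev = parse_event(text)
        if ev.get("Reason") != "Account locked out":
            continue  # other failure reasons are out of scope here
        entry = stats[(ev.get("Domain", "?"), ev.get("User Name", "?"))]
        entry["count"] += 1
        entry["sources"][ev.get("Workstation Name", "?")] += 1
        raw_type = ev.get("Logon Type", "")
        code = int(raw_type) if raw_type.isdigit() else None
        entry["types"][LOGON_TYPES.get(code, f"Type {raw_type or '?'}")] += 1
    report = []
    for (domain, user), e in sorted(stats.items(), key=lambda kv: -kv[1]["count"]):
        report.append({"account": f"{domain}\\{user}", "count": e["count"],
                       "sources": dict(e["sources"]), "logon_types": dict(e["types"]),
                       "repeated": e["count"] >= threshold})
    return report

def make_event(user, host, logon_type="3", reason="Account locked out"):
    """Build a constructed sample description in the layout shown on this page."""
    return (f"Reason: {reason}\nUser Name: {user}\nDomain: CORP\n"
            f"Logon Type: {logon_type}\nLogon Process: Advapi\n"
            f"Workstation Name: {host}")

# Constructed sample data (not real logs).
SAMPLE = ([make_event("svc_backup", "SRV01")] * 4
          + [make_event("jdoe", "WS07", "2")]
          + [make_event("jdoe", "WS07", "2", "Unknown user name or bad password")])

if __name__ == "__main__":
    for row in summarize_lockouts(SAMPLE):
        print(row)
```

An account that keeps appearing from one workstation is the first place to check for a stored service or program password that no longer matches.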
Links: ME171148, ME174073, ME174074, ME182918, ME263821, ME264678, ME287639, ME299352, ME922730, Online Analysis of Security Event Log, MSW2KDB