Logon Failure event of a locked out account

I have SBS 2003 SP1. A tech that occasionally works on our server remotely
built an account called staff. When he doesn't need to use it I disable the
account, lock it out and change the password, but I keep getting this error
in groups of two or three. Should I be worried that someone is trying to
hack in?

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 6/25/2010
Time: 8:21:56 AM
User: NT AUTHORITY\SYSTEM
Computer: SCAPCADC
Description:
Logon Failure:
Reason: Account locked out
User Name: staff
Domain: SCAPCA
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SCAPCADC
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -


For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.

If it's always from the same computer (SCAPCADC) then something is probably
left connecting with a stored password (credentials).

If it's a different computer or that computer isn't under your control, then
you should be concerned.


Carl Gross wrote:
> I have SBS 2003 SP1. A tech that occasionally works on our server
> remotely built an account called staff. When he doesn't need to use
> it I disable the account, lock it out and change the password, but I
> keep getting this error in groups of two or three. Should I be
> worried that someone is trying to hack in?
>
> Event Type: Failure Audit
> Event Source: Security
> Event Category: Logon/Logoff
> Event ID: 539
> Date: 6/25/2010
> Time: 8:21:56 AM
> User: NT AUTHORITY\SYSTEM
> Computer: SCAPCADC
> Description:
> Logon Failure:
> Reason: Account locked out
> User Name: staff
> Domain: SCAPCA
> Logon Type: 3
> Logon Process: NtLmSsp
> Authentication Package: NTLM
> Workstation Name: SCAPCADC
> Caller User Name: -
> Caller Domain: -
> Caller Logon ID: -
> Caller Process ID: -
> Transited Services: -
> Source Network Address: -
> Source Port: -
>
>
> For more information, see Help and Support Center at
> http://go.microsoft.com/fwlink/events.asp.

--
/kj

look for a MAPPED Drive letter (manually Mapped)
on the system that the error is coming from and delete it.
(Set up Drive mappings in login script SBS2003)
or group Policy SBS2008
Russ

--
For Future SBS Related Questions Please post to
http://social.technet.microsoft.com/...server/threads
Or use the easy to remember http://www.SBSRepair.com (Redirect)
-------
Russell Grover - SBITS.Biz [SBS-MVP]
MCP, MCPS, MCNPS, SBSC
Remote Small Business Server/Computer Support - www.SBITS.Biz
BPOS - Microsoft Online Services - www.BPOSMadeEasy.com


"kj [SBS MVP]" <> wrote in message
news:...
> If it's always from the same computer (SCAPCADC) then something is
> probably left connecting with a stored password (credentials).
>
> If it's a different computer or that computer isn't under your control,
> then you should be concerned.
>
>
> Carl Gross wrote:
>> I have SBS 2003 SP1. A tech that occasionally works on our server
>> remotely built an account called staff. When he doesn't need to use
>> it I disable the account, lock it out and change the password, but I
>> keep getting this error in groups of two or three. Should I be
>> worried that someone is trying to hack in?
>>
>> Event Type: Failure Audit
>> Event Source: Security
>> Event Category: Logon/Logoff
>> Event ID: 539
>> Date: 6/25/2010
>> Time: 8:21:56 AM
>> User: NT AUTHORITY\SYSTEM
>> Computer: SCAPCADC
>> Description:
>> Logon Failure:
>> Reason: Account locked out
>> User Name: staff
>> Domain: SCAPCA
>> Logon Type: 3
>> Logon Process: NtLmSsp
>> Authentication Package: NTLM
>> Workstation Name: SCAPCADC
>> Caller User Name: -
>> Caller Domain: -
>> Caller Logon ID: -
>> Caller Process ID: -
>> Transited Services: -
>> Source Network Address: -
>> Source Port: -
>>
>>
>> For more information, see Help and Support Center at
>> http://go.microsoft.com/fwlink/events.asp.
>
> --
> /kj
>