Event ID - 531

Event Id531
SourceNetlogon
DescriptionLogon failure. A logon attempt was made using a disabled account.
Event Information" According to Microsoft :

CAUSE


This section describes some of the common causes for account lockouts The common troubleshooting steps and resolutions for account lockouts are also described in this section.
To avoid false lockouts, check each computer on which a lockout occurred

RESOLUTION

In an environment where you set the account lockout feature, you may notice a large number of lockouts that occur. To determine if these lockouts are false lockouts or a real attack:

1. Verify that the domain controllers and client computers are up-to-date with service packs and hotfixes. For more information, see the ""Recommended Service Packs and Hotfixes"" section in this document.
2. Configure your computers to capture data:

1. Enable auditing at the domain level.
2. Enable Netlogon logging.
3. Enable Kerberos logging.

3. Analyze data from the Security event log files and the Netlogon log files to help you determine where the lockouts are occurring and why.
4. Analyze the event logs on the computer that is generating the account lockouts to determine the cause.
For more information, see the Account Lockout Tools section in this document"
Reference LinksMore Information

Catch threats immediately

We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.

See what we caught

Did this information help you to resolve the problem?

Yes: My problem was resolved.
No: The information was not helpful / Partially helpful.