Event Id | 531 |
Source | Netlogon |
Description | Logon failure. A logon attempt was made using a disabled account. |
Event Information | " According to Microsoft : CAUSE This section describes some of the common causes for account lockouts The common troubleshooting steps and resolutions for account lockouts are also described in this section. To avoid false lockouts, check each computer on which a lockout occurred RESOLUTION In an environment where you set the account lockout feature, you may notice a large number of lockouts that occur. To determine if these lockouts are false lockouts or a real attack: 1. Verify that the domain controllers and client computers are up-to-date with service packs and hotfixes. For more information, see the ""Recommended Service Packs and Hotfixes"" section in this document. 2. Configure your computers to capture data: 1. Enable auditing at the domain level. 2. Enable Netlogon logging. 3. Enable Kerberos logging. 3. Analyze data from the Security event log files and the Netlogon log files to help you determine where the lockouts are occurring and why. 4. Analyze the event logs on the computer that is generating the account lockouts to determine the cause. For more information, see the Account Lockout Tools section in this document" |
Reference Links | More Information |
Catch threats immediately
We work side-by-side with you to rapidly detect cyberthreats
and thwart attacks before they cause damage.