Event ID 530 – Logon Failure: Account Logon Time Restriction Violation
|Description||Logon failure — Account logon time restriction violation|
Event 530 is generated when a user attempts to logon to a workstation or server during non-business hours (outside the hour/day/week time restrictions that are set for that account). This event is generated on the same server or workstation where the user tried to logon. When the user fails to log onto the domain controller, the event is once again generated.
This event is generated only when the logon attempt is made with a domain account. This does not hold good for local accounts which have no time restrictions.
This log data provides the following information:
- User Name
- Logon Type
- Logon Process
- Authentication Package
- Workstation Name
Additionally, in Windows Server 2003, the following information is also made available:
- Caller User Name
- Caller Domain
- Caller Logon ID
- Caller Process ID
- Transited Services
- Source Network Address
- Source Port
Why does event ID 530 need to be monitored?
- To detect brute-force, dictionary, and other password guess attacks.
- To detect abnormal and possibly malicious internal activity.
- To come up with a benchmark for the account lockout threshold policy.
- To ensure compliance with regulatory mandates.
ADAudit Plus can identify whether any user who has a 'logon hour restriction' is trying to access the systems during non-business, prohibited hours and provide real-time alerts.
Event 530 applies to the following operating systems:
- Windows Server 2000
- Windows 2003 and XP
Corresponding event ID in Windows 2008 and Vista is 4625.