Logon Logoff Event: 531

Active Directory Auditing Tool

The Who, Where and When information is very important for an administrator to have complete knowledge of all activities that occur on their Active Directory. This helps them identify any desired / undesired activity happening. ADAudit Plus assists an administrator with this information in the form of reports. In real-time, ensure critical resources in the network like the Domain Controllers are audited, monitored and reported with the entire information on AD objects - Users, Groups, GPO, Computer, OU, DNS, AD Schema and Configuration changes with 200+ detailed event specific GUI reports and email alerts.

Logon Logoff » Logon Logoff Event: 531

Event ID 531 – Logon Failure: Account Currently Disabled

Event ID 531
Category Logon/Logoff
Type Failure Audit
Description Logon failure – Account currently disabled

When a user attempts to log on to a workstation or server with a disabled account, event 531 is generated. This event is also registered on workstations and servers when a user attempts to logon using a local SAM or domain account. This particular action will also trigger a corresponding failure event in the Account Logon category.

This log data provides the following information:

  • User Name
  • Domain
  • Logon Type
  • Logon Process
  • Authentication Package
  • Workstation Name

Additionally, in Windows Server 2003, the following information is also made available:

  • Caller User Name
  • Caller Domain
  • Caller Logon ID
  • Caller Process ID
  • Transited Services
  • Source Network Address
  • Source Port

Why does event ID 531 need to be monitored?

  • To detect brute-force, dictionary, and other password guess attacks.
  • To detect abnormal and possibly malicious internal activity.
  • To come up with a benchmark for the account lockout threshold policy.
  • To ensure compliance with regulatory mandates.

Pro Tip:

With in-depth reports, real-time alerts, and graphical displays, ADAudit Plus tracks logon failures, helping you meet your security, operational, and compliance needs with absolute ease.

Event 531 applies to the following operating systems:

  • Windows Server 2000
  • Windows 2003 and XP

Corresponding event ID in Windows 2008 and Windows Vista is 4625.

Explore Active Directory auditing and reporting with ADAudit Plus.

  •  
  •  
  •  
  • By clicking 'Schedule a personalized demo' you agree to processing of personal data according to the Privacy Policy.
Account Management Auditing
Active Directory Auditing
Windows Server Auditing