baxsoftreg
asked on
Locked out domain account
Hi, my W2k A.D. domain account gets locked out after I change the password every 30 days. I have checked this site for answers but nobody seems to be able to give a good solution on how to track down where the account is getting locked out from.
I have done the usual, deleted mapped drives, checked TS manager to see if my account is still logged onto a server, checked my services to see if I used my account to start one of them up and logged off my laptop and back on again but still my account gets locked out.
I would be grateful if anybody could provide a tool, script or some advice on how to track it down and stop it from locking my account.
Yes, as stated above, you must enable the logging of these events, and check on the domain controllers' event logs. They keep track of what PC the requests are coming from. You'll want to log failures to make sure you don't get your logs too full too fast.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
-rich
ASKER
Hi, thank you both for your replies but I do have security logging enabled and e.g. it gives the below message. Now, I have checked that server and I am not logged onto it nor do I have any open sessions, I have even rebooted it but still my account gets locked out........Help!!
"Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 11/03/2005
Time: 14:52:47
User: NT AUTHORITY\SYSTEM
Computer: DOMAIN CONTROLLER
Description:
The logon to account: USERNAME
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: XYZ
failed. The error code was: 3221225578"
is 'XYZ' your machine?
The event's being reported from XYZ, that is your machine then?
http://support.microsoft.com/?kbid=837142 might be of some help...
http://support.microsoft.com/kb/273499
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q272594
Also I trust that this is an event log from Date: 11/03/2005
You have to make sure your system time is within 5 minutes + or - of the time of the domain controllers. Kerberos doesn't like to work with system times that are further off than that.
Once you check your times as per above, check if you have Outlook in startup. Outlook is known to cache the old password, so when you change the password it tries to give the old credentials to Exchange, and then the lockout policy kicks in.
have a look at this;
http://support.microsoft.com/?id=276541
ASKER
tmehmet,
thanks, it did point me to the problem, a virus was somehow using my account and when I changed my password it started causing problems but overall, I think this is a one off as I have done all these searches before when accounts have been locked out and have been unable to successfully find the culprit. It would be great to have a tool to track the locked account for you. Anyway thanks.
Also, thanks Rich for your contribution.
what was the virus, just so others can know for future reference.
cheers.
ASKER
Believe it is NetDevil. It uses "Advapi" which can be used to impersonate a user that has logged onto that machine. In the logs, you would see "Logon Process = Advapi" rather than "Logon Process = Kerberos"
thanks
Once you change your password, whatever is causing your account to fail on login and thus triggering account lockout should be in the log.
Check your AD security event logs.
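
Added example, not part of the original thread: Event ID 681 records the failing workstation and an NTSTATUS code printed as an unsigned decimal; the 3221225578 in the record posted above is 0xC000006A (wrong password). This Python sketch tallies exported 681 descriptions per source workstation for one account; the function names, the FILESRV01 host and the sample text are constructed for illustration.

```python
import re
from collections import Counter

# Well-known NTSTATUS values that event 681 reports as unsigned decimals.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000193: "STATUS_ACCOUNT_EXPIRED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the description text of event 681 as shown in the thread.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+"
    r"by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)",
    re.IGNORECASE,
)

def decode_status(decimal_code):
    """Turn the decimal error code into hex plus a symbolic name."""
    code = int(decimal_code) & 0xFFFFFFFF
    return "0x%08X %s" % (code, NTSTATUS.get(code, "UNKNOWN"))

def parse_681(text):
    """Return one dict per event 681 description found in exported log text."""
    return [dict(m.groupdict(), status=decode_status(m["code"]))
            for m in EVENT_681.finditer(text)]

def failures_by_source(text, account):
    """Count failures for one account, grouped by (workstation, status)."""
    hits = Counter()
    for ev in parse_681(text):
        if ev["account"].lower() == account.lower():
            hits[(ev["workstation"], ev["status"])] += 1
    return hits.most_common()

# Constructed sample in the thread's format (FILESRV01 is a made-up host).
_T = ("The logon to account: %s\nby: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
      "from workstation: %s\nfailed. The error code was: %d\n\n")
SAMPLE = ((_T % ("USERNAME", "XYZ", 3221225578)) * 2
          + _T % ("username", "FILESRV01", 3221226036))
```

The workstation with the most wrong-password failures is the one to inspect first for cached credentials, services or malware using the old password.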