baxsoftreg


Locked out domain account

Hi, my W2k A.D. domain account gets locked out after I change the password every 30 days. I have checked this site for answers but nobody seems to be able to give a good solution on how to track down where the account is getting locked out from.

I have done the usual, deleted mapped drives, checked TS manager to see if my account is still logged onto a server, checked my services to see if I used my account to start one of them up and logged off my laptop and back on again but still my account gets locked out.

I would be grateful if anybody could provide a tool, script or some advice on how to track it down and stop it from locking my account.
tmehmet

You need to enable security logging for your event logs.

Once you change your password, whatever is causing your account to fail on login and thus triggering account lockout should be in the log.

Check your AD security event logs.
Rich Rumble
Yes, as stated above, you must enable the logging of these events, and check on the domain controllers' event logs. They keep track of what PC the requests are coming from. You'll want to log failures to make sure you don't get your logs too full too fast.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
-rich
baxsoftreg

ASKER

Hi, thank you both for your replies but I do have security logging enabled and e.g. it gives the below message. Now, I have checked that server and I am not logged onto it nor do I have any open sessions, I have even rebooted it but still my account gets locked out... Help!!

"Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      681
Date:            11/03/2005
Time:            14:52:47
User:            NT AUTHORITY\SYSTEM
Computer:      DOMAIN CONTROLLER
Description:
The logon to account: USERNAME
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: XYZ
 failed. The error code was: 3221225578"
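
One way to answer the "where is it coming from" question from records like the one quoted above, as an added example that is not from the thread or any of its participants: this Python code parses exported event 681 descriptions, decodes the decimal error code to its NTSTATUS name (3221225578 is 0xC000006A, wrong password) and tallies wrong-password failures per workstation. The account and workstation names in the sample (jsmith, adoe, LAPTOP7) are constructed.

```python
import re
from collections import Counter

# NTSTATUS values that show up in event 681 (logged in decimal, shown here in hex).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000070: "STATUS_INVALID_WORKSTATION",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the description text of a Windows 2000 event 681 record.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+"
    r"by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)"
)

def parse_681(log_text):
    """Yield (account, workstation, status_name) for each event 681 found."""
    for m in EVENT_681.finditer(log_text):
        code = int(m.group("code"))
        name = NTSTATUS.get(code, "0x%08X" % code)  # unknown codes stay as hex
        yield (m.group("account").lower(),
               m.group("workstation").lstrip("\\").upper(), name)

def lockout_sources(log_text, account):
    """Count wrong-password failures for one account, grouped by workstation."""
    hits = Counter()
    for acct, workstation, status in parse_681(log_text):
        if acct == account.lower() and status == "STATUS_WRONG_PASSWORD":
            hits[workstation] += 1
    return hits.most_common()  # busiest source first

# Constructed sample: five records in the format quoted in the post above.
REC = ("The logon to account: {0}\n by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
       " from workstation: {1}\n failed. The error code was: {2}\n")
SAMPLE = "".join(REC.format(*r) for r in [
    ("jsmith", "XYZ", 3221225578), ("jsmith", "XYZ", 3221225578),
    ("jsmith", "LAPTOP7", 3221225578), ("adoe", "XYZ", 3221225578),
    ("jsmith", "XYZ", 3221226036)])

if __name__ == "__main__":
    for workstation, count in lockout_sources(SAMPLE, "jsmith"):
        print(workstation, count)
```

The workstation with the highest count is the first place to look for a stored credential, service or process still presenting the old password.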
 
Is 'XYZ' your machine?
The event's being reported from XYZ, that is your machine then?
http://support.microsoft.com/?kbid=837142 might be of some help...
http://support.microsoft.com/kb/273499
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q272594

Also I trust that this is an event log from Date:  11/03/2005
You have to make sure your system time is within 5 minutes + or - of the time of the domain controllers. Kerberos doesn't like to work with system times that are further off than that.
Once you check your times as per above, check if you have Outlook in startup. Outlook is known to cache the old password, so when you change the password, it tries to give the old credentials to Exchange, and then the lockout policy kicks in.

Have a look at this:

http://support.microsoft.com/?id=276541

ASKER CERTIFIED SOLUTION
tmehmet

tmehmet,
thanks, it did point me to the problem, a virus was somehow using my account and when I changed my password it started causing problems but overall, I think this is a one off as I have done all these searches before when accounts have been locked out and have been unable to successfully find the culprit. It would be great to have a tool to track the locked account for you. Anyway thanks.

Also, thanks Rich for your contribution.
What was the virus, just so others can know for future reference?

cheers.
Believe it is NetDevil. It uses "Advapi" which can be used to impersonate a user that has logged onto that machine. In the logs, you would see "Logon Process = Advapi" rather than "Logon Process = Kerberos"

thanks