  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 3864

Locked out domain account

Hi, my W2k A.D. domain account gets locked out after I change the password every 30 days. I have checked this site for answers but nobody seems to be able to give a good solution on how to track down where the account is getting locked out from.

I have done the usual, deleted mapped drives, checked TS manager to see if my account is still logged onto a server, checked my services to see if I used my account to start one of them up and logged off my laptop and back on again but still my account gets locked out.

I would be grateful if anybody could provide a tool, script or some advice on how to track it down and stop it from locking my account.
baxsoftreg
Asked:
 
tmehmet Commented:
You need to enable security logging for your event logs.

Once you change your password, whatever is causing your account to fail on login and thus triggering account lockout should be in the log.

Check your AD security event logs.
 
Rich Rumble (Security Samurai) Commented:
Yes, as stated above, you must enable the logging of these events, and check the domain controllers' event logs. They keep track of what PC the requests are coming from. You'll want to log failures to make sure you don't get your logs too full too fast.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logonoff.mspx
http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/monitor/logevnts.mspx
-rich
 
baxsoftreg (Author) Commented:
Hi, thank you both for your replies but I do have security logging enabled and e.g. it gives the below message. Now, I have checked that server and I am not logged onto it nor do I have any open sessions, I have even rebooted it but still my account gets locked out... Help!!

"Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      681
Date:            11/03/2005
Time:            14:52:47
User:            NT AUTHORITY\SYSTEM
Computer:      DOMAIN CONTROLLER
Description:
The logon to account: USERNAME
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: XYZ
 failed. The error code was: 3221225578"
 

 
tmehmet Commented:
Is 'XYZ' your machine?
 
Rich Rumble (Security Samurai) Commented:
The event's being reported from XYZ, that is your machine then?
http://support.microsoft.com/?kbid=837142 might be of some help...
http://support.microsoft.com/kb/273499
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q272594

Also I trust that this is an event log from Date:  11/03/2005
You have to make sure your system time is within 5 minutes + or - of the time of the domain controllers. Kerberos doesn't like to work with system times that are further off than that.
 
tmehmet Commented:
Once you check your times as per above, check if you have Outlook in startup. Outlook is known to cache the old password, so when you change the password, it tries to give the old credentials to Exchange, and then the lockout policy kicks in.

Have a look at this:

http://support.microsoft.com/?id=276541

 
tmehmet Commented:
There should be logs on the workstation XYZ. If it did attempt to connect and failed, it should have recorded it (assuming auditing is enabled). This may also give a clue as to the problem.
 
baxsoftreg (Author) Commented:
tmehmet,
thanks, it did point me to the problem, a virus was somehow using my account and when I changed my password it started causing problems but overall, I think this is a one off as I have done all these searches before when accounts have been locked out and have been unable to successfully find the culprit. It would be great to have a tool to track the locked account for you. Anyway thanks.

Also, thanks Rich for your contribution.
 
tmehmet Commented:
What was the virus, just so others can know for future reference?

cheers.
 
baxsoftreg (Author) Commented:
Believe it is NetDevil. It uses "Advapi" which can be used to impersonate a user that has logged onto that machine. In the logs, you would see "Logon Process = Advapi" rather than "Logon Process = Kerberos"

thanks
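The error code in the event 681 quoted earlier in the thread is an NTSTATUS value printed in decimal (3221225578 is 0xC000006A, wrong password). The Python sketch below is an added example, not code from any poster in this thread: it parses exported event 681 descriptions, decodes the code, and counts failures per account and workstation so the machine sending stale credentials stands out. The function names, the short status table and the sample events are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS values commonly seen in event 681, which logs them as unsigned decimal.
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the description text of event 681 as it appears in the thread.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+"
    r"by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>\d+)"
)

def decode_status(decimal_code):
    """Return (hex string, symbolic name) for a decimal event 681 error code."""
    code = int(decimal_code)
    return f"0x{code:08X}", NTSTATUS.get(code, "UNKNOWN")

def lockout_sources(log_text):
    """Count failures per (account, workstation, status), most frequent first."""
    tally = Counter()
    for m in EVENT_681.finditer(log_text):
        _, name = decode_status(m["code"])
        tally[(m["account"].lower(), m["workstation"].upper(), name)] += 1
    return tally.most_common()

# Constructed sample export: account and workstation names are placeholders.
TEMPLATE = ("The logon to account: {0}\n by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
            " from workstation: {1}\n failed. The error code was: {2}\n")
SAMPLE = "".join(TEMPLATE.format(*event) for event in [
    ("USERNAME", "XYZ", 3221225578),
    ("USERNAME", "XYZ", 3221225578),
    ("OTHERUSER", "ABC", 3221225578),
    ("USERNAME", "XYZ", 3221225578),
    ("USERNAME", "XYZ", 3221226036),
])

if __name__ == "__main__":
    for (account, workstation, status), count in lockout_sources(SAMPLE):
        print(f"{count:4d}  {account:10s} {workstation:10s} {status}")
```

A workstation that keeps producing STATUS_WRONG_PASSWORD for one account right after a password change is the place to look for cached credentials, a service, or, as in this thread, malware reusing the old password.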
