Solved

Help, account keeps getting locked out. How to trace what services a username is tied to?

Posted on 2006-05-22
32
Medium Priority
72,235 Views
Last Modified: 2012-10-06
Hey all, here is my situation.

My user account has recently changed its password. All of a sudden I keep getting my account locked out every 5 minutes. I have searched the services on all 200 servers to see if I am tied to any service with my username, but with no success; I have not had any leads. Maybe I have overlooked something, but my question is, how can I find out if my account is tied to any services? Are there any utilities that will scan servers by username and report any services that may use that account name? I am breaking my head over this and I feel like I am overlooking something ridiculous..... My event logs look like this:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            5/22/2006
Time:            3:54:43 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SV000DC1
Description:
Pre-authentication failed:
       User Name:      JOmar
       User ID:            BKUNA\JOmar
       Service Name:      krbtgt/bkuna.com
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      127.0.0.1


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            5/22/2006
Time:            3:54:43 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SV000DC1
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      jomar
 Source Workstation:      SV000DC1
 Error Code:      0xC0000234


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            5/22/2006
Time:            3:54:43 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SV000DC1
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      jomar
       Domain:      bkuna.com
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      SV000DC1
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      -
       Source Port:      -


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
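As an added example (not from the question or any reply on this page), here is a small Python triage script for Event Viewer text like the three events above. It parses each event into fields, decodes the Kerberos failure code (event 675) and NTLM status (event 680), and separates attempts that actually presented a wrong password, the only ones that count toward the lockout threshold, from rejections of an account that is already locked. The question's three events are embedded as sample input, trimmed to the fields the script reads, together with one constructed 675 event carrying failure code 0x18 from a constructed client address 10.0.0.25. The code mappings are the documented values for these event IDs; note that the question's own events all carry 0x12, 0xC0000234 or "Account locked out", so they record the account being rejected after it was already locked, and the attempt that triggered the lock has to be found in an earlier 675 (0x18) or 680 (0xC000006A) event.

```python
import re
from collections import namedtuple

# Kerberos error numbers seen as "Failure Code" in event 675 (RFC 4120).
KERB_FAILURE = {
    0x12: "KDC_ERR_CLIENT_REVOKED (account locked out, disabled or otherwise revoked)",
    0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)",
}
# NTSTATUS values seen as "Error Code" in event 680 (NTLM logon attempt).
NTLM_STATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# Only a wrong password increments badPwdCount. 0x12, 0xC0000234 and event 539 are
# rejections of an already-locked account: their source is whoever retried after
# the lockout, which need not be whoever caused it.
BAD_PASSWORD_CODES = {("675", 0x18), ("680", 0xC000006A)}

# "Field name:   value" lines; the lazy key stops at the first colon so
# "Time: 3:54:43 PM" keeps its value intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z /-]*?):\s*(.*?)\s*$")

# source = Client Address / Source Workstation / Workstation Name;
# causes_lockout = True only when a wrong password was presented.
Attempt = namedtuple("Attempt", "event_id time user source reason causes_lockout")


def parse_events(text):
    """Split pasted Event Viewer text into one {'Field': 'value'} dict per event."""
    events, current = [], None
    for line in text.splitlines():
        if line.startswith("Event Type:"):
            current = {}
            events.append(current)
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2)
    return events


def triage(fields):
    """Decode one parsed event into an Attempt; None for event IDs not handled here."""
    eid = fields.get("Event ID", "")
    if eid == "675":
        code = int(fields["Failure Code"], 16)
        reason = KERB_FAILURE.get(code, "unknown Kerberos error 0x%x" % code)
        user, source = fields["User Name"], fields.get("Client Address", "-")
    elif eid == "680":
        code = int(fields["Error Code"], 16)
        reason = NTLM_STATUS.get(code, "unknown NTSTATUS 0x%08X" % code)
        user, source = fields["Logon account"], fields.get("Source Workstation", "-")
    elif eid == "539":
        code, reason = None, fields.get("Reason", "logon failure")
        user, source = fields["User Name"], fields.get("Workstation Name", "-")
    else:
        return None
    return Attempt(eid, fields.get("Time", "?"), user.lower(), source, reason,
                   (eid, code) in BAD_PASSWORD_CODES)


def lockout_sources(text, user):
    """Return ({source: wrong-password count}, [already-locked rejections]) for user."""
    counts, rejected = {}, []
    for fields in parse_events(text):
        a = triage(fields)
        if a is None or a.user != user.lower():
            continue
        if a.causes_lockout:
            counts[a.source] = counts.get(a.source, 0) + 1
        else:
            rejected.append(a)
    return counts, rejected


# Sample input: the question's three events (trimmed to the fields used) after a
# CONSTRUCTED first event with failure code 0x18 from a constructed address.
SAMPLE = r"""
Event Type: Failure Audit
Event ID: 675
Time: 3:52:10 PM
       User Name: JOmar
       Failure Code: 0x18
       Client Address: 10.0.0.25
Event Type: Failure Audit
Event ID: 675
Time: 3:54:43 PM
       User Name: JOmar
       User ID: BKUNA\JOmar
       Failure Code: 0x12
       Client Address: 127.0.0.1
Event Type: Failure Audit
Event ID: 680
Time: 3:54:43 PM
 Logon account: jomar
 Source Workstation: SV000DC1
 Error Code: 0xC0000234
Event Type: Failure Audit
Event ID: 539
Time: 3:54:43 PM
       Reason: Account locked out
       User Name: jomar
       Workstation Name: SV000DC1
"""

if __name__ == "__main__":
    counts, rejected = lockout_sources(SAMPLE, "jomar")
    print("wrong-password attempts by source:", counts)
    for a in rejected:
        print("already locked:", a.event_id, a.time, a.source, a.reason)
```

Run it over a full security-log export from each DC rather than only the DC where the 539 appears: the 680 events with 0xC0000234 still name the Source Workstation that keeps retrying, which is itself a lead when the retrying process is what keeps re-locking the account.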
Question by:kraven1388
29 Comments
 
LVL 1

Expert Comment

by:elitehaxor
ID: 16737630
Is security audit logging enabled on all domain controllers? If so, check the security logs to see which server or workstation is trying to use that account;
that should narrow it down.

Cheers
Clint
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16737659
Hi kraven1388,

The source Workstation Name is SV000DC1, so you should check the services on this DC. Also check if you have scheduled tasks running under your username and if you have installed a program that asks you to type your credentials (downloaders, proxies).

cheers
0
 
LVL 13

Expert Comment

by:Kini pradeep
ID: 16737912
0
 
LVL 70

Expert Comment

by:Merete
ID: 16740530
Event ID 539: When a user has a disabled account or is locked out, the system logs event ID 531 and event ID 539, respectively. When a user tries to log on outside the domain, the Exchange server and domain user IDs/passwords no longer match.
http://www.ultimatewindowssecurity.com/encyclopedia.html

This event is logged on the workstation or server where the user failed to log on. To determine if the user was present at this computer or elsewhere on the network, This event is only logged on domain controllers when a user fails to log on to the DC itself, such as at the console or through failure to connect to a shared folder. On workstations and servers.

This event could be generated by an attempt to log on with a domain or local SAM account. If a local SAM account, there will be a corresponding failure event from the Account Logon category.
To identify the source of network logon failures, check the Workstation Name and Source Network Address fields.
Logon Process and Authentication Package will vary according to the type of logon and authentication protocol used.

0
 

Expert Comment

by:JamesMyler
ID: 16741225
For a services tool, try Service Account Manager from Lieberman and Associates. This will show all services and allow sorting by service login. If your problem is a service running with your login, this will simplify the task of finding it.
0
 

Author Comment

by:kraven1388
ID: 16742286
I wish it were that easy, guys. I have scanned all services and event logs pertaining to my username on server SV000DC1, to no avail.

That server only runs script logic and acts as the point of authentication for our domain. Nothing else.

There are no 3rd-party applications or anything installed on this machine. I even checked the one scheduled task that we have running, and it is using a completely different domain account, actually a service account, so that rules that idea out. This is the weirdest thing I have seen, and it's driving me crazy. The minute I unlock my account it is relocked within 1 minute.... something is constantly trying to run for some reason........ at some points I'll get a good 5 minutes without my account getting locked....

any more ideas??

Thanks.
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16742552
If you turn off your workstation/laptop/PDA, does your account still get locked?

cheers
0
 

Author Comment

by:kraven1388
ID: 16742742
I just reformatted my personal laptop to make sure I had nothing running on there. I also rebooted the server SV000DC1.........

0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16743057
Just to narrow the search, use EventCombMT.exe (it searches event logs on multiple DCs/servers and collects Event ID records matching the specified criteria) from the Resource Kit. Look for event codes related to Account Logon and try to determine the source of your logon attempts.

cheers
0
 
LVL 25

Expert Comment

by:SStory
ID: 16743533
Someone trying to hack your computer?
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16744100
This can often be caused by old user credentials being used from a user still logged onto another computer with old credentials - possibly a TERMINAL SERVER.

cheers
0
 
LVL 70

Expert Comment

by:Merete
ID: 16747523
Also, this may occur if you've changed your password while you have another machine currently logged on with the same user ID but the old password. The account will continue to lock out until all machines using the same user ID are logged out.

The security log on your domain controller should tell you which PC it is. Do you have some application like a mail checker that is trying to log in with your old password, by chance?


You can determine who is using resources on your local computer with the "net" command ("net session"); however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer or a remote one.
http://www.sysinternals.com/Utilities/PsLoggedOn.html

0
 
LVL 70

Expert Comment

by:Merete
ID: 16747530
Can you log on in safe mode and see if it still happens?
What about creating a new account?
0
 

Author Comment

by:kraven1388
ID: 16754704
Still at it; I am about to try the PsTools from Sysinternals....

I can create a new account, but I don't want to go that route. I want to know where I'm screwing up :(
0
 
LVL 10

Accepted Solution

by:
Walter Padrón earned 1000 total points
ID: 16754890
Disable your account; if a service is running under your account, you will know ;)

Did you read my post about terminal server sessions?

cheers
0
 

Author Comment

by:kraven1388
ID: 16755917
WPadron,

Thanks for the terminal sessions advice. I'm using PsLoggedOn and it's telling me all the servers the account is remotely connected to; from there I'll use TSManager to view the machine, and sure enough I have found a few already. I have approx. 2000 workstations and 200 servers to go through, so it's going to be a while for this to finish. I'll keep you posted.

I was thinking of disabling the account but I haven't had a chance yet............ I'll let you know.
0
 
LVL 70

Expert Comment

by:Merete
ID: 16757839
Good luck. Look forward to your updates.
0
 

Author Comment

by:kraven1388
ID: 16798309
No success as of yet guys... 05.31.06
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16798540
Hi kraven1388,

Download and install Lockout Status
http://www.microsoft.com/downloads/details.aspx?FamilyID=d1a5ed1d-cd55-4829-a189-99515b0e90f7&DisplayLang=en

Do a search on your account and check the "Last Bad Pwd" column; this will narrow your search to a few DCs and a site.

cheers
0
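As an added example (not the Lockout Status tool's own code, nor anything posted in this thread), the reasoning behind the "Last Bad Pwd" column written out in Python over constructed per-DC readings. The attributes the tool reads, badPwdCount and badPasswordTime, are not replicated between domain controllers: each DC records only the bad passwords it received itself, while lockoutTime is replicated once the threshold is reached. The DC with the most recent badPasswordTime is therefore the one whose security log holds the failed attempts and their source. One caveat the code handles: a DC forwards a bad-password attempt to the PDC emulator before rejecting it, so the PDC shows the same recent time, and on a tie the non-PDC DC is the one that actually received the attempt from the client. The DC names other than SV000DC1, the site names and the timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

# AD stores badPasswordTime/lockoutTime as 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert an AD large-integer timestamp to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (dt must be timezone-aware)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


# Constructed readings for one account across three DCs. SV000DC1 is the DC named
# in the question; the other hosts, sites and times are placeholders.
T_BASE = datetime(2006, 5, 22, 15, 54, 43, tzinfo=timezone.utc)
READINGS = [
    {"dc": "SV000DC1", "site": "HQ", "pdc": False, "badPwdCount": 5,
     "badPasswordTime": datetime_to_filetime(T_BASE)},
    {"dc": "SV000DC2", "site": "HQ", "pdc": True, "badPwdCount": 5,
     "badPasswordTime": datetime_to_filetime(T_BASE)},   # forwarded copy on the PDC
    {"dc": "SV000DC3", "site": "Branch", "pdc": False, "badPwdCount": 0,
     "badPasswordTime": 0},                               # never saw a bad password
]


def originating_dc(readings):
    """DC whose security log to read first: newest badPasswordTime, non-PDC on a tie."""
    candidates = [r for r in readings if r["badPasswordTime"] > 0]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r["badPasswordTime"], not r["pdc"]))


def summary(readings):
    """(dc, site, badPwdCount, last bad password as ISO time or 'never') per DC."""
    return [(r["dc"], r["site"], r["badPwdCount"],
             filetime_to_datetime(r["badPasswordTime"]).isoformat()
             if r["badPasswordTime"] else "never")
            for r in readings]


if __name__ == "__main__":
    for row in summary(READINGS):
        print("%-10s %-7s badPwdCount=%d last bad pwd=%s" % row)
    print("read the security log on:", originating_dc(READINGS)["dc"])
```

Once a DC is chosen this way, its security log is the place to look for the 675 (0x18) or 680 (0xC000006A) events that name the client address or workstation presenting the stale password.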
 

Author Comment

by:kraven1388
ID: 16799175
Wpadron,

Thanks for your continued support on this. I really do appreciate it.

I have been using Account Lockout Status and I keep getting Last Bad Pwd on SV000DC1, and it reports to all DCs that it comes from this server as well.... :(
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16799887
IF YOU CAN, turn off SV000DC1.

If the account continues to get locked
   then the problem is on another computer in this Site
   else the problem is a service/program on SV000DC1

cheers
0
 
LVL 10

Expert Comment

by:Walter Padrón
ID: 16852959
0
 
LVL 70

Assisted Solution

by:Merete
Merete earned 1000 total points
ID: 16859378
Hello kraven1388, no success yet? OK, I started thinking about your problem and what suggestions you have tried. I remember seeing password problems happen if you are running Windows OEM and the registry becomes corrupted; Windows 98 used to have this problem quite often, a corrupted password. Were you connected to the server at all times?
As you mentioned here>> just reformatted my personal laptop to make sure I had nothing running on there. I also rebooted the server SV000DC1.........
So based on this I do not know if you're running an OEM XP, but I imagine you may be. If you used an OEM to recover your HDD, the system hive on OEM installations creates passwords and user accounts that did not exist previously.
http://support.microsoft.com/kb/307545/

Are you the default profile on your laptop?

So I am wondering, do you have to create a new account on both your laptop and the server to match? Or have you already re-created your account after formatting?

Create a duplicate user profile with a different name

Create a new user account

Logon to that account to initialize the newly created profile

Log off from the newly created profile

Login as built-in Administrator

Open Control Panel System applet

Click the Advanced tab

Click Settings under User Profiles

Select a profile to copy from and choose Copy To

Browse to the profile to copy to (C:\Documents and Settings\username)

A new profile is now created which is the duplicate of your user profile.

How to create a custom default user profile
http://support.microsoft.com/default.aspx?kbid=319974

To delete a user profile
You must be logged on as an administrator or a member of the Administrators group in order to complete this procedure. If your computer is connected to a network, network policy settings may also prevent you from completing this procedure.

 Open System in Control Panel.
 On the Advanced tab, under User Profiles, click Settings.
 Under Profiles stored on this computer, click the user profile you want to delete, and then click Delete.
 To open System, click Start, click Control Panel, click Performance and Maintenance, and then click System.
 
0
 
LVL 70

Expert Comment

by:Merete
ID: 16859404
Nosing around EE I came across this; unfortunately the asker never returned, but it seems to be similar to your lockout.

Comment from EE Joseph_Moore. I hope he doesn't mind me sharing his post; I don't think so, as that's why we are all here.
Event ID 529 is typically the normal logon failure message that you will see when someone types in their password incorrectly, or spells their username wrong.
Event ID 681 normally tells you that a user account has hit the Account Lockout threshold (for wrong password attempts) in trying to access something, and the account is now locked.
And Event ID 560 is a failed record of someone trying to access an audited folder/file, but the user account either doesn't have access to the folder/file, or something else prevented the user from accessing the folder/file.

Now, specifics, again from bottom-up.
The 529 is on this machine NT111B. Is this an IIS web server? It looks like it is (based off a few things in the error messages). The "Advapi" logon process has this rather cryptic definition:  " Advapi (triggered by a call to LogonUser; LogonUser calls LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName, identifies the origin of the logon attempt)." That came from this Technet article:
http://support.microsoft.com/?kbid=326985

A description on a JSI.com page states that :
"advapi"
API call to LogonUser

This is all logon/authentication functionality that, from what I have read in several places, is used by IIS for basic authentication (clear text). This is different from a user logging into a workstation (that runs under Winlogon). This is just another type of logon/authentication, but it is used with IIS and Exchange. Ok.
I bet you have a bunch of 529 errors, all like this, right?

Next, the 681. This tells you that the user account "service_password=" has reached the lockout threshold and is no longer available for use. There is probably just 1 of these errors. The lockout occurred FROM the machinename NT111B (this web server). So, it is from this web server that it locked out the account name listed above. This is where the lockouts are originating. And the error code listed has this meaning:  User logon with misspelled or bad user account.
So, there is no valid user account on NT111B called "service_password="
Here's an article on 681 errors:
http://support.microsoft.com/?kbid=273499

Then last, the 560 message. Looks like the IIS process user account, IUSR_NT111B, which is only valid on the IIS box itself, tried to make a call to the list of running Services on the machine (the ServicesActive object name), but this failed. I don't think the IUSR account would be able to do something like this. Well, since you have at least Failed Object Access being audited on the IIS web server, that is why you got this message.

So, the whole point to this is that yes, someone was trying to hack you, to hack your IIS process. It looks like they weren't entirely successful. I would still, at this point, examine the whole server for anything else that looks weird. Check for new files, just in case they were successful at something else. The fact that they got the IUSR account to try and query the running services is interesting, as that sounds like they were able to gain some sort of access.

Is this an NT4 machine, with the IIS Option Pack enabled? Is it up-to-date on patches?
But yes, someone was definitely attacking it.
0
 
LVL 70

Expert Comment

by:Merete
ID: 16859412
From here:
If you feel the same, that this does look similar, the asker's event logs are included there; it may pay to compare them to yours.
http://www.experts-exchange.com/Security/Win_Security/Q_20903608.html
0
 
LVL 70

Expert Comment

by:Merete
ID: 17096761
Thank you, would have been nice to know his outcome.
Regards Merete
0
 

Expert Comment

by:derlenbusch
ID: 30864309
I have the same problem now and don't know how to fix it.
0
 

Expert Comment

by:jimjam77
ID: 33512245
I have had the same issue where a staff member's account would lock up after 5-10 mins. (Account locked out in Active Directory.)

We found out that it was an old Nokia mobile which was turned on and given to another member of staff as a loan phone. This phone (E class) had Mail for Exchange on it, and with the SIM inserted it was trying to sync with the mail account on the Exchange server; with an old password it was locking the account out.

Hope this helps anybody else.

Cheers
0
 

Expert Comment

by:joseph_altman
ID: 34651296
psloggedon.exe!!! Great tool for this kind of issue
0
