kraven1388
asked on
Help, Account keeps getting locked out. How to trace what services a username is tied to?
Hey all, here is my situation.
My user account's password was recently changed. All of a sudden I keep getting my account locked out every 5 minutes. I have searched the services on all 200 servers to see if I am tied to any service with my username, but with no success; I have had no leads. Maybe I have overlooked something, but my question is: how can I find out if my account is tied to any services? Are there any utilities that will scan servers by username and report any services that may use that account name? I am breaking my head over this and I feel like I am overlooking something ridiculous... My event logs look like this:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 5/22/2006
Time: 3:54:43 PM
User: NT AUTHORITY\SYSTEM
Computer: SV000DC1
Description:
Pre-authentication failed:
User Name: JOmar
User ID: BKUNA\JOmar
Service Name: krbtgt/bkuna.com
Pre-Authentication Type: 0x2
Failure Code: 0x12
Client Address: 127.0.0.1
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 5/22/2006
Time: 3:54:43 PM
User: NT AUTHORITY\SYSTEM
Computer: SV000DC1
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: jomar
Source Workstation: SV000DC1
Error Code: 0xC0000234
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 5/22/2006
Time: 3:54:43 PM
User: NT AUTHORITY\SYSTEM
Computer: SV000DC1
Description:
Logon Failure:
Reason: Account locked out
User Name: jomar
Domain: bkuna.com
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SV000DC1
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: -
Source Port: -
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
Hi kraven1388,
The source Workstation Name is SV000DC1, so you should check the services on this DC. Also check whether you have scheduled tasks running under your username and whether you have installed a program that asks you to type your credentials (downloaders, proxies).
cheers
Event ID 539: when a user has a disabled account or is locked out, the system logs event ID 531 and event ID 539, respectively. It also appears when a user tries to log on from outside the domain, or when the Exchange server and domain user IDs/passwords no longer match.
http://www.ultimatewindowssecurity.com/encyclopedia.html
This event is logged on the workstation or server where the user failed to log on. To determine whether the user was present at this computer or elsewhere on the network, check the Workstation Name and Source Network Address fields (see below). This event is only logged on domain controllers when a user fails to log on to the DC itself, such as at the console or through a failure to connect to a shared folder.
This event could be generated by an attempt to log on with a domain or local SAM account. If it is a local SAM account, there will be a corresponding failure event from the Account Logon category.
To identify the source of network logon failures check the Workstation Name and Source Network Address fields.
Logon Process and Authentication Package will vary according to the type of logon and authentication protocol used.
For a services tool, try Service Account Manager from Libermann and Associates. This will show all services and allow sorting by service login. If your problem is a service running with your login, this will simplify the task of finding it.
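An added example, not code from the thread and not Service Account Manager: the "scan servers by username and report any services" check the asker is looking for, done with WMI for services and the verbose CSV output of schtasks.exe for scheduled tasks (both reach 2003-era hosts; Get-CimInstance is the WinRM equivalent on newer ones). It assumes admin rights on the targets and a hostname-per-line server list at an assumed path.

```powershell
# Added example, not from the thread and not Service Account Manager. Checks the
# run-as account of every service and scheduled task on each server and prints
# the ones tied to the user. Uses WMI (DCOM) and schtasks.exe so it also reaches
# 2003-era hosts; Get-CimInstance is the WinRM equivalent on newer ones. Assumes
# admin rights on the targets and a hostname-per-line file (assumed path).
param(
    [string] $UserName   = 'jomar',          # account from the question
    [string] $ServerList = '.\servers.txt'   # assumed: one hostname per line
)
$servers = Get-Content $ServerList | Where-Object { $_.Trim() }

# Accept DOMAIN\user, .\user, user@domain and bare user, case-insensitively
$pattern = '^(?:[^\\@]+\\)?' + [regex]::Escape($UserName) + '(?:@[^\\@]+)?$'

$hits = foreach ($s in $servers) {
    # Services: StartName is the logon account (LocalSystem, NT AUTHORITY\..., or DOMAIN\user)
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $s -ErrorAction Stop |
            Where-Object { $_.StartName -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Server = $s; Kind = 'Service'; Name = $_.Name; RunAs = $_.StartName; State = $_.State }
            }
    } catch { Write-Warning "services on $s : $($_.Exception.Message)" }

    # Scheduled tasks: the verbose CSV has a 'Run As User' column. schtasks repeats
    # the header line for each task folder, so drop those rows before matching.
    $csv = schtasks.exe /Query /S $s /V /FO CSV 2>$null
    if ($LASTEXITCODE -eq 0 -and $csv) {
        $csv | ConvertFrom-Csv |
            Where-Object { $_.HostName -ne 'HostName' -and $_.'Run As User' -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{ Server = $s; Kind = 'Task'; Name = $_.TaskName; RunAs = $_.'Run As User'; State = $_.Status }
            }
    } else { Write-Warning "schtasks on $s failed" }
}

$hits | Sort-Object Server, Kind | Format-Table -AutoSize
```

Run it as `.\Find-RunAs.ps1 -UserName jomar -ServerList .\servers.txt`; an empty result means no service or task on those hosts is configured with the account, which is the asker's situation, and the search has to move to logon sessions and the DC logs instead.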
ASKER
I wish it were that easy, guys. I have scanned all services and event logs pertaining to my username on server SV000DC1, and nothing, to no avail.
That server only runs script logic and acts as point of authentication for our domain. Nothing else.
There are no 3rd party applications or anything installed on this machine. I even checked the one scheduled task that we have running and it is using a completely different domain account, actually a service account, so that rules that idea out. This is the weirdest thing I have seen, and it's driving me crazy. The minute I unlock my account it is relocked within 1 minute... something is constantly trying to run for some reason... at some points I'll get a good 5 minutes without my account getting locked...
any more ideas??
Thanks.
If you turn off your workstation/laptop/PDA, does your account still get locked?
cheers
ASKER
I just reformatted my personal laptop to make sure i had nothing running on there. I also rebooted the server SV000DC1.........
Just to narrow the search use Eventcombmt.exe (searches event logs on multiple DCs/Servers and collects EventID records matching the specified criteria) from the Resource Kit. Look for event codes related to Account Logon and try to determine the source of your logon attempts.
cheers
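An added example, not code from the thread: what EventCombMT does interactively, done as a script that pulls the lockout-related events from every DC's Security log and tabulates them by the source field the asker's own events show (Client Address / Source Workstation). It assumes Windows Server 2008 or later DCs, where the 2003-era IDs in the question map to 4771 (was 675), 4776 (was 680) and 4740 (was 644), plus the ActiveDirectory module and rights to read each DC's Security log remotely.

```powershell
# Added example, not code from the thread. Pulls the lockout-related events from
# every DC's Security log and tabulates them by source, which is what EventCombMT
# does interactively. Assumes Windows Server 2008+ DCs: the 2003-era IDs in the
# question map to 4771 (was 675, Kerberos pre-auth failed), 4776 (was 680, NTLM
# credential validation) and 4740 (was 644, account locked out). Needs the
# ActiveDirectory module and rights to read each DC's Security log remotely.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # e.g. 'jomar'
    [int] $Hours = 2                                   # how far back to look
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

# Read a named EventData field from the event XML instead of regex-parsing Message text.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event, [string] $Name)
    $xml = [xml] $Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$results = foreach ($dc in $dcs) {
    $filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since }
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # "No events were found" lands here too; skip the DC either way
        Write-Warning "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        $target = Get-EventField $e 'TargetUserName'
        # the name may arrive in UPN form, so compare the part before any '@'
        if (($target -split '@')[0] -ine $SamAccountName) { continue }
        # Where the "who" lives differs per event: 4740 stores the caller computer
        # in TargetDomainName, 4776 in Workstation, 4771 gives the client IP.
        $source = switch ($e.Id) {
            4740 { Get-EventField $e 'TargetDomainName' }
            4776 { Get-EventField $e 'Workstation' }
            4771 { Get-EventField $e 'IpAddress' }
        }
        [pscustomobject]@{
            DC     = $dc
            Time   = $e.TimeCreated
            Id     = $e.Id
            Source = $source
            # 4771: 0x18 bad password, 0x12 locked out; 4776: 0xC000006A / 0xC0000234; 4740: none
            Status = Get-EventField $e 'Status'
        }
    }
}

$results | Sort-Object Time | Format-Table -AutoSize
# Count by source: the name or address at the top is where the stale credential is being used
$results | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Source'; e = { $_.Name } } | Format-Table -AutoSize
```

A source of 127.0.0.1 or the DC's own name, as in the asker's events, means the failing authentication is being submitted on the DC itself (a local service, task or session there), so the grouping tells you which machine to inspect next rather than which account is at fault.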
Someone trying to hack your computer?
This can often be caused by old user credentials being used from a user still logged onto another computer with old credentials, possibly a TERMINAL SERVER.
cheers
Also, this may occur if you've changed your password while you have another machine currently logged on with the same user ID but the old password. The account will continue to lock out until all machines using the same user ID are logged out.
The security log on your domain controller should tell you which PC it is. Do you have some application like a mail checker that is trying to log in with your old password by chance?
You can determine who is using resources on your local computer with the "net" command ("net session"); however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer or a remote one.
http://www.sysinternals.com/Utilities/PsLoggedOn.html
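An added example, not code from the thread and not Sysinternals code, for the "still logged on somewhere with the old password" case above: it finds machines on which the account still has a logon session by (1) checking whether a profile hive for the user's SID is loaded under HKEY_USERS, which is the check PsLoggedOn makes for local logons and needs the Remote Registry service on the target, and (2) listing terminal-server sessions with quser.exe. It assumes admin rights and a hostname-per-line server list at an assumed path.

```powershell
# Added example, not from the thread and not Sysinternals code. Finds machines on
# which the account still has a logon session: (1) a profile hive for the user's
# SID loaded under HKEY_USERS (the check PsLoggedOn makes; needs the Remote
# Registry service on the target) and (2) interactive / terminal-server sessions
# listed by quser.exe. Assumes admin rights and a hostname-per-line file (assumed path).
param(
    [string] $Domain     = 'BKUNA',          # domain from the question's events
    [string] $UserName   = 'jomar',
    [string] $ServerList = '.\servers.txt'   # assumed: one hostname per line
)

# Resolve the account to its SID once; HKEY_USERS is keyed by SID, not by name
$account = New-Object System.Security.Principal.NTAccount($Domain, $UserName)
$sid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

$found = foreach ($s in Get-Content $ServerList | Where-Object { $_.Trim() }) {
    # (1) loaded profile hive: covers console and RDP logons and, usually, services running as the user
    try {
        $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::Users, $s)
        if ($hku.GetSubKeyNames() -contains $sid) {
            [pscustomobject]@{ Server = $s; Evidence = 'HKEY_USERS hive loaded'; Detail = $sid }
        }
        $hku.Close()
    } catch { Write-Warning "registry on $s : $($_.Exception.Message)" }

    # (2) terminal-server sessions: quser prints fixed-width text, '>' marks the current one
    $lines = quser.exe /server:$s 2>$null
    if ($LASTEXITCODE -eq 0) {
        foreach ($line in ($lines | Select-Object -Skip 1)) {   # skip the column header
            $cols = ($line.Trim() -replace '^>') -split '\s{2,}'
            if ($cols[0] -ieq $UserName) {
                [pscustomobject]@{ Server = $s; Evidence = 'quser session'; Detail = $line.Trim() }
            }
        }
    }
}

$found | Format-Table -AutoSize
```

Each hit is a place where a session opened with the old password can still be generating the failed re-authentications; logging those sessions off (the advice in the reply above) is the fix, and re-running the script confirms none are left.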
Can you log on in safe mode and see if it still happens?
What about creating a new account.
ASKER
Still at it. I am about to try the PsTools from Sysinternals...
I can create a new account, but I don't want to go that route. I want to know where I'm screwing up :(
ASKER CERTIFIED SOLUTION
ASKER
WPadron,
Thanks for the terminal sessions advice. I'm using psloggedon and it's telling me all the servers the account is remotely connected on; from there I'll use TSManager to view the machine, and surely I have found a few already. I have approx. 2000 workstations and 200 servers to go through, so it's going to be a while for this to finish. I'll keep you posted.
I was thinking of disabling the account but I haven't had a chance yet... I'll let you know.
good luck. Look forward to your updates
ASKER
No success as of yet guys... 05.31.06
Hi kraven1388,
Download and install Lockout Status:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d1a5ed1d-cd55-4829-a189-99515b0e90f7&DisplayLang=en
Do a search on your account and check the "Last Bad Pwd" column; this will narrow your search to a few DCs and a Site.
cheers
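An added example, not code from the thread and not LockoutStatus.exe, doing the same thing in the AD PowerShell module: badPwdCount, badPasswordTime and lockoutTime are not replicated between DCs, so the script asks every DC directly and sorts by Last Bad Pwd. It assumes the ActiveDirectory module (RSAT) and read access to the account.

```powershell
# Added example, not from the thread and not LockoutStatus.exe. badPwdCount,
# badPasswordTime and lockoutTime are not replicated between DCs, so the script
# asks every DC directly, which is what LockoutStatus does; the DC with the
# newest Last Bad Pwd is the one the misbehaving client authenticates against.
# Assumes the ActiveDirectory module (RSAT) and read access to the account.
param([Parameter(Mandatory)] [string] $SamAccountName)   # e.g. 'jomar'
Import-Module ActiveDirectory

$report = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        # -Server pins the query to this DC so the non-replicated attributes are its own values
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties badPwdCount, LastBadPasswordAttempt, lockoutTime, LockedOut -ErrorAction Stop
        # lockoutTime is a FILETIME; 0 means not (or no longer) locked on this DC
        $lockedAt = if ($u.lockoutTime) { [DateTime]::FromFileTime($u.lockoutTime) } else { $null }
        [pscustomobject]@{
            DC          = $dc.HostName
            Site        = $dc.Site
            BadPwdCount = $u.badPwdCount
            LastBadPwd  = $u.LastBadPasswordAttempt
            LockedOut   = $u.LockedOut
            LockoutTime = $lockedAt
        }
    } catch { Write-Warning "$($dc.HostName): $($_.Exception.Message)" }
}

# Newest bad-password time first: that DC's Security log holds the client address / workstation
$report | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize
```

Once the DC is known, its Security log carries the source of the failures (events 675/680 on 2003, 4771/4776 on 2008 and later), which is how the asker ends up at SV000DC1 below.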
ASKER
Wpadron,
Thanks for your continued support on this. I really do appreciate it.
I have been using Account Lockout Status and I keep getting last bad pwd on SV000DC1, and it reports to all DCs that it comes from this server as well... :(
IF YOU CAN, turn off SV000DC1.
If the account continues to get locked
then the problem is on another computer in this Site
else the problem is a service/program on SV000DC1
cheers
Implementing and Troubleshooting Account Lockout
http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html
cheers
SOLUTION
Mosying around EE I came across this; unfortunately the asker never returned, but it seems to be similar to your lockout.
Comment from EE Joseph_Moore. Hope he doesn't mind sharing his post; don't think so, as that's why we are all here.
Event ID 529 is typically the normal logon failure message that you will see when someone types in their password incorrectly, or spells their username wrong.
Event ID 681 normally tells you that a user account has hit the Account Lockout threshold (for wrong password attempts) in trying to access something, and the account is now locked.
And Event ID 560 is a failed record of someone trying to access an audited folder/file, but the user account either doesn't have access to the folder/file, or something else prevented the user from accessing the folder/file.
Now, specifics, again from bottom-up.
The 529 is on this machine NT111B. Is this an IIS web server? It looks like it is (based off a few things in the error messages). The "Advapi" logon process has this rather cryptic definition: "Advapi (triggered by a call to LogonUser; LogonUser calls LsaLogonUser, and one of the arguments to LsaLogonUser, OriginName, identifies the origin of the logon attempt)." That came from this Technet article:
http://support.microsoft.com/?kbid=326985
A description on a JSI.com page states that :
"advapi"
API call to LogonUser
This is all logon/authentication functionality that, from what I have read in several places, is used by IIS for basic authentication (clear text). This is different from a user logging into a workstation (that runs under Winlogon). This is just another type of logon/authentication, but it is used with IIS and Exchange. Ok.
I bet you have a bunch of 529 errors, all like this, right?
Next, the 681. This tells you that the user account "service_password=" has reached the lockout threshold and is no longer available for use. There is probably just 1 of these errors. The lockout occurred FROM the machinename NT111B (this web server). So, it is from this web server that it locked out the account name listed above. This is where the lockouts are originating. And the error code listed has this meaning: User logon with misspelled or bad user account.
So, there is no valid user account on NT111B called "service_password="
Here's an article on 681 errors:
http://support.microsoft.com/?kbid=273499
Then last, the 560 message. Looks like the IIS process user account, IUSR_NT111B, which is only valid on the IIS box itself, tried to make a call to the list of running Services on the machine (the ServicesActive object name), but this failed. I don't think the IUSR account would be able to do something like this. Well, since you have at least Failed Object Access being audited on the IIS web server, that is why you got this message.
So, the whole point to this is that yes, someone was trying to hack you, to hack your IIS process. It looks like they weren't entirely successful. I would still, at this point, examine the whole server for anything else that looks weird. Check for new files, just in case they were successful at something else. The fact that they got the IUSR account to try and query the running services is interesting, as that sounds like they were able to gain some sort of access.
Is this an NT4 machine, with the IIS Option Pack enabled? Is it up-to-date on patches?
But yes, someone was definitely attacking it.
from here:
If you feel the same, that this does look similar, included here are the asker's event logs; it may pay to compare them to yours.
https://www.experts-exchange.com/questions/20903608/event-viewer-security-failure-audit.html
Thank you, would have been nice to know his outcome.
Regards Merete
I have the same problem now and don't know how to fix it.
I have had the same issue where a staff member's account would lock up after 5-10 mins (account locked out in Active Directory).
We found out that it was an old Nokia mobile which was turned on and given to another member of staff as a loan phone. This phone (E class) had Mail for Exchange on it, and with the SIM inserted it was trying to sync with the mail account on the Exchange server, and with an old password it was locking the account out.
Hope this helps anybody else.
Cheers
psloggedon.exe!!! Great tool for this kind of issue.
That should narrow it down.
Cheers
Clint