SBS Domain user logon failing repeatedly causing account lockout

Our primary domain controller is Windows Small Business Server 2003. We have a user whose account is frequently getting locked out. When I look in our Domain Controller's event log I see the following two security events occurring every 10 seconds like clockwork:

Event 680, Account Logon.
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      USERNAME (of the user that keeps getting locked out)
 Source Workstation:      OURDOMAINCONTROLLER (The name of this machine, our primary DC)
 Error Code:      0xC000006A

Event 529, Logon/Logoff
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:                            USERNAME (same username, the one getting locked out.)
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      OURDOMAINCONTROLLER
       Caller User Name:      OURDOMAINCONTROLLER$
       Caller Domain:      OURDOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5268                (note: this is the process ID for store.exe)
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -

After enough of these failed logins, apparently the account gets locked out. The process ID above leads me to believe this is somehow related to Exchange (store.exe). Here is what we have tried so far:

-We have completely turned off the user's machine and disconnected it from the network.
-We have had the user sit at the DC console and explicitly set their password in Active Directory.
-The user does not work remotely or use any mobile devices to authenticate to our domain.
-We have restarted the Exchange services on our Domain Controller / Exchange Server.
-We have completely rebooted the Domain Controller / Exchange Server.

Any further ideas what could be causing this?

Thank you,
Ben
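The two events quoted above already carry what is needed to pin the source down: the account, the workstation the request came from, and the Caller Process ID on the DC. The script below is an added example, not code from this thread or from Microsoft. It parses a constructed batch of event 529 bodies laid out like the one in the question, resolves the caller PID against a constructed tasklist snapshot, measures the interval between failures, and works out when a threshold/window lockout policy would trip. The timestamps, the 5-attempts-in-30-minutes policy, the second account (jsmith) and the tasklist contents are all assumptions for illustration; the page gives none of them.

```python
"""Correlate failure audits (event 529/680 on Windows Server 2003) by account,
origin workstation and calling process, and predict when a lockout policy trips.
Log bodies, timestamps, policy values and the tasklist snapshot are constructed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Labels exactly as they appear in the event 529 description text.
_FIELD = re.compile(
    r"^[ \t]*(Time|User Name|Workstation Name|Caller Process ID):[ \t]*(.*?)[ \t]*$",
    re.M,
)


def make_event(ts, user, workstation, pid):
    """One event-529 body in the Security log's text layout (constructed)."""
    return (
        f"Time: {ts:%Y-%m-%d %H:%M:%S}\n"
        "Logon Failure:\n"
        "    Reason: Unknown user name or bad password\n"
        f"    User Name: {user}\n"
        "    Logon Type: 3\n"
        "    Logon Process: Advapi\n"
        "    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
        f"    Workstation Name: {workstation}\n"
        f"    Caller User Name: {workstation}$\n"
        f"    Caller Process ID: {pid}\n"
    )


T0 = datetime(2009, 1, 22, 15, 33, 57)  # hypothetical time of the first failure
SAMPLE_LOG = "\n---\n".join(
    [make_event(T0 + timedelta(seconds=10 * i), "USERNAME", "OURDOMAINCONTROLLER", 5268)
     for i in range(6)]
    + [make_event(T0 + timedelta(minutes=3), "jsmith", "WS017", 0)]  # unrelated one-off typo
)

# Constructed `tasklist` output, captured while the failures were still occurring.
SAMPLE_TASKLIST = """\
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
lsass.exe                    688 Console                 0     31,240 K
store.exe                   5268 Console                 0    412,880 K
inetinfo.exe                5040 Console                 0     18,112 K
"""


def parse_events(log_text):
    """Turn the '---'-separated event bodies into dicts, oldest first."""
    events = []
    for body in log_text.split("\n---\n"):
        fields = dict(_FIELD.findall(body))
        if "User Name" not in fields:
            continue
        events.append({
            "time": datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S"),
            "user": fields["User Name"],
            "workstation": fields["Workstation Name"],
            "caller_pid": int(fields["Caller Process ID"]),
        })
    return sorted(events, key=lambda e: e["time"])


def parse_tasklist(text):
    """Map PID -> image name from tasklist-style output."""
    pids = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+\.exe)\s+(\d+)\s", line)
        if m:
            pids[int(m.group(2))] = m.group(1)
    return pids


def analyze(events, pid_table, threshold=5, window=timedelta(minutes=30)):
    """Per account: failure count, median gap, origin workstations, calling
    processes, and the time a threshold/window policy would lock the account
    (None if it would not)."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    report = {}
    for user, evs in by_user.items():
        times = [e["time"] for e in evs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        lockout_at = None
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:  # N failures inside the window
                lockout_at = times[i]
                break
        report[user] = {
            "failures": len(evs),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "workstations": sorted({e["workstation"] for e in evs}),
            "callers": sorted({pid_table.get(e["caller_pid"], f"pid {e['caller_pid']}") for e in evs}),
            "lockout_at": lockout_at,
        }
    return report


if __name__ == "__main__":
    for user, r in analyze(parse_events(SAMPLE_LOG), parse_tasklist(SAMPLE_TASKLIST)).items():
        print(user, r)
```

For USERNAME the report shows six failures, a steady 10 s cadence, a single origin (the DC itself) and store.exe as the only caller, with the lockout predicted at the fifth attempt; jsmith's lone typo never trips the policy. One caveat when doing this on a live 2003 box: the PID in the event only means something while that process instance is still running, so capture the tasklist before restarting Exchange or rebooting, because PIDs are reused.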
benbeckerAsked:
benbeckerAuthor Commented:
Thanks for the links, I checked them both out, but I don't think they apply necessarily. The user is logged into our domain on her Windows XP Pro client machine, so there should be no issue with unknown or untrusted domain. The second link had a lot of good information about lockout policies in general, but I did not see anything that would explain this behavior.

As mentioned above, the "Source workstation" in the event log error is the Domain Controller itself, and furthermore the failed logins continue, at 10 second intervals, even when the client machine is completely disconnected and powered off. So whatever is repeatedly attempting this bad authentication seems to be on the Domain Controller machine itself.
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Please see my answer in this Question for the solution to your issue:  http:Q_22471975.html


Jeff
TechSoEasy
0

benbeckerAuthor Commented:
TechSoEasy, thanks for the suggestion. We followed the instructions from the article: http://support.microsoft.com/?id=325850

We stopped and disabled the Kerberos Key Distribution Center service on our primary domain controller, and then rebooted. Upon rebooting, we ran the command:
netdom resetpwd /s:server /ud:domain\User /pd:*

It prompts for the user password, which we enter and then get this message:
"The machine account password for the local machine could not be reset.
Multiple connections to a server or shared resource by the same user, using more than one user name, are not allowed. Disconnect all previous connections to the server or shared resource and try again.
The command failed to complete successfully"

Any further ideas?

Thanks
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Setting the KDC to "disabled" is not what the article instructs you to do.  You need to set it to Manual.

Furthermore, you should be logging in using the Built-in Administrator Account for this task and be sure that there are no shared drive mappings currently configured on the server.

Jeff
TechSoEasy
0
benbeckerAuthor Commented:
Sorry, typo in haste there, we did set it to Manual.

I can try those other two things. Also, does it matter that we have a secondary domain controller that is also running. Do we need to do anything on that machine as well?
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Yeah, it most certainly does matter.  Read that KB article on how to simultaneously reset the password on multiple DCs.  (i.e., netdom resetpwd /s:server2 /ud:mydomain\administrator /pd:*)

Jeff
TechSoEasy
0
beckerbenCommented:
So where do you run this command, server1 or server2 or both?  Does the Kerberos server need to be shut down on both of them?
0
benbeckerAuthor Commented:
Jeff, we're still unclear after reading the article.  Are we issuing this command on DC1 to update DC2, or do we shut down DC2, then issue this command on DC1?  Please advise.  If both of them need to be re-synced using netdom, do we issue it for each DC?
0
Jeffrey Kane - TechSoEasyPrincipal ConsultantCommented:
Sorry, I must have missed your last reply since it was so long after the initial issue.

If you have not yet resolved this...  the command would be run on DC1, with DC2 running.  However, if there are mapped drives configured on that server you need to disconnect them.  (as well as any other mapped drives on any other machines in your network which have been shared using the same user account -- most likely the Administrator account -- that's what's meant by "disconnect all previous...")

If you have login scripts that map drives using the Administrator account's credentials, that's a pretty bad practice.

Jeff
TechSoEasy
0
benbeckerAuthor Commented:
We ended up removing the user, deleting the Exchange mailbox and adding the user back; however, the problem disappeared for about 20 minutes, and then it was back, invalid login attempts for this user.  We were able to run these procedures here as well and they did not work.  So we ended up just removing this user from the system, coming up with a different username for them, and the problem is solved, not necessarily in the ideal way, but we had already invested way more time in this than we should have.  Thank you for your assistance.
0
AnnieModCommented:
PAQed with points refunded (500)

AnnieMod
Cleanup Admin
0

Logic Managed ITSystems AdministrationCommented:
Just researched and tested: Failed POP3 logins on SBS2003 will generate this error!!!

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      529
Date:            1/22/2009
Time:            3:33:57 PM
User:            NT AUTHORITY\SYSTEM
Computer:      SBS2003
Description:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      administrator
       Domain:            
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SBS2003
       Caller User Name:      SBS2003$
       Caller Domain:      N*****K
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID:      5036 (store.exe)
       Transited Services:      -
       Source Network Address:      -
       Source Port:      -
0
zequestionerCommented:
We are having the same problem here with multiple users. Accounts randomly lock out. We have reset the passwords, made sure no drives were mapped locally, and made sure no services were running anywhere under these users' credentials. It seems to happen every other day or so. Help?
0