LAN Credentials repeatedly lock out

Posted on 2007-10-08
Last Modified: 2008-11-17
LAN Credentials repeatedly lock out
Question by:4017817245
    LVL 13

    Accepted Solution


    I find I just use EventCombMT.exe pretty much exclusively. Basically, it searches the security event logs of your domain controllers (or any machines you specify) to determine from which machine the creds are being locked. There are canned searches too, or you can customize to look for specific event ids containing specific text.
    LVL 4

    Assisted Solution

    if it is tied to a user am betting you have either
    1) an old mapped drive somewhere
    2) a service set running

    that are using old credentials that keeps trying to connect at login/startup.

    Checked your mapped drives - delete and recreate and/or reset the password on each. in case of service running just reset the password.

    typically happens as a support person running around fixing issues and forgetting to drop a temp mapped drive and/or setting a service to run with user credentials
    LVL 13

    Expert Comment

    Those would definitely be some things to check once you've identified from which machine the invalid credentials are coming. For us, it was not a service logged in with user creds, but a service that was using its own stored creds to contact its server (McAfee Framework service, to be exact).

    Another culprit could be windows' saved passwords. In XP, Control Panel / User Accounts / Advanced / Manage Passwords.

    But first you gotta figure out which machine. Using EventCombMT, search all your DCs' security logs for failure audits containing event 680. Put the user name that keeps getting locked out in the "Text:" field. After the search, look in the resulting txt files (start with the largest one) for error 0xC000006A; there should be a number of them corresponding to your domain's lockout policy. Each one of those lines will list a workstation; that will be the one that is sending the wrong password and locking out the account. The other lines listing error code 0xC0000234 are where machines/users tried to access the account after it was locked out.

    LVL 5

    Assisted Solution

    Another possibility: do you use Remote Desktop/Terminal Services?  

    If you/someone left the account in question logged into a Remote Desktop session and then changed the password on the account, then the remote session would keep passing the old credentials with the old password, effectively locking out the account.  

    All of the scenarios above are also possible.

    The tool that I use to troubleshoot these types of problems is lockoutstatus.exe:

    Hope this helps!

    Featured Post

    How to improve team productivity

    Quip adds documents, spreadsheets, and tasklists to your Slack experience
    - Elevate ideas to Quip docs
    - Share Quip docs in Slack
    - Get notified of changes to your docs
    - Available on iOS/Android/Desktop/Web
    - Online/Offline

    Join & Write a Comment

    I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
    There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
    Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
    In this tutorial you'll learn about bandwidth monitoring with flows and packet sniffing with our network monitoring solution PRTG Network Monitor ( If you're interested in additional methods for monitoring bandwidt…

    746 members asked questions and received personalized solutions in the past 7 days.

    Join the community of 500,000 technology professionals and ask your questions.

    Join & Ask a Question

    Need Help in Real-Time?

    Connect with top rated Experts

    18 Experts available now in Live!

    Get 1:1 Help Now