LAN Credentials repeatedly lock out

Yancey Landrum, Technical Team Lead, commented:

I find I just use EventCombMT.exe pretty much exclusively. Basically, it searches the security event logs of your domain controllers (or any machines you specify) to determine from which machine the creds are being locked. There are canned searches too, or you can customize to look for specific event ids containing specific text.
If it is tied to a user, I am betting you have either
1) an old mapped drive somewhere
2) a service set running

that are using old credentials and keep trying to connect at login/startup.

Check your mapped drives - delete and recreate and/or reset the password on each. In case of a service running, just reset the password.

Typically happens as a support person running around fixing issues and forgetting to drop a temp mapped drive and/or setting a service to run with user credentials.
Yancey Landrum, Technical Team Lead, commented:
Those would definitely be some things to check once you've identified from which machine the invalid credentials are coming. For us, it was not a service logged in with user creds, but a service that was using its own stored creds to contact its server (McAfee Framework service, to be exact).

Another culprit could be Windows' saved passwords. In XP, Control Panel / User Accounts / Advanced / Manage Passwords.

But first you gotta figure out which machine. Using EventCombMT, search all your DCs' security logs for failure audits containing event 680. Put the user name that keeps getting locked out in the "Text:" field. After the search, look in the resulting txt files (start with the largest one) for error 0xC000006A; there should be a number of them corresponding to your domain's lockout policy. Each one of those lines will list a workstation; that will be the one that is sending the wrong password and locking out the account. The other lines listing error code 0xC0000234 are where machines/users tried to access the account after it was locked out.
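The triage step described in the comment above, as an added example that is not part of the original post: it reads EventCombMT result text, keeps event 680 failures for one account, and counts source workstations separately for 0xC000006A (wrong password) and 0xC0000234 (already locked). The line layout, the sample lines and the name `lockout_sources` are assumptions made for illustration; adjust the pattern to match your own result files.

```python
import re
from collections import Counter

BAD_PASSWORD = "0xc000006a"   # wrong password: these attempts cause the lockout
LOCKED_OUT = "0xc0000234"     # account already locked: a symptom, not the cause

# Assumed layout of one result line (constructed, not taken from the page).
_FMT = ("680,AUDIT FAILURE,Security,{ts},NT AUTHORITY\\SYSTEM,Logon attempt by: "
        "MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Logon account: {acct} "
        "Source Workstation: {ws} Error Code: {code}")

# Constructed sample data: host names, accounts and timestamps are invented.
SAMPLE = "\n".join(_FMT.format(ts=t, acct=a, ws=w, code=c) for t, a, w, c in [
    ("Mon Mar 05 09:14:02 2007", "jdoe",   "WS-ACCT-07", "0xC000006A"),
    ("Mon Mar 05 09:14:03 2007", "JDoe",   "ws-acct-07", "0xC000006A"),
    ("Mon Mar 05 09:14:05 2007", "jdoe",   "WS-ACCT-07", "0xC000006A"),
    ("Mon Mar 05 09:15:40 2007", "asmith", "WS-HR-02",   "0xC000006A"),
    ("Mon Mar 05 09:20:11 2007", "jdoe",   "WS-LAB-11",  "0xC0000234"),
    ("Mon Mar 05 09:21:30 2007", "jdoe",   "WS-ACCT-07", "0xC0000234"),
])

EVENT_680 = re.compile(
    r"Logon account:\s*(?P<account>\S+)\s+"
    r"Source Workstation:\s*(?P<workstation>\S*?)\s*"
    r"Error Code:\s*(?P<code>0x[0-9A-Fa-f]{8})"
)

def lockout_sources(text, account):
    """Return (bad_password, after_lockout) Counters keyed by workstation."""
    bad, locked = Counter(), Counter()
    for line in text.splitlines():
        m = EVENT_680.search(line)
        if not m or m["account"].lower() != account.lower():
            continue
        # Some failures carry no workstation name; keep them visible.
        ws = m["workstation"].upper() or "(blank)"
        code = m["code"].lower()
        if code == BAD_PASSWORD:
            bad[ws] += 1
        elif code == LOCKED_OUT:
            locked[ws] += 1
    return bad, locked

if __name__ == "__main__":
    bad, locked = lockout_sources(SAMPLE, "jdoe")
    for ws, n in bad.most_common():
        print(f"{ws}: {n} wrong-password attempts (investigate this machine)")
    print("seen only after lockout:", sorted(set(locked) - set(bad)))
```

The workstation with the highest wrong-password count is the one to check for mapped drives, services and saved passwords; machines that appear only under 0xC0000234 can be ignored.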

Another possibility: do you use Remote Desktop/Terminal Services?  

If you/someone left the account in question logged into a Remote Desktop session and then changed the password on the account, then the remote session would keep passing the old credentials with the old password, effectively locking out the account.  

All of the scenarios above are also possible.

The tool that I use to troubleshoot these types of problems is lockoutstatus.exe:

Hope this helps!
Question has a verified solution.
