?
Solved

User account locked out of Active directory occasionally

Posted on 2008-01-25
4
Medium Priority
?
1,483 Views
Last Modified: 2008-05-30
I have a 50 user AD domain running in Native 2000 mode. Every so often, one of my users (a domain admin account actually) gets locked out and has to have the account reset before logging in again. I'm pretty certain that it's not someone maliciooulsy trying to get in using his login, but I can't find out why it's happenning.
I have a suspicion that there may be a service running somewhere as the user rather than System or Network, etc. but I have no way of finding if this is the fact.
Can someone help me to troubleshoot this? Is there any way to find services running under this account name in the domain?

Madrilleno
0
Comment
Question by:Madrilleno
  • 2
  • 2
4 Comments
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 1500 total points
ID: 20741408
Hi Madrilleno,

Check if there is a drive mapping for this user, or scheduled task or service running under his credentials. Check security log to find out from which computer wrong credentials are being sent.

Download Account Lockout and Managment tools, http://www.microsoft.com/Downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en
ALTools will help you to identify process which is using bad credentials.

HTH

Toni
0
 

Author Comment

by:Madrilleno
ID: 20741447
The account has generated the following errors on a DC

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      676
Date:            25/01/2008
Time:            10:02:36
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER03
Description:
Authentication Ticket Request Failed:
       User Name:      asimth
       Supplied Realm Name:      SPDF
       Service Name:      krbtgt/SPDF
       Ticket Options:      0x40810010
       Failure Code:      0x12
       Client Address:      10.0.0.7
 
0
 

Author Comment

by:Madrilleno
ID: 20741520
This may have been related to a stored password on the user's machine. I have deleted these and will monitor for the error returning.

Toniur: I'm going to give you the points just for the link, these utilities pointed me in the direction of the solution I am trying.
0
 
LVL 31

Expert Comment

by:Toni Uranjek
ID: 20741528
I would suggest that you check computer with IP: 10.0.0.7 or install ALockout.dll from ALTools on this computer.

Do not use this tool on servers that host network applications or services. Also, you should not use ALockout.dll on Exchange servers, because it may prevent the Exchange store from starting.

Event 676 tells you that asmith is probably already locked out.

Failure Code: 0x12 - Account disabled, expired, or locked out.

Do you have any 675 events in your security log?
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

600 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question