User account locked out of Active directory occasionally

I have a 50 user AD domain running in Native 2000 mode. Every so often, one of my users (a domain admin account actually) gets locked out and has to have the account reset before logging in again. I'm pretty certain that it's not someone maliciously trying to get in using his login, but I can't find out why it's happening.
I have a suspicion that there may be a service running somewhere as the user rather than System or Network, etc. but I have no way of finding if this is the fact.
Can someone help me to troubleshoot this? Is there any way to find services running under this account name in the domain?

Madrilleno Asked:

Toni Uranjek (Consultant/Trainer) Commented:
Hi Madrilleno,

Check if there is a drive mapping for this user, or a scheduled task or service running under his credentials. Check the security log to find out from which computer the wrong credentials are being sent.

Download the Account Lockout and Management Tools: http://www.microsoft.com/Downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en
ALTools will help you to identify the process which is using bad credentials.

HTH

Toni

Madrilleno (Author) Commented:
The account has generated the following errors on a DC

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      676
Date:            25/01/2008
Time:            10:02:36
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER03
Description:
Authentication Ticket Request Failed:
       User Name:      asimth
       Supplied Realm Name:      SPDF
       Service Name:      krbtgt/SPDF
       Ticket Options:      0x40810010
       Failure Code:      0x12
       Client Address:      10.0.0.7
 

Madrilleno (Author) Commented:
This may have been related to a stored password on the user's machine. I have deleted these and will monitor for the error returning.

Toniur: I'm going to give you the points just for the link; these utilities pointed me in the direction of the solution I am trying.

Toni Uranjek (Consultant/Trainer) Commented:
I would suggest that you check the computer with IP 10.0.0.7 or install ALockout.dll from ALTools on this computer.

Do not use this tool on servers that host network applications or services. Also, you should not use ALockout.dll on Exchange servers, because it may prevent the Exchange store from starting.

Event 676 tells you that asmith is probably already locked out.

Failure Code: 0x12 - Account disabled, expired, or locked out.

Do you have any 675 events in your security log?
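
An added example, not part of the original thread: a Python script that reads Security-log text exported in the layout quoted above, keeps the event 675/676 records for one account, and tallies them by client address and failure code to show which machine is sending the bad credentials. The sample records, the user names `jdoe` and `other`, and the 192.0.2.x addresses are constructed for illustration.

```python
import re
from collections import Counter

# Kerberos error codes (RFC 4120) as shown in the "Failure Code" field.
FAILURE_CODES = {
    0x06: "client not found in Kerberos database",
    0x12: "account disabled, expired, or locked out",
    0x17: "password expired",
    0x18: "pre-authentication failed (usually a bad password)",
}
# "Name:   value" pairs; lines ending in a bare colon are skipped.
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z -]*?):[ \t]+(\S.*?)[ \t]*$", re.M)

def parse_events(text):
    """Return one dict of fields per event 675/676 record in exported log text."""
    events = []
    for chunk in text.split("Event Type:")[1:]:
        fields = dict(FIELD.findall("Event Type:" + chunk))
        if fields.get("Event ID") in ("675", "676"):
            events.append(fields)
    return events

def lockout_sources(text, user):
    """Count failures for `user` per (client address, event ID, failure code)."""
    tally = Counter()
    for ev in parse_events(text):
        if ev.get("User Name", "").lower() == user.lower():
            code = int(ev.get("Failure Code", "0x0"), 16)
            tally[(ev.get("Client Address", "?"), ev["Event ID"], code)] += 1
    return tally

def report(tally):
    """One line per source, most frequent first."""
    return [f"{addr}  event {eid}  0x{code:x} ({FAILURE_CODES.get(code, 'other')})  x{n}"
            for (addr, eid, code), n in tally.most_common()]

def _event(eid, user, code, addr):
    # Constructed record in the same field layout as the event quoted above.
    return (f"Event Type:      Failure Audit\nEvent ID:      {eid}\nDescription:\n"
            f"       User Name:      {user}\n       Failure Code:      {code}\n"
            f"       Client Address:      {addr}\n\n")

# Constructed sample: placeholder user names and documentation-range addresses.
SAMPLE = (_event(675, "jdoe", "0x18", "192.0.2.7") * 2
          + _event(675, "other", "0x18", "192.0.2.20")
          + _event(676, "jdoe", "0x12", "192.0.2.7"))

if __name__ == "__main__":
    print("\n".join(report(lockout_sources(SAMPLE, "jdoe"))))
```

Event 675 entries with code 0x18 mark the bad-password attempts that lead up to a lockout, while 676 entries with 0x12 are requests made after the account is already locked; the address with the most 675 entries is the machine to inspect first.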