We help IT Professionals succeed at work.

User account locked out of Active directory occasionally

Madrilleno
Madrilleno asked
on
Medium Priority
1,490 Views
Last Modified: 2008-05-30
I have a 50 user AD domain running in Native 2000 mode. Every so often, one of my users (a domain admin account actually) gets locked out and has to have the account reset before logging in again. I'm pretty certain that it's not someone maliciooulsy trying to get in using his login, but I can't find out why it's happenning.
I have a suspicion that there may be a service running somewhere as the user rather than System or Network, etc. but I have no way of finding if this is the fact.
Can someone help me to troubleshoot this? Is there any way to find services running under this account name in the domain?

Madrilleno
Comment
Watch Question

Consultant/Trainer
Commented:
Hi Madrilleno,

Check if there is a drive mapping for this user, or scheduled task or service running under his credentials. Check security log to find out from which computer wrong credentials are being sent.

Download Account Lockout and Managment tools, http://www.microsoft.com/Downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en
ALTools will help you to identify process which is using bad credentials.

HTH

Toni

Author

Commented:
The account has generated the following errors on a DC

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      676
Date:            25/01/2008
Time:            10:02:36
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER03
Description:
Authentication Ticket Request Failed:
       User Name:      asimth
       Supplied Realm Name:      SPDF
       Service Name:      krbtgt/SPDF
       Ticket Options:      0x40810010
       Failure Code:      0x12
       Client Address:      10.0.0.7
 

Author

Commented:
This may have been related to a stored password on the user's machine. I have deleted these and will monitor for the error returning.

Toniur: I'm going to give you the points just for the link, these utilities pointed me in the direction of the solution I am trying.
Toni UranjekConsultant/Trainer

Commented:
I would suggest that you check computer with IP: 10.0.0.7 or install ALockout.dll from ALTools on this computer.

Do not use this tool on servers that host network applications or services. Also, you should not use ALockout.dll on Exchange servers, because it may prevent the Exchange store from starting.

Event 676 tells you that asmith is probably already locked out.

Failure Code: 0x12 - Account disabled, expired, or locked out.

Do you have any 675 events in your security log?

Explore More ContentExplore courses, solutions, and other research materials related to this topic.