Solved

random windows lockout

Posted on 2008-06-10
6
16,766 Views
Last Modified: 2013-12-04
We are experiencing random AD account lockouts on certain user accounts major system changes DC upgrades domain split new firewall etc etc making diagnistics difficult to say the least. I have checked scheduled tasks that may be running and can find nothing obvious. can someone help and point me in the right direction for further investigation. I believe it too be an authentiction issue with kerboros tickets, any help appreciated. Thanks
0
Comment
Question by:maadoit
6 Comments
 
LVL 4

Assisted Solution

by:Dovinshka
Dovinshka earned 75 total points
Comment Utility
For one, you should be checking your security event logs for all failure entries. Have you set auditing for such events? I would suggest doing so and then you will have a far easier chance to identify the root casues of your account lockouts.

Funnily enough, there are some tools out there that accomplish that in an easier fashion. I cannot speak for them as I haven't tried the product, but have a look at this - http://www.downloadjunction.com/product/software/128805/index.html

Dov.
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 125 total points
Comment Utility
Hi!

Usually the problem is scheduled task or service runnig with old credentials. Check those first, if you don't find anything, download and install ALTools, from:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
This tools can help you find process that is sending wrong credentials, after you find workstation name in security log.

HTH

Toni
0
 
LVL 13

Assisted Solution

by:strongline
strongline earned 50 total points
Comment Utility
account locked is ONLY caused by bad password attempts, nothing else. So don't even worry about DC updates, firewall changes etc etc.

First thing make sure you are auditing account logon events, then search thru your security log on DCs - you can't accomplish this manually - a must have tool is eventCombMT.exe that is inlcuded in the link that toniur posted.

Once you find out which machine is sending the bad password, check why bad password is being sent from that client by looking the following (this is not a complete list but should cover 99% cases):

- mapped drive
- scheduled tasks
- stored password (windows XP and up)
- orphaned RDP session (disconnected but not logged off)
- wrong credential in services.msc
- hard coded password in scripts

0
Better Security Awareness With Threat Intelligence

See how one of the leading financial services organizations uses Recorded Future as part of a holistic threat intelligence program to promote security awareness and proactively and efficiently identify threats.

 

Author Comment

by:maadoit
Comment Utility


Thanks all for your assistance with this matter

after installing the Alockout ( part of the MS Acount Lockout tools ) mentioned earlier i think i have found the process that was causing the lock out of the AD account
0
 

Expert Comment

by:cyberlinksupport
Comment Utility
0
 

Expert Comment

by:ahmedla1
Comment Utility
I have similar problem. Found the worstation name but how to check further:

675,AUDIT FAILURE,Security,Fri Jul 30 10:51:22 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:56 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:52 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:19:11 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:08:17 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  19552     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1145}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.148    Host Name: ldnws10-148.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 09:00:47 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  Vijya     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-2715}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.112    Host Name: ddad-f60584b575.ldn.nbad.com
c:\temp\LDNDC04-Security_LOG.txt contains 6 parsed events.
0

Featured Post

What Security Threats Are You Missing?

Enhance your security with threat intelligence from the web. Get trending threat insights on hackers, exploits, and suspicious IP addresses delivered to your inbox with our free Cyber Daily.

Join & Write a Comment

Suggested Solutions

In a recent article here at Experts Exchange (http://www.experts-exchange.com/articles/18880/PaperPort-14-in-Windows-10-A-First-Look.html), I discussed my nine-month sandbox testing of the Windows 10 Technical Preview, specifically with respect to r…
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now