Solved

random windows lockout

Posted on 2008-06-10
6
16,777 Views
Last Modified: 2013-12-04
We are experiencing random AD account lockouts on certain user accounts major system changes DC upgrades domain split new firewall etc etc making diagnistics difficult to say the least. I have checked scheduled tasks that may be running and can find nothing obvious. can someone help and point me in the right direction for further investigation. I believe it too be an authentiction issue with kerboros tickets, any help appreciated. Thanks
0
Comment
Question by:maadoit
6 Comments
 
LVL 4

Assisted Solution

by:Dovinshka
Dovinshka earned 75 total points
ID: 21749451
For one, you should be checking your security event logs for all failure entries. Have you set auditing for such events? I would suggest doing so and then you will have a far easier chance to identify the root casues of your account lockouts.

Funnily enough, there are some tools out there that accomplish that in an easier fashion. I cannot speak for them as I haven't tried the product, but have a look at this - http://www.downloadjunction.com/product/software/128805/index.html

Dov.
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 125 total points
ID: 21749710
Hi!

Usually the problem is scheduled task or service runnig with old credentials. Check those first, if you don't find anything, download and install ALTools, from:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
This tools can help you find process that is sending wrong credentials, after you find workstation name in security log.

HTH

Toni
0
 
LVL 13

Assisted Solution

by:strongline
strongline earned 50 total points
ID: 21750958
account locked is ONLY caused by bad password attempts, nothing else. So don't even worry about DC updates, firewall changes etc etc.

First thing make sure you are auditing account logon events, then search thru your security log on DCs - you can't accomplish this manually - a must have tool is eventCombMT.exe that is inlcuded in the link that toniur posted.

Once you find out which machine is sending the bad password, check why bad password is being sent from that client by looking the following (this is not a complete list but should cover 99% cases):

- mapped drive
- scheduled tasks
- stored password (windows XP and up)
- orphaned RDP session (disconnected but not logged off)
- wrong credential in services.msc
- hard coded password in scripts

0
What is SQL Server and how does it work?

The purpose of this paper is to provide you background on SQL Server. It’s your self-study guide for learning fundamentals. It includes both the history of SQL and its technical basics. Concepts and definitions will form the solid foundation of your future DBA expertise.

 

Author Comment

by:maadoit
ID: 21751687


Thanks all for your assistance with this matter

after installing the Alockout ( part of the MS Acount Lockout tools ) mentioned earlier i think i have found the process that was causing the lock out of the AD account
0
 

Expert Comment

by:cyberlinksupport
ID: 24959664
0
 

Expert Comment

by:ahmedla1
ID: 33324176
I have similar problem. Found the worstation name but how to check further:

675,AUDIT FAILURE,Security,Fri Jul 30 10:51:22 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:56 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:52 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:19:11 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:08:17 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  19552     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1145}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.148    Host Name: ldnws10-148.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 09:00:47 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  Vijya     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-2715}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.112    Host Name: ddad-f60584b575.ldn.nbad.com
c:\temp\LDNDC04-Security_LOG.txt contains 6 parsed events.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

803 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question