Solved

random windows lockout

Posted on 2008-06-10
6
16,803 Views
Last Modified: 2013-12-04
We are experiencing random AD account lockouts on certain user accounts major system changes DC upgrades domain split new firewall etc etc making diagnistics difficult to say the least. I have checked scheduled tasks that may be running and can find nothing obvious. can someone help and point me in the right direction for further investigation. I believe it too be an authentiction issue with kerboros tickets, any help appreciated. Thanks
0
Comment
Question by:maadoit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 4

Assisted Solution

by:Dovinshka
Dovinshka earned 75 total points
ID: 21749451
For one, you should be checking your security event logs for all failure entries. Have you set auditing for such events? I would suggest doing so and then you will have a far easier chance to identify the root casues of your account lockouts.

Funnily enough, there are some tools out there that accomplish that in an easier fashion. I cannot speak for them as I haven't tried the product, but have a look at this - http://www.downloadjunction.com/product/software/128805/index.html

Dov.
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 125 total points
ID: 21749710
Hi!

Usually the problem is scheduled task or service runnig with old credentials. Check those first, if you don't find anything, download and install ALTools, from:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
This tools can help you find process that is sending wrong credentials, after you find workstation name in security log.

HTH

Toni
0
 
LVL 13

Assisted Solution

by:strongline
strongline earned 50 total points
ID: 21750958
account locked is ONLY caused by bad password attempts, nothing else. So don't even worry about DC updates, firewall changes etc etc.

First thing make sure you are auditing account logon events, then search thru your security log on DCs - you can't accomplish this manually - a must have tool is eventCombMT.exe that is inlcuded in the link that toniur posted.

Once you find out which machine is sending the bad password, check why bad password is being sent from that client by looking the following (this is not a complete list but should cover 99% cases):

- mapped drive
- scheduled tasks
- stored password (windows XP and up)
- orphaned RDP session (disconnected but not logged off)
- wrong credential in services.msc
- hard coded password in scripts

0
Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 

Author Comment

by:maadoit
ID: 21751687


Thanks all for your assistance with this matter

after installing the Alockout ( part of the MS Acount Lockout tools ) mentioned earlier i think i have found the process that was causing the lock out of the AD account
0
 

Expert Comment

by:ahmedla1
ID: 33324176
I have similar problem. Found the worstation name but how to check further:

675,AUDIT FAILURE,Security,Fri Jul 30 10:51:22 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:56 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:52 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:19:11 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:08:17 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  19552     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1145}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.148    Host Name: ldnws10-148.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 09:00:47 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  Vijya     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-2715}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.112    Host Name: ddad-f60584b575.ldn.nbad.com
c:\temp\LDNDC04-Security_LOG.txt contains 6 parsed events.
0

Featured Post

Office 365 Training for IT Pros

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

630 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question