Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

random windows lockout

Posted on 2008-06-10
6
Medium Priority
?
16,813 Views
Last Modified: 2013-12-04
We are experiencing random AD account lockouts on certain user accounts major system changes DC upgrades domain split new firewall etc etc making diagnistics difficult to say the least. I have checked scheduled tasks that may be running and can find nothing obvious. can someone help and point me in the right direction for further investigation. I believe it too be an authentiction issue with kerboros tickets, any help appreciated. Thanks
0
Comment
Question by:maadoit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 4

Assisted Solution

by:Dovinshka
Dovinshka earned 225 total points
ID: 21749451
For one, you should be checking your security event logs for all failure entries. Have you set auditing for such events? I would suggest doing so and then you will have a far easier chance to identify the root casues of your account lockouts.

Funnily enough, there are some tools out there that accomplish that in an easier fashion. I cannot speak for them as I haven't tried the product, but have a look at this - http://www.downloadjunction.com/product/software/128805/index.html

Dov.
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 375 total points
ID: 21749710
Hi!

Usually the problem is scheduled task or service runnig with old credentials. Check those first, if you don't find anything, download and install ALTools, from:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
This tools can help you find process that is sending wrong credentials, after you find workstation name in security log.

HTH

Toni
0
 
LVL 13

Assisted Solution

by:strongline
strongline earned 150 total points
ID: 21750958
account locked is ONLY caused by bad password attempts, nothing else. So don't even worry about DC updates, firewall changes etc etc.

First thing make sure you are auditing account logon events, then search thru your security log on DCs - you can't accomplish this manually - a must have tool is eventCombMT.exe that is inlcuded in the link that toniur posted.

Once you find out which machine is sending the bad password, check why bad password is being sent from that client by looking the following (this is not a complete list but should cover 99% cases):

- mapped drive
- scheduled tasks
- stored password (windows XP and up)
- orphaned RDP session (disconnected but not logged off)
- wrong credential in services.msc
- hard coded password in scripts

0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:maadoit
ID: 21751687


Thanks all for your assistance with this matter

after installing the Alockout ( part of the MS Acount Lockout tools ) mentioned earlier i think i have found the process that was causing the lock out of the AD account
0
 

Expert Comment

by:ahmedla1
ID: 33324176
I have similar problem. Found the worstation name but how to check further:

675,AUDIT FAILURE,Security,Fri Jul 30 10:51:22 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:56 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:52 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:19:11 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:08:17 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  19552     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1145}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.148    Host Name: ldnws10-148.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 09:00:47 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  Vijya     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-2715}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.112    Host Name: ddad-f60584b575.ldn.nbad.com
c:\temp\LDNDC04-Security_LOG.txt contains 6 parsed events.
0

Featured Post

Introducing the WatchGuard 420 Access Point

WatchGuard's newest access point includes an 802.11ac Wave 2 chipset, providing the fastest speeds for VoIP, video and music streaming, and large data file transfers. Additionally, enjoy the benefits of strong security as the 3rd radio delivers dedicated WIPS protection!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

721 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question