Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

random windows lockout

Posted on 2008-06-10
6
Medium Priority
?
16,820 Views
Last Modified: 2013-12-04
We are experiencing random AD account lockouts on certain user accounts major system changes DC upgrades domain split new firewall etc etc making diagnistics difficult to say the least. I have checked scheduled tasks that may be running and can find nothing obvious. can someone help and point me in the right direction for further investigation. I believe it too be an authentiction issue with kerboros tickets, any help appreciated. Thanks
0
Comment
Question by:maadoit
6 Comments
 
LVL 4

Assisted Solution

by:Dovinshka
Dovinshka earned 225 total points
ID: 21749451
For one, you should be checking your security event logs for all failure entries. Have you set auditing for such events? I would suggest doing so and then you will have a far easier chance to identify the root casues of your account lockouts.

Funnily enough, there are some tools out there that accomplish that in an easier fashion. I cannot speak for them as I haven't tried the product, but have a look at this - http://www.downloadjunction.com/product/software/128805/index.html

Dov.
0
 
LVL 31

Accepted Solution

by:
Toni Uranjek earned 375 total points
ID: 21749710
Hi!

Usually the problem is scheduled task or service runnig with old credentials. Check those first, if you don't find anything, download and install ALTools, from:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
This tools can help you find process that is sending wrong credentials, after you find workstation name in security log.

HTH

Toni
0
 
LVL 13

Assisted Solution

by:strongline
strongline earned 150 total points
ID: 21750958
account locked is ONLY caused by bad password attempts, nothing else. So don't even worry about DC updates, firewall changes etc etc.

First thing make sure you are auditing account logon events, then search thru your security log on DCs - you can't accomplish this manually - a must have tool is eventCombMT.exe that is inlcuded in the link that toniur posted.

Once you find out which machine is sending the bad password, check why bad password is being sent from that client by looking the following (this is not a complete list but should cover 99% cases):

- mapped drive
- scheduled tasks
- stored password (windows XP and up)
- orphaned RDP session (disconnected but not logged off)
- wrong credential in services.msc
- hard coded password in scripts

0
New Tabletop Appliances Blow Competitors Away!

WatchGuard’s new T15, T35 and T55 tabletop UTMs provide the highest-performing security inspection in their class, allowing users at small offices, home offices and distributed enterprises to experience blazing-fast Internet speeds without sacrificing enterprise-grade security.

 

Author Comment

by:maadoit
ID: 21751687


Thanks all for your assistance with this matter

after installing the Alockout ( part of the MS Acount Lockout tools ) mentioned earlier i think i have found the process that was causing the lock out of the AD account
0
 

Expert Comment

by:ahmedla1
ID: 33324176
I have similar problem. Found the worstation name but how to check further:

675,AUDIT FAILURE,Security,Fri Jul 30 10:51:22 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:56 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:31:52 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  08114     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1138}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.142    Host Name: ldnws10-142.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:19:11 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  14036     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1122}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.175    Host Name: hp12269971822.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 10:08:17 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  19552     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-1145}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.148    Host Name: ldnws10-148.ldn.ddad.com
675,AUDIT FAILURE,Security,Fri Jul 30 09:00:47 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name:  Vijya     User ID:  %{S-1-5-21-1863649858-2034932966-2828749719-2715}     Service Name:  krbtgt/LDN-ddAD     Pre-Authentication Type: 0x2     Failure Code:  0x18     Client Address:  10.80.10.112    Host Name: ddad-f60584b575.ldn.nbad.com
c:\temp\LDNDC04-Security_LOG.txt contains 6 parsed events.
0

Featured Post

Cyber Threats to Small Businesses (Part 2)

The evolving cybersecurity landscape presents SMBs with a host of new threats to their clients, their data, and their bottom line. In part 2 of this blog series, learn three quick processes Webroot’s CISO, Gary Hayslip, recommends to help small businesses beat modern threats.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Had a business requirement to store the mobile number in an environmental variable. This is just a quick article on how this was done.
In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

972 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question