Solved

Active Directory Account Lockouts for one user only

Posted on 2008-06-12
7
2,362 Views
Last Modified: 2013-12-02
I have a user who continually gets his account locked out in Active Directory.
I know it is not the policy as we have the default domain policy applying to all users including him.
I know it is not his machine as we junked his old one and replaced it with a new thinkpad t60
However it happens multiple times aday and he only has 2 drives mapped which all uses get as
part of the logon script.  

Any help would be appreciated.  I ran the lockoutstatus and below is the alockout.txt file log
Wed Jun 11 07:41:17 2008, PID:  3996, Thread:  3312, Image C:\WINDOWS\system32\NOTEPAD.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 07:41:27 2008, PID:  3748, Thread:  3512, Image C:\WINDOWS\system32\NOTEPAD.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 07:41:30 2008, PID:  3992, Thread:  1620, Image C:\WINDOWS\system32\NOTEPAD.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 07:41:33 2008, PID:  3992, Thread:  1620, Image C:\WINDOWS\system32\NOTEPAD.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 07:41:41 2008, PID:  4020, Thread:  2836, Image C:\Program Files\Microsoft Office\Office\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 07:42:05 2008, PID:   332, Thread:  2780, Image C:\WINDOWS\system32\dumprep.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 07:42:12 2008, PID:   748, Thread:   584, Image C:\WINDOWS\system32\dwwin.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 07:42:25 2008, PID:   748, Thread:   584, Image C:\WINDOWS\system32\dwwin.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 07:42:25 2008, PID:   332, Thread:  2780, Image C:\WINDOWS\system32\dumprep.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 07:42:29 2008, PID:  3340, Thread:   448, Image C:\WINDOWS\system32\NOTEPAD.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 07:42:46 2008, PID:  3340, Thread:   448, Image C:\WINDOWS\system32\NOTEPAD.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 07:44:40 2008, PID:  2612, Thread:  1828, Image C:\Program Files\DameWare Development\DameWare Mini Remote Control\dwrtde.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 07:44:44 2008, PID:  2612, Thread:  1828, Image C:\Program Files\DameWare Development\DameWare Mini Remote Control\dwrtde.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 07:45:34 2008, PID:  4084, Thread:  3988, Image C:\WINDOWS\system32\wuauclt.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 07:48:54 2008, PID:  2844, Thread:  2320, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 07:49:01 2008, PID:  2844, Thread:  2320, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 07:55:32 2008, PID:  2440, Thread:  3588, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 07:58:55 2008, PID:  3444, Thread:   956, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 07:59:02 2008, PID:  3444, Thread:   956, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 08:08:56 2008, PID:  3820, Thread:  3068, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:09:02 2008, PID:  3820, Thread:  3068, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 08:12:39 2008, PID:  2440, Thread:  3588, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 08:13:15 2008, PID:  3568, Thread:  2200, Image C:\Program Files\Microsoft Office\Office\WINWORD.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:15:12 2008, PID:  2916, Thread:   604, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:15:12 2008, PID:  2812, Thread:  3432, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:15:49 2008, PID:   664, Thread:  1128, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Wed Jun 11 08:15:49 2008, PID:   664, Thread:  1128, Image C:\WINDOWS\System32\svchost.exe,* Service Failure - See System Log for Details (ID: 7000) *
Wed Jun 11 08:15:49 2008, PID:   664, Thread:  1128, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Wed Jun 11 08:15:49 2008, PID:   664, Thread:  1128, Image C:\WINDOWS\System32\svchost.exe,***StartServiceW Failed!*** (0), Service: Service: Remote Access Auto Connection Manager (C:\WINDOWS\system32\svchost.exe -k netsvcs), RC was: The operation completed successfully.   (0), GLE was: An instance of the service is already running.   (1056)
Wed Jun 11 08:18:56 2008, PID:  3048, Thread:  3972, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:19:03 2008, PID:  3048, Thread:  3972, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 08:22:15 2008, PID:  2464, Thread:  3020, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:23:59 2008, PID:  2464, Thread:  3020, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 08:24:02 2008, PID:  3568, Thread:  2200, Image C:\Program Files\Microsoft Office\Office\WINWORD.EXE,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 08:28:57 2008, PID:  4056, Thread:  2436, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:29:04 2008, PID:  4056, Thread:  2436, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 08:38:58 2008, PID:   588, Thread:  1324, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:39:04 2008, PID:   588, Thread:  1324, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 08:48:58 2008, PID:  1496, Thread:  3704, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:49:05 2008, PID:  1496, Thread:  3704, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 08:58:59 2008, PID:  3196, Thread:  2440, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 08:59:06 2008, PID:  3196, Thread:  2440, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 09:09:00 2008, PID:   656, Thread:  1252, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 09:09:06 2008, PID:   656, Thread:  1252, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 09:09:49 2008, PID:  2920, Thread:  3272, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 09:19:00 2008, PID:  1648, Thread:  1672, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 09:19:07 2008, PID:  1648, Thread:  1672, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 09:29:01 2008, PID:   488, Thread:   452, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 09:29:07 2008, PID:   488, Thread:   452, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 09:39:01 2008, PID:  3512, Thread:  2120, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 09:39:08 2008, PID:  3512, Thread:  2120, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 09:45:06 2008, PID:  2920, Thread:  3272, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 09:49:02 2008, PID:  4060, Thread:  2080, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 09:49:08 2008, PID:  4060, Thread:  2080, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 09:53:49 2008, PID:   664, Thread:  1976, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Wed Jun 11 09:53:49 2008, PID:   664, Thread:  1976, Image C:\WINDOWS\System32\svchost.exe,* Service Failure - See System Log for Details (ID: 7000) *
Wed Jun 11 09:53:49 2008, PID:   664, Thread:  1976, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Wed Jun 11 09:53:49 2008, PID:   664, Thread:  1976, Image C:\WINDOWS\System32\svchost.exe,***StartServiceW Failed!*** (0), Service: Service: Remote Access Auto Connection Manager (C:\WINDOWS\system32\svchost.exe -k netsvcs), RC was: The operation completed successfully.   (0), GLE was: An instance of the service is already running.   (1056)
Wed Jun 11 09:56:12 2008, PID:  2968, Thread:   884, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 09:56:12 2008, PID:  3884, Thread:  1252, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 09:59:03 2008, PID:  3300, Thread:  3516, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 09:59:09 2008, PID:  3300, Thread:  3516, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 10:09:03 2008, PID:  2344, Thread:  3272, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 10:09:21 2008, PID:  2344, Thread:  3272, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 10:19:10 2008, PID:  3932, Thread:  3588, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 10:19:19 2008, PID:  3932, Thread:  3588, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 10:21:11 2008, PID:  2108, Thread:  2920, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 10:21:21 2008, PID:  2108, Thread:  2920, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 10:29:13 2008, PID:  3928, Thread:   504, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 10:29:21 2008, PID:  3928, Thread:   504, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 10:39:15 2008, PID:  1428, Thread:   360, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 10:39:24 2008, PID:  1428, Thread:   360, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 10:42:39 2008, PID:  3064, Thread:  1556, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 10:44:29 2008, PID:  3064, Thread:  1556, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 10:49:18 2008, PID:  2808, Thread:  3392, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 10:49:27 2008, PID:  2808, Thread:  3392, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 10:50:58 2008, PID:  3988, Thread:  2668, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 10:56:28 2008, PID:  3988, Thread:  2668, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 10:59:21 2008, PID:  3308, Thread:  3372, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 10:59:29 2008, PID:  3308, Thread:  3372, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:08:08 2008, PID:  1120, Thread:  2256, Image ping,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:08:08 2008, PID:  1120, Thread:  2256, Image ping,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:08:17 2008, PID:  2972, Thread:  2940, Image ping,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:08:20 2008, PID:  2972, Thread:  2940, Image ping,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:08:30 2008, PID:  2520, Thread:  4084, Image ping,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:08:37 2008, PID:  2520, Thread:  4084, Image ping,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:09:23 2008, PID:  3992, Thread:  2812, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:09:32 2008, PID:  3992, Thread:  2812, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:09:58 2008, PID:  3676, Thread:  3136, Image C:\Program Files\Microsoft Office\Office\EXCEL.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:17:03 2008, PID:  3212, Thread:  3452, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:19:26 2008, PID:  1252, Thread:   932, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:19:35 2008, PID:  1252, Thread:   932, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:23:34 2008, PID:  3212, Thread:  3452, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:25:49 2008, PID:   664, Thread:  1976, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Wed Jun 11 11:25:49 2008, PID:   664, Thread:  1976, Image C:\WINDOWS\System32\svchost.exe,* Service Failure - See System Log for Details (ID: 7000) *
Wed Jun 11 11:25:49 2008, PID:   664, Thread:  1976, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Wed Jun 11 11:25:49 2008, PID:   664, Thread:  1976, Image C:\WINDOWS\System32\svchost.exe,***StartServiceW Failed!*** (0), Service: Service: Remote Access Auto Connection Manager (C:\WINDOWS\system32\svchost.exe -k netsvcs), RC was: The operation completed successfully.   (0), GLE was: An instance of the service is already running.   (1056)
Wed Jun 11 11:29:12 2008, PID:  2324, Thread:  2780, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:29:12 2008, PID:  3860, Thread:  3588, Image /S,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:29:29 2008, PID:  3452, Thread:  4056, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:35:11 2008, PID:  3452, Thread:  4056, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:45:05 2008, PID:  2908, Thread:  3976, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:45:11 2008, PID:  2908, Thread:  3976, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:50:14 2008, PID:  3992, Thread:  1984, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:55:05 2008, PID:   956, Thread:  2008, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:55:12 2008, PID:   956, Thread:  2008, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 11:59:58 2008, PID:  2020, Thread:  2140, Image C:\Program Files\Lenovo\Rescue and Recovery\rrcmd.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 11:59:58 2008, PID:  3992, Thread:  1984, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:01:20 2008, PID:  2956, Thread:   448, Image C:\WINDOWS\system32\defrag.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:01:20 2008, PID:  2504, Thread:  2980, Image DfrgNtfs.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:02:10 2008, PID:  2504, Thread:  2980, Image DfrgNtfs.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:02:10 2008, PID:  2956, Thread:   448, Image C:\WINDOWS\system32\defrag.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:02:10 2008, PID:  3684, Thread:  3484, Image C:\WINDOWS\system32\defrag.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:02:10 2008, PID:  3516, Thread:  1480, Image DfrgNtfs.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:02:23 2008, PID:  3684, Thread:  3484, Image C:\WINDOWS\system32\defrag.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:02:23 2008, PID:  3516, Thread:  1480, Image DfrgNtfs.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:04:59 2008, PID:  3596, Thread:  2440, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:05:06 2008, PID:  3512, Thread:  3500, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:05:13 2008, PID:  3512, Thread:  3500, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:15:06 2008, PID:  3516, Thread:  1960, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:15:13 2008, PID:  3516, Thread:  1960, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:22:11 2008, PID:   508, Thread:  3208, Image C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:23:28 2008, PID:   508, Thread:  3208, Image C:\WINDOWS\PCHealth\HelpCtr\Binaries\HelpSvc.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:25:07 2008, PID:  2744, Thread:  2052, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:25:14 2008, PID:  2744, Thread:  2052, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:35:08 2008, PID:   400, Thread:  2612, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:35:14 2008, PID:   400, Thread:  2612, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:45:08 2008, PID:   976, Thread:  2072, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:45:15 2008, PID:   976, Thread:  2072, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 12:55:09 2008, PID:  1084, Thread:  3320, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 12:55:15 2008, PID:  1084, Thread:  3320, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 13:05:09 2008, PID:  1412, Thread:  1872, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 13:05:16 2008, PID:  1412, Thread:  1872, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 13:15:10 2008, PID:  2972, Thread:  2096, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jun 11 13:15:16 2008, PID:  2972, Thread:  2096, Image C:\Program Files\Common Files\InstallShield\UpdateService\agent.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 13:22:49 2008, PID:   664, Thread:  1128, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Wed Jun 11 13:22:49 2008, PID:   664, Thread:  1128, Image C:\WINDOWS\System32\svchost.exe,* Service Failure - See System Log for Details (ID: 7000) *
Wed Jun 11 13:22:49 2008, PID:   664, Thread:  1128, Image C:\WINDOWS\System32\svchost.exe,***********************************************************
Wed Jun 11 13:22:49 2008, PID:   664, Thread:  1128, Image C:\WINDOWS\System32\svchost.exe,***StartServiceW Failed!*** (0), Service: Service: Remote Access Auto Connection Manager (C:\WINDOWS\system32\svchost.exe -k netsvcs), RC was: The operation completed successfully.   (0), GLE was: An instance of the service is already running.   (1056)
Wed Jun 11 13:23:22 2008, PID:  3596, Thread:  2440, Image C:\WINDOWS\system32\scrnsave.scr,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 13:23:25 2008, PID:  2020, Thread:  2140, Image C:\Program Files\Lenovo\Rescue and Recovery\rrcmd.exe,ALOCKOUT.DLL - dll_process_detatch
Wed Jun 11 13:23:57 2008, PID:  1316, Thread:  3884, Image C:\WINDOWS\Explorer.EXE,***WNetUseConnectionW Failed!*** (3), Local: (null), Remote: \\, Password: Password was NULL, Window Title: , RC was: The network path was not found.   (53), GLE was: The network path was not found.   (53)
Wed Jun 11 13:23:57 2008, PID:  1316, Thread:  3884, Image C:\WINDOWS\Explorer.EXE,***WNetUseConnectionW Failed!*** (4), Local: (null), Remote: \\, Password: Password was NULL, Window Title: , RC was: The network path was not found.   (53), GLE was: The network path was not found.   (53)
Wed Jun 11 13:24:55 2008, PID:  3568, Thread:  2008, Image C:\WINDOWS\system32\NOTEPAD.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH

Lockout.doc
0
Comment
Question by:bergquistcompany
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 2
7 Comments
 
LVL 13

Expert Comment

by:SagiEDoc
ID: 21770804
Try exclude him from having the drives mapped and see if the problem persists. Mapped drives can cause this issue because the credentails they are mapped with may have changed. Is it possible that the user mapped a network drive for someone else using his credentails, this could also be causing the problem if the user had for example changed his password since doing the map. You can run a trace on AD and determine from what machine the account lockout is coming but you will need to load an app to do this.
0
 

Author Comment

by:bergquistcompany
ID: 21771242
What software is that and is it easy to run?  I will have him remove his mappings to test, but given it's something we all get from the login script I'm not sure this is it, but will try anything.
0
 
LVL 2

Expert Comment

by:geedoubleu
ID: 21772022
Troubleshooting Account Lockouts, you first need to determine which computer/IP the bad passwords are coming from.

If you have lots of DC's, go to the Security Log on the PDC and look for all failed 675's and 680's.

The 675's are kerberos and will tell you which DC the bad password came from, then find the corresponding 675 on the DC, which will tell you which IP address it came from. Event 680's are NTLM and will tell you which computer they come from.

From these logs you can be sure which computer has the problem.

You then need to check that computer for Drive Mappings using different credentials or any other application that may cache credentials.

I've seen account lockouts caused by mis-configured intranets in mulit-domain environments that pass credntials from one domain to the wrong domain causing the lockout.

0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 

Author Comment

by:bergquistcompany
ID: 21779222
I don't have any 675 but I do have 680 on the Active Directory Domain Controller:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      TIMH
 Source Workstation:      IS0143
 Error Code:      0x0
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

However this is is new laptop and it was happening on his old one too so you think it is still something on the workstation itself?  I will have him try removing the drive mapping and see
0
 
LVL 2

Accepted Solution

by:
geedoubleu earned 500 total points
ID: 21779487
This Event 680 doesn't look like the cause.

You are looking for a failed 680 with error code 0c000006A and/or failed 675's with Failure Code 0x18.

A NTLM bad password it is very likely to be application or drive mapping that someone has typed their user name and password into, the password changes, but never updates the application or mapped drive.

A 675 will be a kerberos application such as a intranet using single-signon or Windows and usually means the user has just typed their password incorrectly.

The source workstation will definitely be what the log state,
0
 

Author Comment

by:bergquistcompany
ID: 21795238
It was the mapping even though the logon script maps those I'm not sure why the authentication would fail, but after removing the mappings it hasn't locked up.
0
 

Author Comment

by:bergquistcompany
ID: 22106817
We have removed the mappings, which resolved it and have now added him back to the login script to get two Group Policy drive mappings.  This was working fine for about 2 weeks and now we have lockouts again.  Any idea why being part of an OU getting Group Policy mappings would affect him only or could it possibly be something else?  Alockout.txt attached.
alockout.txt
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question