Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

MAC causing user account lockouts continuously

Posted on 2008-10-28
11
Medium Priority
?
2,081 Views
Last Modified: 2013-12-05
We have a windows 2000 domain server with a number of users defined in active directory.

Recently one user changed her network password on her PC which was fine. But shortly after started getting locked out of her account. Looking at the security event log we are seeing the following events for that account ever 1-3 minutes:

Initially three times...

Event 681:
The logon to account: lucyml
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: ROSIE-G4-COMPUT
 failed. The error code was: 3221225578

Event 529:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      lucyml
       Domain:            xxx
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ROSIE-G4-COMPUT

And then ...

Event 681:
The logon to account: lucyml
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: ROSIE-G4-COMPUT
 failed. The error code was: 3221226036

and Event 539:

Logon Failure:
       Reason:            Account locked out
       User Name:      lucyml
       Domain:      xxx
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ROSIE-G4-COMPUT

As you can see the user lucyml is now locked out. The source is an Apple MAC G4 running OS-X. The strange thing is that the main user of the MAC isn't lucyml, they use an account name of rosiecp on that MAC. So there must be some application or network connection on this MAC that is trying to connect to some domain resource using the lucyml account which is not the default login. These two users do work closely together and lucyml does sometimes do work on the G4 but both users insist they have not made any connections or installed any applications with the lucyml account!

My MAC knowledge is very limited, I have looked for any obvious network connections or applications but I am stumped. Our only sollution so far is to un-plug the MAC from the network so that we can unlock the lucyml account on the DC. Any suggestions would be greatly appreciated.
0
Comment
Question by:Inv-Forbes
11 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 22822087
I suspect that the MAC is trying to connect to a share on the server and is using a stored username/password as credentials to access the share - this will generate a logon failure if the password has been changed and may lock the account if the threshold is exceeded.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22822197
Yes, I had assumed that was the problem as it only started when lucyml changed her password recenlty. How do I find out the whats causing connection? There are no network devices on the desktop, is there any way to list network connections to show the credentials in use?
0
 
LVL 7

Expert Comment

by:kguy18
ID: 22823635
You can look in the users keychain to see all the saved passwords in use, and the certificates that the computer is using as well. Sometimes when you change your domain password its not always updated in the keychain. You can get to the keychain by: Applications > Utilities > Keychain Access

Hope that helps.
0
Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22839487
Thanks,

I checked the Keychain as advised but it only contains the details for the main user. No other certificates or anything that suggests lucyml had access from this machine. I spent some time going through all the configuration files in /etc looking for any reference to the lucyml account but still nothing.

I'm completely stumped.
0
 
LVL 1

Expert Comment

by:Cronock
ID: 22908033
I know you said that you've checked the keychain, so this may be irrelevant. We had a similar issue when users were connecting with Entourage.  Entourage would keep trying to connect with the users old password, which was not saved, without error warnings.  This would immediately lock out that account without any obvious error.  
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22920139
OK Thanks, I'll have a look but i don't think they are using Entourage, but I'll check anyway.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22920963
Entourage hadn't been used, there were no accounts defined in it. The user seems to be using Outlook Express running under MAC OS 9.x in emulation for some reason. Again I checked the accounts but it only has the rosiecp user defined not the lucyml account. I think we may have to do a clean install of OS X to get round this.
0
 
LVL 1

Expert Comment

by:Cronock
ID: 22923426
Something a little simpler may be to create a new user, login as that user and see if it locks the machine out, then you might just rebuild the user data rather than install all new apps to save you a little time.  If it still does it, at least you know it wasn't user-level and can then wipe the OS.  Very interesting to say the least.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22928673
Ah yes, I hadn't thought of that. I think we're just going to bight the bullett and do the clean install, but I'll try creating the lucyml account first just to see what happens.

Thanks. I'll report on the results.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22931454
I tried creating a lucyml account with admin privs on the G4, rebooted and logged in with this account. Still had the problem. I tried creating a third account called test but still the same problem. So it must be some daemon that starts at boot which has got the lucyml credentials from somewhere?

We are now going to do a full clean install.
Thanks for your help.
0
 
LVL 1

Accepted Solution

by:
Inv-Forbes earned 0 total points
ID: 23040877
Re-installed MAC OS-X.
0

Featured Post

Vote for the Most Valuable Expert

It’s time to recognize experts that go above and beyond with helpful solutions and engagement on site. Choose from the top experts in the Hall of Fame or on the right rail of your favorite topic page. Look for the blue “Nominate” button on their profile to vote.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
This article outlines the struggles that Macs encounter in Windows-dominated workplace environments – and what Mac users can do to improve their network connectivity and remain productive.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
this video summaries big data hadoop online training demo (http://onlineitguru.com/big-data-hadoop-online-training-placement.html) , and covers basics in big data hadoop .

963 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question