  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2092

Mac causing user account lockouts continuously

We have a Windows 2000 domain server with a number of users defined in Active Directory.

Recently one user changed her network password on her PC, which was fine. But shortly after, she started getting locked out of her account. Looking at the security event log we are seeing the following events for that account every 1-3 minutes:

Initially three times...

Event 681:
The logon to account: lucyml
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: ROSIE-G4-COMPUT
 failed. The error code was: 3221225578

Event 529:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      lucyml
       Domain:            xxx
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ROSIE-G4-COMPUT

And then ...

Event 681:
The logon to account: lucyml
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: ROSIE-G4-COMPUT
 failed. The error code was: 3221226036

and Event 539:

Logon Failure:
       Reason:            Account locked out
       User Name:      lucyml
       Domain:      xxx
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ROSIE-G4-COMPUT

As you can see the user lucyml is now locked out. The source is an Apple Mac G4 running OS-X. The strange thing is that the main user of the Mac isn't lucyml, they use an account name of rosiecp on that Mac. So there must be some application or network connection on this Mac that is trying to connect to some domain resource using the lucyml account which is not the default login. These two users do work closely together and lucyml does sometimes do work on the G4 but both users insist they have not made any connections or installed any applications with the lucyml account!

My Mac knowledge is very limited, I have looked for any obvious network connections or applications but I am stumped. Our only solution so far is to un-plug the Mac from the network so that we can unlock the lucyml account on the DC. Any suggestions would be greatly appreciated.
Asked by: Inv-Forbes
1 Solution
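
The error codes in the Event 681 entries quoted in the question are NTSTATUS values printed in decimal. The following Python sketch is an added example, not part of the original thread: it parses that event text, decodes the codes and tallies failures per account and workstation. The function names are illustrative, and the sample input is constructed from the two event texts in the question.

```python
import re
from collections import Counter

# NTSTATUS values for common logon failures (documented Windows status codes).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the Event 681 description text as quoted in the question.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+"
    r"by:\s*(?P<package>\S+)\s+"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\. The error code was:\s*(?P<code>-?\d+)"
)

def decode_status(decimal_code):
    """Turn the decimal error code into (hex NTSTATUS, symbolic name)."""
    code = int(decimal_code) & 0xFFFFFFFF  # also normalises a signed rendering
    return "0x%08X" % code, NTSTATUS.get(code, "UNKNOWN")

def summarize(log_text):
    """Count failures per (account, workstation, hex code, status name)."""
    tally = Counter()
    for m in EVENT_681.finditer(log_text):
        key = (m["account"], m["workstation"]) + decode_status(m["code"])
        tally[key] += 1
    return tally

def lockout_sources(log_text):
    """(account, workstation) pairs with bad-password failures and a lockout."""
    tally = summarize(log_text)
    locked = {k[:2] for k in tally if k[3] == "STATUS_ACCOUNT_LOCKED_OUT"}
    return {k[:2]: n for k, n in tally.items()
            if k[3] == "STATUS_WRONG_PASSWORD" and k[:2] in locked}

# Constructed sample: the question's two Event 681 texts, the first repeated 3x.
_ENTRY = ("Event 681:\nThe logon to account: lucyml\n"
          " by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
          " from workstation: ROSIE-G4-COMPUT\n"
          " failed. The error code was: {}\n\n")
SAMPLE = _ENTRY.format(3221225578) * 3 + _ENTRY.format(3221226036)

if __name__ == "__main__":
    for key, count in sorted(summarize(SAMPLE).items()):
        print(count, *key)
```

Run against an exported security log, the tally shows which workstation name is submitting the stale password and how many bad attempts precede each lockout.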
 
KCTS Commented:
I suspect that the Mac is trying to connect to a share on the server and is using a stored username/password as credentials to access the share - this will generate a logon failure if the password has been changed and may lock the account if the threshold is exceeded.

Inv-Forbes (Author) Commented:
Yes, I had assumed that was the problem as it only started when lucyml changed her password recently. How do I find out what's causing the connection? There are no network devices on the desktop, is there any way to list network connections to show the credentials in use?

kguy18 Commented:
You can look in the user's keychain to see all the saved passwords in use, and the certificates that the computer is using as well. Sometimes when you change your domain password it's not always updated in the keychain. You can get to the keychain by: Applications > Utilities > Keychain Access

Hope that helps.
 
Inv-Forbes (Author) Commented:
Thanks,

I checked the Keychain as advised but it only contains the details for the main user. No other certificates or anything that suggests lucyml had access from this machine. I spent some time going through all the configuration files in /etc looking for any reference to the lucyml account but still nothing.

I'm completely stumped.

Cronock Commented:
I know you said that you've checked the keychain, so this may be irrelevant. We had a similar issue when users were connecting with Entourage. Entourage would keep trying to connect with the user's old password, which was not saved, without error warnings. This would immediately lock out that account without any obvious error.

Inv-Forbes (Author) Commented:
OK Thanks, I'll have a look but I don't think they are using Entourage, but I'll check anyway.

Inv-Forbes (Author) Commented:
Entourage hadn't been used, there were no accounts defined in it. The user seems to be using Outlook Express running under Mac OS 9.x in emulation for some reason. Again I checked the accounts but it only has the rosiecp user defined not the lucyml account. I think we may have to do a clean install of OS X to get round this.

Cronock Commented:
Something a little simpler may be to create a new user, log in as that user and see if it locks the machine out, then you might just rebuild the user data rather than install all new apps to save you a little time. If it still does it, at least you know it wasn't user-level and can then wipe the OS. Very interesting to say the least.

Inv-Forbes (Author) Commented:
Ah yes, I hadn't thought of that. I think we're just going to bite the bullet and do the clean install, but I'll try creating the lucyml account first just to see what happens.

Thanks. I'll report on the results.

Inv-Forbes (Author) Commented:
I tried creating a lucyml account with admin privs on the G4, rebooted and logged in with this account. Still had the problem. I tried creating a third account called test but still the same problem. So it must be some daemon that starts at boot which has got the lucyml credentials from somewhere?

We are now going to do a full clean install.
Thanks for your help.

Inv-Forbes (Author) Commented:
Re-installed Mac OS X.