Solved

MAC causing user account lockouts continuously

Posted on 2008-10-28
1,976 Views
Last Modified: 2013-12-05
We have a Windows 2000 domain server with a number of users defined in Active Directory.

Recently one user changed her network password on her PC, which was fine, but shortly afterwards she started getting locked out of her account. Looking at the security event log, we are seeing the following events for that account every 1-3 minutes:

Initially three times...

Event 681:
The logon to account: lucyml
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: ROSIE-G4-COMPUT
 failed. The error code was: 3221225578

Event 529:
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      lucyml
       Domain:            xxx
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ROSIE-G4-COMPUT

And then ...

Event 681:
The logon to account: lucyml
 by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 from workstation: ROSIE-G4-COMPUT
 failed. The error code was: 3221226036

and Event 539:

Logon Failure:
       Reason:            Account locked out
       User Name:      lucyml
       Domain:      xxx
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      ROSIE-G4-COMPUT

As you can see the user lucyml is now locked out. The source is an Apple MAC G4 running OS-X. The strange thing is that the main user of the MAC isn't lucyml, they use an account name of rosiecp on that MAC. So there must be some application or network connection on this MAC that is trying to connect to some domain resource using the lucyml account which is not the default login. These two users do work closely together and lucyml does sometimes do work on the G4 but both users insist they have not made any connections or installed any applications with the lucyml account!

My MAC knowledge is very limited. I have looked for any obvious network connections or applications but I am stumped. Our only solution so far is to unplug the MAC from the network so that we can unlock the lucyml account on the DC. Any suggestions would be greatly appreciated.
0
Question by:Inv-Forbes
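Added example, not part of the original thread: a small Python parser for the event 681 text quoted in the question. It decodes the decimal error codes into NTSTATUS values and groups failures by account and source workstation. The lockout threshold of 3 is an assumption based on the "three times" in the post, and the sample input is constructed from the quoted events.

```python
import re
from collections import defaultdict

# NTSTATUS values relevant to lockout triage (documented Windows status codes).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}

# Matches the body of a Windows 2000 event 681 as quoted in the question.
EVENT_681 = re.compile(
    r"logon to account:\s*(?P<user>\S+)\s+by:\s*\S+\s+"
    r"from workstation:\s*(?P<ws>\S+)\s+failed\.\s*"
    r"The error code was:\s*(?P<code>\d+)",
    re.IGNORECASE,
)

def decode(code):
    """Map the decimal code printed in event 681 to hex and an NTSTATUS name."""
    return "0x%08X" % code, NTSTATUS.get(code, "UNKNOWN")

def summarise(log_text, threshold=3):
    """Count bad-password failures per (account, workstation) and return the
    pairs that reach the assumed threshold or already report a lockout."""
    stats = defaultdict(lambda: {"bad_password": 0, "locked_out": False})
    for m in EVENT_681.finditer(log_text):
        name = decode(int(m["code"]))[1]
        entry = stats[(m["user"].lower(), m["ws"].upper())]
        if name == "STATUS_WRONG_PASSWORD":
            entry["bad_password"] += 1
        elif name == "STATUS_ACCOUNT_LOCKED_OUT":
            entry["locked_out"] = True
    return {k: v for k, v in stats.items()
            if v["locked_out"] or v["bad_password"] >= threshold}

# Constructed sample: the two event 681 bodies from the post, the first one
# repeated three times as the poster describes.
FAIL = ("The logon to account: lucyml\n"
        " by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
        " from workstation: ROSIE-G4-COMPUT\n"
        " failed. The error code was: 3221225578\n")
LOCK = FAIL.replace("3221225578", "3221226036")
SAMPLE = FAIL * 3 + LOCK

if __name__ == "__main__":
    for (user, ws), info in summarise(SAMPLE).items():
        print(user, ws, info)
```

The two codes in the post decode to 0xC000006A (wrong password) followed by 0xC0000234 (account locked out), which is the pattern a stale stored credential produces.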
11 Comments
 
LVL 70

Expert Comment

by:KCTS
ID: 22822087
I suspect that the MAC is trying to connect to a share on the server and is using a stored username/password as credentials to access the share - this will generate a logon failure if the password has been changed and may lock the account if the threshold is exceeded.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22822197
Yes, I had assumed that was the problem as it only started when lucyml changed her password recently. How do I find out what's causing the connection? There are no network devices on the desktop. Is there any way to list network connections to show the credentials in use?
0
 
LVL 7

Expert Comment

by:kguy18
ID: 22823635
You can look in the user's keychain to see all the saved passwords in use, and the certificates that the computer is using as well. Sometimes when you change your domain password it's not always updated in the keychain. You can get to the keychain by: Applications > Utilities > Keychain Access

Hope that helps.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22839487
Thanks,

I checked the Keychain as advised but it only contains the details for the main user. No other certificates or anything that suggests lucyml had access from this machine. I spent some time going through all the configuration files in /etc looking for any reference to the lucyml account but still nothing.

I'm completely stumped.
0
 
LVL 1

Expert Comment

by:Cronock
ID: 22908033
I know you said that you've checked the keychain, so this may be irrelevant. We had a similar issue when users were connecting with Entourage. Entourage would keep trying to connect with the user's old password, which was not saved, without error warnings. This would immediately lock out that account without any obvious error.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22920139
OK, thanks. I'll have a look, but I don't think they are using Entourage. I'll check anyway.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22920963
Entourage hadn't been used, there were no accounts defined in it. The user seems to be using Outlook Express running under MAC OS 9.x in emulation for some reason. Again I checked the accounts but it only has the rosiecp user defined not the lucyml account. I think we may have to do a clean install of OS X to get round this.
0
 
LVL 1

Expert Comment

by:Cronock
ID: 22923426
Something a little simpler may be to create a new user, login as that user and see if it locks the machine out, then you might just rebuild the user data rather than install all new apps to save you a little time.  If it still does it, at least you know it wasn't user-level and can then wipe the OS.  Very interesting to say the least.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22928673
Ah yes, I hadn't thought of that. I think we're just going to bite the bullet and do the clean install, but I'll try creating the lucyml account first just to see what happens.

Thanks. I'll report on the results.
0
 
LVL 1

Author Comment

by:Inv-Forbes
ID: 22931454
I tried creating a lucyml account with admin privs on the G4, rebooted and logged in with this account. Still had the problem. I tried creating a third account called test but still the same problem. So it must be some daemon that starts at boot which has got the lucyml credentials from somewhere?

We are now going to do a full clean install.
Thanks for your help.
0
 
LVL 1

Accepted Solution

by:
Inv-Forbes earned 0 total points
ID: 23040877
Re-installed MAC OS-X.
0
