How to identify what is causing login failure

Posted on 2009-02-09
Last Modified: 2012-05-06
I have a remote user who changed his password through an RDP session. Then he connected his VPN and changed the local password on his laptop. Since then his account continues to get locked. I completely removed his profile from the laptop, forced a password change (while the laptop was physically on the network) and recreated his Exchange profile. It worked fine for a few days and now it is doing the same thing. I am seeing the following errors in the security log.

Logon Failure:
       Reason:            Account locked out
       User Name:      <username>
       Domain:      <mydomainname>
       Logon Type:      8
       Logon Process:      Advapi  
       Authentication Package:      Negotiate
       Workstation Name:      Server-EXCH (this is the weird part. this is not his pc name. It is my exchange server name)
       Caller User Name:      Server-EXCH$
       Caller Domain:      <mydomainname>
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 4652
       Transited Services: -
       Source Network Address:
       Source Port:      54918

This appears to be a connection through Outlook to the Exchange server issue but I cannot find where it is broken.

Any help would be appreciated.

Question by:gf0326
    LVL 9

    Expert Comment

    Does this user have some 3rd party application that is trying to log in and access his Exchange account? For example, a Vista sidebar gadget that is checking for new emails?

    Author Comment

    No. The only thing that was out of the ordinary is that originally he was set up to access his email via RPC over HTTP. When I removed his Outlook and Windows profile from the machine I intentionally did not set that back up.
    LVL 4

    Accepted Solution

    If you use a lot of RDP, this user may have a running session on a server with the old credentials.

    Use the Microsoft Account Lockout tool to find where the lockout is occurring.

    Author Comment

    We do use a lot of RDP but I have it set to reset the connections after 1 hour. I verified in Terminal Service Manager he does not have a disconnected session.

    I ran the tool and it showed he was locked out. I unlocked and turned on netlogon logging. What else can I or should I do with this tool?
    LVL 3

    Expert Comment

    Logon type 8 means it's a network logon which is sending a clear-text password. The process it's talking about is "Logon Process: Advapi". It can be a virus. First scan for an Advapi virus.

    For all account lockout issues we should figure out the source that is sending the bad password. Enabling the Netlogon log will help you find the source machine.

    You can use Advapi in ASP scripts to send logon info.

    In your domain there is one ASP application which is sending the wrong password.

    The following link explains Advapi in ASP


    Author Closing Comment

    Once I ran the tool, there was a connection to the old data server still attempting to sync the 'My Documents' under a different user name. I was able to unlock the account and then delete the old server from the sync set on the workstation. Thanks for the help.
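
Added example, not part of the original thread: the Netlogon debug log mentioned above records each pass-through logon with the source computer and an NTSTATUS code, so tallying the failures for one account shows which machine keeps sending the stale password. The sample lines, the `EXAMPLE` domain and the host names are constructed, and the `SamLogon ... Returns 0x...` line layout is assumed to match what your domain controller writes to netlogon.log.

```python
import re
from collections import Counter

# NTSTATUS values that matter for lockout triage
STATUS = {
    0x0: "success",
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
    0xC0000064: "no such user",
}

# Assumed netlogon.log layout; "Entered" lines carry no status and are skipped.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: "
    r"(?:Transitive )?(?P<kind>\w+) logon of (?P<dom>[^\\]*)\\(?P<user>\S+) "
    r"from (?P<src>\S*)(?: \(via (?P<via>\S+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)"
)

def lockout_sources(lines, user):
    """Count failed logons for `user` per (source, via, status), most frequent first."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if not m or m["user"].lower() != user.lower():
            continue
        code = int(m["code"], 16)
        if code == 0:
            continue  # successful logons are not lockout evidence
        src = m["src"] or "(blank)"  # source can be empty, as in the event above
        hits[(src, m["via"] or "-", STATUS.get(code, hex(code)))] += 1
    return hits.most_common()

# Constructed sample lines (not taken from the thread)
SAMPLE = """\
02/09 09:14:02 [LOGON] SamLogon: Network logon of EXAMPLE\\jdoe from LAPTOP-07 Entered
02/09 09:14:02 [LOGON] SamLogon: Network logon of EXAMPLE\\jdoe from LAPTOP-07 Returns 0xC000006A
02/09 09:14:32 [LOGON] SamLogon: Network logon of EXAMPLE\\jdoe from LAPTOP-07 Returns 0xC000006A
02/09 09:15:02 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\\jdoe from LAPTOP-07 (via OLD-FILESRV) Returns 0xC0000234
02/09 09:15:40 [LOGON] SamLogon: Interactive logon of EXAMPLE\\asmith from DESK-12 Returns 0x0
02/09 09:16:10 [LOGON] SamLogon: Network logon of EXAMPLE\\jdoe from  Returns 0xC0000234
""".splitlines()

if __name__ == "__main__":
    for (src, via, status), count in lockout_sources(SAMPLE, "jdoe"):
        print(f"{count:3d}  {status:20s} from {src} via {via}")
```

A `via` host in the output is the server that relayed the logon to the domain controller, which is often the machine holding the stale connection.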
