I rolled out 50 new workstations with the same image. 2 users who got new workstations, Windows XP Pro sp2 in a Windows 2003 mixed domain, are experiencing account lockouts. The lockouts happen while the users are logged into their workstations working and the lockouts happen at different times for the users. The users have different login scripts, although they both get the same X drive mapping that maps to a share in a different Windows 2000 domain. I replaced their workstations with new imaged workstations and they are still experiencing the account lockouts. The event logs don't reveal a lot. The only things I see using eventcomb are krbtgt errors for preauthentication coming from their current workstations. I removed their old workstations from the domain. There are no open Terminal Service connections. There are no cached credentials on their workstations (this is prohibited by group policy). None of the services are running under any user accounts. The last event in the logs before the lockout is, and the lockout occurred at 4:34:34:
Event Type: Warning
Event Source: LSASRV
Event Category: SPNEGO (Negotiator)
Event ID: 40961
Time: 4:19:12 PM
The Security System could not establish a secured connection with the server ldap/serv1pdc.x.or/x.org@x
.org. No authentication protocol was available.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp
The netlogon.log shows:
02/18 16:34:33 [MAILSLOT] Received ping from x-034271 x.ORG (null) on UDP LDAP
02/18 16:34:33 [MAILSLOT] x: Ping response 'Sam Logon Response Ex' (null) to \\x-034271 Site: Default-First-Site-Name on UDP LDAP
I'm not really sure how to interpret any of this. I'm at a loss on what else I can check to find the root cause of the problem. The only thing I can think of is to delete the users account and recreate it, but I would rather not do that because I'd like to find the actual issue.
Any help is greatly appreciated.