

Troubleshooting Account Lockouts in Domain

I have an account in our domain that gets locked out on a daily basis, and I'm trying to track down why.  I know you can look in the Security Logs on the DC, which I have, but I must not be looking at the correct info.  It is also possible that the user could be logged in through Terminal Services somewhere else, but we have multiple domains and tons of servers.  It could also be a mapped drive somewhere on another machine that is using an old password - I'm sure you folks know all the causes.

The problem is I can't seem to track it down.  Event ID 644 isn't logged, and I was also searching for 529, 675, 676, 681 and 12294 (using eventcombmt.exe).  Nothing really cut and dry, but this seems to be a frequent entry for this one -

676      AUDIT FAILURE      Security      Wed Feb 18 13:12:53 2009      NT AUTHORITY\SYSTEM      Authentication Ticket Request Failed:     User Name: xxxxx     Supplied Realm Name: xxxxxx.COM     Service Name: krbtgt/xxxxxxx.COM     Ticket Options: 0x40810010     Failure Code: 0x12     Client Address: xxxxxxxxxx

(edited some)

Our primary DC is Windows 2000 and our backup is 2003.  Domain type is Windows 2000.

But I don't think that would be causing lockouts.  Failure code 0x12 usually points to time of day restrictions for the user or the computer, or a time sync problem but I have verified all that.  Of course, I could be going in the wrong direction here too.  I would prefer not to use a 3rd party utility since obviously the tools in place work I'm just not finding what I need.

Any help is greatly appreciated!
0
1 Solution
 
wantabe2Commented:
Take a look at these. Too many options to post here. Surely one of the things listed here will send you in the right direction:

http://www.mail.nih.gov/user/faq/AccountLockouts.htm

0
 
zelron22Commented:
Have you followed up on the client address?
0
 
rosederekjAuthor Commented:
The client address is the PC of the user who is being locked out.  I'm aware of most of those causes Wantabe2, but I guess I'm asking is if there is a place I can look that's telling me which one it is.  I would doubt it's a hotfix problem, as he is the only user but I guess it's possible.  All hotfixes are through WUS and most machines are current.  

For instance, say there was a service running with his ID somewhere or a mapped drive somewhere, how could I find out?  I looked at the services on his machine and they are all "Local System" or "network service".  Should be noted that his machine has a local account with the same name as his domain account.
0

 
bcoyxpCommented:
Have you monitored the frequency of lockouts?

Be aware that the "Conficker worm" is in the wild... you may check your domain and isolate the problematic machine right away, for your own security. Most of all, update your antivirus.

Try to check that BITS is not stopped. If so, a possible infection has occurred.

Our enterprise domain (more than 5000) has been affected by the worm; luckily we were able to isolate the infected machines.

Regards,
0
 
zelron22Commented:
Yeah, there is also plenty of spyware, trojans, etc. that can do that.  You can either try to scan the machine and fix it or just flatten it and rebuild it if you have it imaged.
0
 
wantabe2Commented:
0
 
rosederekjAuthor Commented:
BITS is started on the machine, and I recognize it could be virii/spyware.  Maybe I'm asking the question wrong.

Regardless of the cause, the account exists and is being locked out on the domain controller.  Where can I look or what specific event IDs can I look at, that will tell me what from the machine is causing it?
0
 
zelron22Commented:
It's the machine with the client address in the audit record.  Take that machine off of the network, and unlock the account.  I bet it won't lock up again.
0
 
rosederekjAuthor Commented:
Is that a practical solution though?  Is there a way I can find out what on the machine is actually doing it?  How do we know that the machine is the culprit?  Is the Event ID that I posted the correct entry?
0
 
AmericomCommented:
This tool can help you troubleshoot the root cause of the account lockout:
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
0
 
rosederekjAuthor Commented:
I have started using those - most notably AcctInfo.dll and eventcombmt.exe - maybe I need to look into alockout.dll a little more and run that from this machine in question.  Would you agree or is there a better approach or another tool?
0
 
zelron22Commented:
How do we know the machine is the culprit?

676      AUDIT FAILURE      Security      Wed Feb 18 13:12:53 2009      NT AUTHORITY\SYSTEM      Authentication Ticket Request Failed:     User Name: xxxxx     Supplied Realm Name: xxxxxx.COM     Service Name: krbtgt/xxxxxxx.COM     Ticket Options: 0x40810010     Failure Code: 0x12     Client Address: xxxxxxxxxx

This is a pretty good indicator that the machine with the client address: xxxxxxxx is the culprit.  To solve any problem, you need to isolate it.  Taking the machine off of the network isolates the problem.  If you take the machine off of the network and unlock the account, and it doesn't lock-out again, then it's pretty clear that it's something on the machine.

Then, you can either start running AV, anti-spyware, or if time is valuable to you, wipe the machine clean and reinstall the OS.  
0
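The 676 record quoted above can be triaged programmatically rather than by eye. The following is an added example, not code from this thread or from any of the Microsoft tools mentioned in it: it parses constructed records laid out like the quoted line (tabs or runs of three or more spaces as separators, which is an assumption about the export format), decodes the Kerberos failure code using the KDC error codes from RFC 4120 (0x12 is KDC_ERR_CLIENT_REVOKED, which the KDC returns for an account that is locked out, disabled, expired, or outside its logon hours), groups failures for one account by Client Address, and measures how regularly each address retries, since a steady interval is the signature of a service, scheduled task or saved credential rather than a person typing. The account name, realm and addresses in the sample are made up.

```python
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Kerberos KDC error codes from RFC 4120 section 7.5.9, written as the hex
# strings that event 675/676 records carry in their "Failure Code" field.
KDC_FAILURE_CODES = {
    "0x6": "KDC_ERR_C_PRINCIPAL_UNKNOWN (user name not found)",
    "0x12": "KDC_ERR_CLIENT_REVOKED (account locked out, disabled, expired, or outside logon hours)",
    "0x17": "KDC_ERR_KEY_EXPIRED (password expired)",
    "0x18": "KDC_ERR_PREAUTH_FAILED (wrong password)",
    "0x25": "KRB_AP_ERR_SKEW (clock skew too great)",
}

# Constructed sample records in the layout of the 676 line quoted in the thread
# (fields separated by runs of spaces). Account names and addresses are made up.
SAMPLE_LINES = [
    "676      AUDIT FAILURE      Security      Wed Feb 18 13:12:53 2009      NT AUTHORITY\\SYSTEM      Authentication Ticket Request Failed:     User Name: jdoe     Supplied Realm Name: CORP.COM     Service Name: krbtgt/CORP.COM     Ticket Options: 0x40810010     Failure Code: 0x12     Client Address: 10.0.0.25",
    "676      AUDIT FAILURE      Security      Wed Feb 18 13:27:53 2009      NT AUTHORITY\\SYSTEM      Authentication Ticket Request Failed:     User Name: jdoe     Supplied Realm Name: CORP.COM     Service Name: krbtgt/CORP.COM     Ticket Options: 0x40810010     Failure Code: 0x12     Client Address: 10.0.0.25",
    "676      AUDIT FAILURE      Security      Wed Feb 18 13:42:53 2009      NT AUTHORITY\\SYSTEM      Authentication Ticket Request Failed:     User Name: jdoe     Supplied Realm Name: CORP.COM     Service Name: krbtgt/CORP.COM     Ticket Options: 0x40810010     Failure Code: 0x12     Client Address: 10.0.0.25",
    "675      AUDIT FAILURE      Security      Wed Feb 18 13:20:00 2009      NT AUTHORITY\\SYSTEM      Pre-authentication failed:     User Name: jdoe     User ID: CORP\\jdoe     Service Name: krbtgt/CORP.COM     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 10.0.0.40",
    "676      AUDIT FAILURE      Security      Wed Feb 18 13:30:10 2009      NT AUTHORITY\\SYSTEM      Authentication Ticket Request Failed:     User Name: asmith     Supplied Realm Name: CORP.COM     Service Name: krbtgt/CORP.COM     Ticket Options: 0x40810010     Failure Code: 0x18     Client Address: 10.0.0.77",
    "528      AUDIT SUCCESS      Security      Wed Feb 18 13:31:00 2009      CORP\\jdoe      Successful Logon:     User Name: jdoe     Domain: CORP     Logon Type: 2",
]


def parse_event_line(line):
    """Parse one exported security-log record into a dict; None if it is not one."""
    # Assumed export layout: fixed columns, then "Key: Value" pairs, separated by
    # tabs or runs of three or more spaces (single spaces occur inside values).
    parts = re.split(r"\t|\s{3,}", line.strip())
    if len(parts) < 6 or not parts[0].isdigit():
        return None
    try:
        stamp = datetime.strptime(parts[3], "%a %b %d %H:%M:%S %Y")
    except ValueError:
        return None
    event = {
        "event_id": int(parts[0]),
        "type": parts[1],
        "source": parts[2],
        "timestamp": stamp,
        "account": parts[4],
    }
    for field in parts[5:]:
        key, sep, value = field.partition(":")
        if not sep:
            continue
        if value.strip():
            event[key.strip().lower().replace(" ", "_")] = value.strip()
        else:
            # A trailing-colon field with no value is the record's description text
            event["description"] = key.strip()
    return event


def summarize_lockout_candidates(lines, account):
    """Group Kerberos failures (events 675/676) for one account by client address."""
    by_address = defaultdict(list)
    for line in lines:
        ev = parse_event_line(line)
        if ev is None or ev["event_id"] not in (675, 676):
            continue
        if ev.get("user_name", "").lower() != account.lower():
            continue
        by_address[ev.get("client_address", "unknown")].append(ev)

    summary = {}
    for addr, events in by_address.items():
        times = sorted(ev["timestamp"] for ev in events)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        codes = Counter(ev.get("failure_code", "?") for ev in events)
        summary[addr] = {
            "count": len(events),
            "first": times[0],
            "last": times[-1],
            # Median gap between consecutive failures; a steady value points at an automated retry
            "typical_interval_minutes": statistics.median(gaps) if gaps else None,
            "failure_codes": {c: (n, KDC_FAILURE_CODES.get(c, "unknown code")) for c, n in codes.items()},
        }
    return summary


if __name__ == "__main__":
    for addr, info in summarize_lockout_candidates(SAMPLE_LINES, "jdoe").items():
        print(addr, info["count"], "failures", info["first"], "->", info["last"],
              "every", info["typical_interval_minutes"], "min")
        for code, (n, meaning) in info["failure_codes"].items():
            print("   ", code, n, meaning)
```

Run against a real eventcombmt export, the address with the most 0x12 failures at a fixed cadence is the machine to examine first; a 0x18 (wrong password) that precedes the 0x12 run on the same address is what to look for to confirm a stale saved credential, and 0x25 points at clock skew rather than a bad password.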
 
rosederekjAuthor Commented:
Alockout.txt does not seem to get created on Windows Vista after everything before that is set up.  Is this a known issue?
0
 
rosederekjAuthor Commented:
Sorry to bump my own question - just looking to see if anyone has been able to get alockout.txt created on Vista?  I have it working on XP but it won't create on Vista.  
0
 
zelron22Commented:
Vista is not listed among the supported operating systems for alockout.

0
 
rosederekjAuthor Commented:
Thanks Zelron - I thought not.  Do you know of another method I can use to troubleshoot this on the client side?
0
 
zelron22Commented:
If you're not finding any spyware, or scheduled tasks, or services which are trying to use the users account, I'd just wipe the machine and reload it.  Some viruses/worms/etc. disable antivirus and make it very hard to find them.

If you really want to see what's happening, use a packet sniffer and look at the packets.  Either load it on the machine, or plug the machine into a hub (not a switch) and another machine with the packet sniffer on it also into the hub.  That might give you a better idea.  

Good luck.
0
 
rosederekjAuthor Commented:
Interestingly enough it was caused by a misconfiguration of SQL Query Analyzer - once that was fixed the lockouts no longer occurred.  Thanks everyone!
0
