I have an account in our domain that gets locked out on a daily basis, and I'm trying to track down as to why. I know you can look in the Security Logs on the DC, which I have, but must not be looking at the correct info. It also is possible that the user could be logged in through Terminal Services somewhere else, but we have multiple domains and tons of servers. It could also be a mapped drive somewhere on another machine that is using an old password - I'm sure you folks know all the causes.
The problem is I can't seem to track it down. Event ID 644 isn't logged, and I was also searching for 529, 675, 676, 681 and 12294 (using eventcombmt.exe). Nothing really cut and dry, but it seems to be a frequenty entry for this one -
676 AUDIT FAILURE Security Wed Feb 18 13:12:53 2009 NT AUTHORITY\SYSTEM Authentication Ticket Request Failed: User Name: xxxxx Supplied Realm Name: xxxxxx.COM Service Name: krbtgt/xxxxxxx.COM Ticket Options: 0x40810010 Failure Code: 0x12 Client Address: xxxxxxxxxx
Our primary DC is Windows 2000 and our Backup is 2003. Domain type is Windows 2000
But I don't think that would be causing lockouts. Failure code 0x12 usually points to time of day restrictions for the user or the computer, or a time sync problem but I have verified all that. Of course, I could be going in the wrong direction here too. I would prefer not to use a 3rd party utility since obviously the tools in place work I'm just not finding what I need.
Any help is greatly appreciated!