Solved

account lockout

Posted on 2009-04-10
4
241 Views
Last Modified: 2012-05-06
I have recently found a user that is being locked out-what seems about every hour.  i used the eventcombs and accountlockout status to determine where and what.
today I found on one of my 2003 servers this user was locked out with a 644 code after getting three of these;
events 675 three times.
Pre-authentication failed:
       User Name:      user1
       User ID:            domain\user1
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      127.0.0.1


I have been reading alot of entries about services and scheduled tasks - which there are none at this point for this user.  in addition- I am confused by the "client address" this is comming from.

looking at the event log closed- authentication for this user is being initiated by "stystem".

not sure where to go for this now....suggestions comments.
0
Comment
Question by:dtooth71
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 17

Expert Comment

by:Nik
ID: 24117345
You can use alockout.dll along with the locoutstatus.exe tool on the user's workstation, which should help  with figuring out what's going on with this specific account.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Regards,
Nik
0
 

Author Comment

by:dtooth71
ID: 24117690
I used the tools to get to the point I am now- the client address is 127.0.0.1 and this is coming from a server machine that I can not install these tools....
0
 

Author Comment

by:dtooth71
ID: 24129383
does anyone have an idea about the lockout comming from lookback address?
0
 

Accepted Solution

by:
dtooth71 earned 0 total points
ID: 24148900
i found the service that was locking the ccount out.
0

Featured Post

Revamp Your Training Process

Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

While rebooting windows server 2003 server , it's showing "active directory rebuilding indices please wait" at startup. It took a little while for this process to complete and once we logged on not all the services were started so another reboot is …
In-place Upgrading Dirsync to Azure AD Connect
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question