account lockout

I have recently found a user that is being locked out-what seems about every hour.  i used the eventcombs and accountlockout status to determine where and what.
today I found on one of my 2003 servers this user was locked out with a 644 code after getting three of these;
events 675 three times.
Pre-authentication failed:
       User Name:      user1
       User ID:            domain\user1
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      127.0.0.1


I have been reading alot of entries about services and scheduled tasks - which there are none at this point for this user.  in addition- I am confused by the "client address" this is comming from.

looking at the event log closed- authentication for this user is being initiated by "stystem".

not sure where to go for this now....suggestions comments.
dtooth71Asked:
Who is Participating?
 
dtooth71Connect With a Mentor Author Commented:
i found the service that was locking the ccount out.
0
 
NikSystems SpecialistCommented:
You can use alockout.dll along with the locoutstatus.exe tool on the user's workstation, which should help  with figuring out what's going on with this specific account.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Regards,
Nik
0
 
dtooth71Author Commented:
I used the tools to get to the point I am now- the client address is 127.0.0.1 and this is coming from a server machine that I can not install these tools....
0
 
dtooth71Author Commented:
does anyone have an idea about the lockout comming from lookback address?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.