[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now

x
?
Solved

account lockout

Posted on 2009-04-10
4
Medium Priority
?
244 Views
Last Modified: 2012-05-06
I have recently found a user that is being locked out-what seems about every hour.  i used the eventcombs and accountlockout status to determine where and what.
today I found on one of my 2003 servers this user was locked out with a 644 code after getting three of these;
events 675 three times.
Pre-authentication failed:
       User Name:      user1
       User ID:            domain\user1
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      127.0.0.1


I have been reading alot of entries about services and scheduled tasks - which there are none at this point for this user.  in addition- I am confused by the "client address" this is comming from.

looking at the event log closed- authentication for this user is being initiated by "stystem".

not sure where to go for this now....suggestions comments.
0
Comment
Question by:dtooth71
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
4 Comments
 
LVL 17

Expert Comment

by:Nik
ID: 24117345
You can use alockout.dll along with the locoutstatus.exe tool on the user's workstation, which should help  with figuring out what's going on with this specific account.

http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Regards,
Nik
0
 

Author Comment

by:dtooth71
ID: 24117690
I used the tools to get to the point I am now- the client address is 127.0.0.1 and this is coming from a server machine that I can not install these tools....
0
 

Author Comment

by:dtooth71
ID: 24129383
does anyone have an idea about the lockout comming from lookback address?
0
 

Accepted Solution

by:
dtooth71 earned 0 total points
ID: 24148900
i found the service that was locking the ccount out.
0

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
A bad practice commonly found during an account life cycle is to set its password to an initial, insecure password. The Password Reset Tool was developed to make the password reset process easier and more secure.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question