need help with random account lockouts

Posted on 2009-04-17
Medium Priority
Last Modified: 2012-05-06
Our users at a particular site are receiving a strange account lockout problem where they will be working fine until their account locks out quite randomly.

there doesn't seem to be any pattern to this lockout, its very prevalant on a particular domain controller, but happens on all of them. The user will be working and will quite often notice that their account has locked by their browser telling them (bluecoat proxies run an agent on a dc to make sure user is allowed to browse).

This fix is a simple checkbox in AD U&C to unlock the account. But this is happening far too often to be a simple incorrect password. There are countless 675 errors on the DC in question and looking at them they all tell me bad password error.  but im not sure i believe that the user is constantly entering a bad password. im wondering if a process is entering the bad password for them?

any ideas on what to look at to get to the bottom of this?
Question by:dubwhizz

Author Comment

ID: 24168532
im seeing lots of 0x12 kerberos errors, workstation restriction or time restriction, but neither are configured other than for all workstations, all hours.

i've noticed that a few of the accounts being locked out are accounts that havent ever been logged onto, i.e. the account has "must change password at next logon" enabled.
LVL 57

Accepted Solution

Mike Kline earned 750 total points
ID: 24169940
It sounds like you may be dealing with the conficker worm,  from the random lockouts to the 675's in your logs.
 The DS team saw the same thing with the 675 errors here  http://blogs.technet.com/askds/archive/2009/04/16/conficker-causes-lsass-to-consume-cpu-time-on-domain-controllers.aspx
You need to scan your boxes with a good anti malware prgram, make sure you are patched up,  more info here

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question