need help with random account lockouts

Our users at a particular site are receiving a strange account lockout problem where they will be working fine until their account locks out quite randomly.

there doesn't seem to be any pattern to this lockout, its very prevalant on a particular domain controller, but happens on all of them. The user will be working and will quite often notice that their account has locked by their browser telling them (bluecoat proxies run an agent on a dc to make sure user is allowed to browse).

This fix is a simple checkbox in AD U&C to unlock the account. But this is happening far too often to be a simple incorrect password. There are countless 675 errors on the DC in question and looking at them they all tell me bad password error.  but im not sure i believe that the user is constantly entering a bad password. im wondering if a process is entering the bad password for them?

any ideas on what to look at to get to the bottom of this?
Who is Participating?
Mike KlineCommented:
It sounds like you may be dealing with the conficker worm,  from the random lockouts to the 675's in your logs.
 The DS team saw the same thing with the 675 errors here
You need to scan your boxes with a good anti malware prgram, make sure you are patched up,  more info here
dubwhizzAuthor Commented:
im seeing lots of 0x12 kerberos errors, workstation restriction or time restriction, but neither are configured other than for all workstations, all hours.

i've noticed that a few of the accounts being locked out are accounts that havent ever been logged onto, i.e. the account has "must change password at next logon" enabled.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.