Need help with random account lockouts

Posted on 2009-04-17
Last Modified: 2012-05-06
Our users at a particular site are receiving a strange account lockout problem where they will be working fine until their account locks out quite randomly.

There doesn't seem to be any pattern to this lockout; it's very prevalent on a particular domain controller, but happens on all of them. The user will be working and will quite often notice that their account has locked by their browser telling them (Bluecoat proxies run an agent on a DC to make sure the user is allowed to browse).

The fix is a simple checkbox in AD U&C to unlock the account. But this is happening far too often to be a simple incorrect password. There are countless 675 errors on the DC in question, and looking at them they all tell me bad password error. But I'm not sure I believe that the user is constantly entering a bad password. I'm wondering if a process is entering the bad password for them?

Any ideas on what to look at to get to the bottom of this?
Question by: dubwhizz

    Author Comment

    I'm seeing lots of 0x12 Kerberos errors, workstation restriction or time restriction, but neither are configured other than for all workstations, all hours.

    I've noticed that a few of the accounts being locked out are accounts that haven't ever been logged onto, i.e. the account has "must change password at next logon" enabled.

    Accepted Solution

    It sounds like you may be dealing with the Conficker worm, from the random lockouts to the 675s in your logs.
    The DS team saw the same thing with the 675 errors here
    You need to scan your boxes with a good anti-malware program, and make sure you are patched up; more info here
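
An added example, not part of the original thread: one way to find where the bad passwords come from is to group the event 675 records by Client Address and count how many distinct accounts each source failed against, since a user mistyping a password hits one account while an automated process hits many. The sample records are constructed, and the one-event-per-line layout (an export of the 675 description text) and the function names are assumptions.

```python
import re
from collections import Counter, defaultdict

# Failure codes named in the thread (Kerberos error numbers, RFC 4120).
FAILURE_CODES = {
    "0x18": "pre-authentication failed (bad password)",
    "0x12": "client credentials revoked (locked out, disabled or restricted)",
}

FIELDS = re.compile(
    r"User Name:\s*(?P<user>\S+).*?"
    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+).*?"
    r"Client Address:\s*(?P<src>\S+)"
)

# Constructed sample: one flattened event 675 description per line.
SAMPLE_EVENTS = """\
User Name: jsmith Service Name: krbtgt/CORP Failure Code: 0x18 Client Address: 10.1.4.20
User Name: jsmith Service Name: krbtgt/CORP Failure Code: 0x18 Client Address: 10.1.7.55
User Name: adavis Service Name: krbtgt/CORP Failure Code: 0x18 Client Address: 10.1.7.55
User Name: newhire01 Service Name: krbtgt/CORP Failure Code: 0x18 Client Address: 10.1.7.55
User Name: newhire01 Service Name: krbtgt/CORP Failure Code: 0x12 Client Address: 10.1.7.55
User Name: mbrown Service Name: krbtgt/CORP Failure Code: 0x18 Client Address: 10.1.7.55
User Name: adavis Service Name: krbtgt/CORP Failure Code: 0x12 Client Address: 10.1.9.3
"""

def tally_by_source(text):
    """Map each client address to the accounts and failure codes it produced."""
    sources = defaultdict(lambda: {"users": set(), "codes": Counter()})
    for line in text.splitlines():
        m = FIELDS.search(line)
        if not m:
            continue  # not a 675 record, or a truncated one
        entry = sources[m["src"]]
        entry["users"].add(m["user"].lower())
        entry["codes"][m["code"].lower()] += 1
    return sources

def multi_account_sources(text, min_users=3):
    """Client addresses failing against many distinct accounts, worst first."""
    hits = [(src, len(e["users"]), dict(e["codes"]))
            for src, e in tally_by_source(text).items()
            if len(e["users"]) >= min_users]
    return sorted(hits, key=lambda h: (-h[1], -sum(h[2].values()), h[0]))

if __name__ == "__main__":
    for src, users, codes in multi_account_sources(SAMPLE_EVENTS):
        detail = "; ".join(f"{n} x {FAILURE_CODES.get(c, c)}" for c, n in codes.items())
        print(f"{src}: {users} accounts -> {detail}")
```

A source that appears here is the machine to pull off the network and scan first; accounts that have never been logged onto showing up in its list point to a process rather than a person.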
