I'm pretty well versed in tracking down account lockouts in a Windows domain. In fact, I'm tracing such an issue several times a week, as we have a pretty strict password policy that forces users to change their password every 42 days. However, I've run across such an issue that I cannot seem to narrow down.
I have a user, a server administrator, whose account locks every night at 10 PM. I cannot for the life of me track where the bad passwords are coming from.
I make extensive use of the MS Account Lockout tools, but EventComb is not being any help.
I've narrowed the problem down to several Event ID 680 events (attached as a code snippet). It would seem these are NTLM authentication attempts; however, the problem is that no source workstation is listed! This is what I usually go by to find the culprit machine.
If I have no machine listed to investigate, how can I possibly track this down? Are there any tools with which I can set up scheduled captures of login information? Is there some additional logging I can configure to better trap this failed logon attempt? The DC event logs are just no help here.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Time: 10:00:33 PM
User: NT AUTHORITY\SYSTEM
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: MyUserName
Error Code: 0xC000006A
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.