Help with account lockout issue (very strange)

Posted on 2009-12-22
Last Modified: 2012-05-08
I'm pretty well versed on tracking down account lockouts in a Windows domain.  In fact I'm tracing such an issue several times a week as we have a pretty strict password policy that forces users to change pw every 42 days.  However I've run across such an issue that I cannot seem to narrow down.

I have a user, a server administrator, whose account locks every night at 10 PM.  I cannot for the life of me track where the bad passwords are coming from.

I make extensive use of the MS Account Lockout tools, but eventcomb is not being any help.

I've narrowed the problem down to several Event ID 680 events (attached as code snippet).  It would seem these are NTLM authentication attempts, however the problem is no source workstation is listed!  This is what I usually go by to find the culprit machine.

If I have no machine listed to investigate, how can I possibly track this down?  Are there any tools that I can set up scheduled captures of login information?  Is there some additional logging I can configure to better trap this failed logon attempt?  The DC event logs are just no help here.

Event Type:     Failure Audit
Event Source:   Security
Event Category: Account Logon
Event ID:       680
Date:           12/21/2009
Time:           10:00:33 PM
Computer:       NOAMIND01DCX01

 Logon account:         MyUserName
 Source Workstation:
 Error Code:            0xC000006A

For more information, see Help and Support Center at


Question by:MMcDonald
    LVL 17

    Expert Comment

    Hi Mathew,

    I have similar issues in our domain and I can surely suggest that you try to use the Account Lockout Examiner tool, which can track which machine/service/scheduled task, etc., bad password attempts are coming from.
    There's a 20 day evaluation period which should be enough for you to find the problematic machine:
    LVL 12

    Expert Comment

    The other question to go through is "What happens at 10 PM?". Backup jobs executing, overnight script processing, etc.? Maybe this can help identify which host is causing the lockout.

    Author Comment

    Thanks for the suggestion.  I'm looking into it now.

    This is of course one of the first questions I ask as an enterprise administrator.  Unfortunately there's no easy answer there.  We have over 500 servers in the environment in countries all over the world.  There are different backup schedules running at any given site (some backups run all throughout the night).  It could very well be a script/scheduled task, but the problem is identifying *where* they are running.  We can usually track this down by the data the event logs provide.  In this case, there is no information to go on in the event logs.

    The only thing I have right now, is the lockout seems to always happen on a DC in a particular site.  That should help me narrow it down, but I still have a hundred or more servers in this site alone as it is a core hub site for the entire enterprise.  Many satellite sites utilize this core site for various services, i.e. domain authentication, so that ups the complexity.

    Author Comment

    Well, I tried the NetWrix Account Lockout Examiner tool that was suggested and that was a bust.  It basically tells me the same thing I've already found in the event logs:  The account was locked.

    It fails to list the workstation that actually sent the bad passwords!!  This information is not being logged, at all.

    I'm stumped on where to go from here.
    LVL 12

    Expert Comment

    How about something off the domain? PDA, Smart Phone, web service, etc.? I'm thinking these access attempts would fail to record a source workstation.

    Author Comment

    I guess that's possible, but it seems unlikely.  A PDA contacts a server somewhere (be it OWA, or some other web service).  That server is what handles the authentication and the DC logs should reflect the authentication request coming from that server.

    The domain is supposed to log all authentication attempts and where they come from.  That seems like a pretty big security risk, and a complete waste of auditing if there are ways to circumvent the recording of authentication requests.
    LVL 7

    Expert Comment

    Did you enable debug logging for the Net Logon service on the domain controller NOAMIND01DCX01?

    Accepted Solution

    Actually yes, after not getting anywhere, I did indeed turn on debug logging for the Net Logon Service.  That did get me farther than I was, as I could see the bad logons were being passed transitively from another DC (why the event log didn't log this kind of information is beyond me).

    Ultimately it led me to a particular DC, but the netlogon logs for that particular DC didn't show *anything*.  It was as if that DC itself was sending the bad lockout information.

    Ultimately, just by a stroke of luck, my admin (who was getting locked) stumbled upon the culprit.  It turns out it was his account being tied to our Tripwire monitoring.  He saw logon errors in some SQL logs while parsing them.
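
A way to act on the Net Logon debug log described in the accepted solution, as an added example that is not part of the original thread: it pulls one account's failed logons out of netlogon.log and counts the host each was received from or relayed via. The log lines are constructed in the usual netlogon.log layout; the EXAMPLE domain and the EXAMPLEDC02, EXAMPLESRV07 and WKS0042 hosts are invented.

```python
import re
from collections import Counter

# Constructed sample in the netlogon.log layout (%windir%\debug\netlogon.log).
# EXAMPLE, EXAMPLEDC02 and EXAMPLESRV07 are invented; a blank name after
# "from" is the missing source workstation the thread describes.
SAMPLE_LOG = r"""
12/21 09:15:02 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\MyUserName from EXAMPLESRV07 Returns 0x0
12/21 21:59:58 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jsmith from WKS0042 Returns 0xC000006A
12/21 22:00:33 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\MyUserName from  (via EXAMPLEDC02) Entered
12/21 22:00:33 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\MyUserName from  (via EXAMPLEDC02) Returns 0xC000006A
12/21 22:00:34 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\MyUserName from  (via EXAMPLEDC02) Returns 0xC000006A
12/21 22:00:35 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\MyUserName from  (via EXAMPLEDC02) Returns 0xC0000234
"""

# Only completed attempts ("Returns <status>") are matched; "Entered" lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\S+: )?SamLogon: "
    r"(?P<kind>Transitive Network|Network|Interactive) logon of "
    r"(?P<account>\S+) from (?P<src>\S*) ?(?:\(via (?P<via>[^)]+)\) )?"
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# NTSTATUS values relevant to a lockout hunt.
BAD_STATUSES = {"0xC000006A": "wrong password", "0xC0000234": "account locked out"}

def failed_logons(log_text, user):
    """Return (timestamp, source, via, status) for each failed logon of `user`."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["account"].split("\\")[-1].lower() != user.lower():
            continue
        status = "0x" + m["status"][2:].upper()
        if status in BAD_STATUSES:
            hits.append((m["ts"], m["src"] or None, m["via"], status))
    return hits

def next_hops(hits):
    """Count where to look next: the source if logged, else the relaying host."""
    return Counter(src or via or "(no source or relay logged)" for _, src, via, _ in hits)

if __name__ == "__main__":
    hits = failed_logons(SAMPLE_LOG, "MyUserName")
    for ts, src, via, status in hits:
        print(ts, src or "<blank>", "via", via, status, BAD_STATUSES[status])
    print(next_hops(hits).most_common())
```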
