• Status: Solved

Account being locked out every few minutes

We are using Windows 03 on a domain, with all the users using XP machines. On Friday, one of our users changed her password and now something is causing her account to be locked out on the local DC every few moments. She's not an Outlook user, and other than mapped drives there isn't any other reason we can think of that her PC should be trying to log on to the server so often. Is there a service or something that uses credentials to talk to the server that I don't know about?
 
Wes Miller, Information Technology Support, commented:
On her machine from command type:
netsh ras set tracing * enabled
Let her system be until the lockout occurs again; when it does, look at the tracing logs found in c:\windows\tracing to see what network activity was occurring at the time the lockout occurred, to find the cause.
To stop the tracing, from command type:  netsh ras set tracing * disabled
 
wes
 
dexIT commented:
Have you seen any security audit entries in eventvwr for this user?
 
adml_shake (author) commented:
Here is the output I got from running that for a few moments (it didn't take long to disable the account).
There was more, but it basically just repeated this over and over.  Thanks for the help.

[1692] 11:07:57: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1279
   Local subnet only:      False
[1692] 11:07:57: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1279
[1692] 11:07:57: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:07:57: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1279
   Local subnet only:      False
[1688] 11:08:01: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1280
   Local subnet only:      False
[1688] 11:08:01: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1280
[1688] 11:08:01: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:01: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1280
   Local subnet only:      False
[396] 11:08:02: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1281
   Local subnet only:      False
[396] 11:08:02: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1281
[396] 11:08:02: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:02: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1281
   Local subnet only:      False
[1692] 11:08:07: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1282
   Local subnet only:      False
[1692] 11:08:07: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1282
[1692] 11:08:07: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:07: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1282
   Local subnet only:      False
[1688] 11:08:12: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1283
   Local subnet only:      False
[1688] 11:08:12: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1283
[1688] 11:08:12: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:12: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1283
   Local subnet only:      False
[396] 11:08:17: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1284
   Local subnet only:      False
[396] 11:08:17: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1284
[396] 11:08:17: FwNotifyOnDeny: Wildcarded UDP port.
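Added example (not part of the original thread or any poster's code): a Python parser for the trace layout posted above that groups the `Denying dynamic port` records by process image and protocol and reports the count, port range and median gap between denials. The names `parse_records` and `summarize_denies` are hypothetical, and the sample is constructed to resemble the post.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

HEADER = re.compile(r"^\[?(\d+)\] (\d\d:\d\d:\d\d): (.*)$")  # "[" may be lost in a paste
DETAIL = re.compile(r"^\s+([^:]+):\s*(.*)$")
# Constructed sample in the layout of the trace posted in the thread.
SAMPLE = r"""
1692] 11:07:57: Denying dynamic port
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Protocol:            UDP
   Port number:            1279
[1692] 11:07:57: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:07:57: Removing dynamic port
[1688] 11:08:02: Denying dynamic port
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Protocol:            UDP
   Port number:            1280
[396] 11:08:07: Denying dynamic port
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Protocol:            UDP
   Port number:            1281
"""

def parse_records(text):
    """One dict per header line, carrying its indented 'Key: value' details."""
    records = []
    for line in text.splitlines():
        h, d = HEADER.match(line), DETAIL.match(line)
        if h:
            records.append({"time": h.group(2), "event": h.group(3)})
        elif d and records:
            records[-1][d.group(1).strip()] = d.group(2).strip()
    return records

def summarize_denies(text):
    """Group 'Denying dynamic port' records by (image, protocol)."""
    groups = defaultdict(list)
    for r in parse_records(text):
        if r["event"] == "Denying dynamic port" and "Port number" in r:
            key = (r.get("Process image filename", "?"), r.get("IP Protocol", "?"))
            groups[key].append((datetime.strptime(r["time"], "%H:%M:%S"), int(r["Port number"])))
    summary = {}
    for key, hits in groups.items():
        times, ports = zip(*hits)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        summary[key] = {"count": len(hits), "ports": (min(ports), max(ports)),
                        "median_gap_s": median(gaps) if gaps else None}
    return summary
print(summarize_denies(SAMPLE))
```

Run against a full trace file, the per-process count and gap can be lined up against the lockout times recorded on the DC.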

 
adml_shake (author) commented:
dexIT:

No, I looked in the security logs and the others but didn't see anything.
 
Wes Miller, Information Technology Support, commented:
Looks like lsass.exe is not able to obtain a proper handshake with the server.
That file has been known to be attacked by viruses, so I'd scan her system to make sure it is virus free.  See: http://www.softwarepatch.com/tips/isass.html
Microsoft's Malicious Software Removal Tool can also be installed to remove it: http://support.microsoft.com/kb/890830/
Wes
 
Wes Miller, Information Technology Support, commented:
Also see this link:  http://help.lockergnome.com/windows2/Help-finding-account-lockout-source--ftopict454078.html
Help in finding account lockout source

Solution:
Well I found it by sheer luck and coincidence. One of the techs called
me about a DHCP address reservation and as I was poking around the
server config I looked at the Advanced tab and then the credentials
button. Sure enough there was the offending account. I was having
trouble with Dynamic DNS and used this account to troubleshoot and
forgot all about it; sloppy administration. You would have thought
that somewhere in the logs it would have mentioned DHCP. It was also
why sometimes it would take an hour to lock the account (later in the
day) and sometimes it would lock in 5 minutes (in the morning).
Thanks for trying! Hopefully this will help someone.
 
Hope that helps you, Wes