• Status: Solved

User continuously getting locked out every 40 minutes

I have a single user that keeps getting locked out every 40 minutes or so. I am using the NetWrix app and I can see where the "Bad Pwd Count" increments every 4 minutes or so. At 10, due to policy, the user is locked out. According to NetWrix, the workstation sending the bad passwords is "Emailserver" which is, just as it sounds, our Exchange 2003 server. This is further verified by the Audit Failures in the event viewer:

Logs created in ADC1
____________________
Time written: 8/31/2010 10:09:46 AM
User :NT AUTHORITY\SYSTEM
Event code :675
Log :Security
Source :Security
Type :Audit Failure
Pre-authentication failed:
      User Name:      jdoe
      User ID:            DOMAINNAME\jdoe
      Service Name:      krbtgt/domainname
      Pre-Authentication Type:      0x2
      Failure Code:      0x18
      Client Address:      192.168.1.7

****************************
Logs created in ADC2
____________________
Time written: 8/31/2010 10:09:46 AM
User :NT AUTHORITY\SYSTEM
Event code :675
Log :Security
Source :Security
Type :Audit Failure
Pre-authentication failed:
      User Name:      jdoe
      User ID:            DOMAINNAME\jdoe
      Service Name:      krbtgt/domainname
      Pre-Authentication Type:      0x2
      Failure Code:      0x18
      Client Address:      192.168.1.8

****************************
Logs created in ADC3
____________________
Time written: 8/29/2010 1:26:52 AM
User :NT AUTHORITY\SYSTEM
Event code :675
Log :Security
Source :Security
Type :Audit Failure
Pre-authentication failed:
      User Name:      Bmcgee
      User ID:            GWBLAWFIRM\Bmcgee
      Service Name:      krbtgt/gwblawfirm
      Pre-Authentication Type:      0x2
      Failure Code:      0x18
      Client Address:      192.168.1.8

****************************

Kind of strange is that with ADC1, the client address of 192.168.1.7 is the IP of ADC2. The IP of 192.168.1.8 is the EMAILSERVER.

Should I be looking at the client or the Exchange server? I have tried a ton of things on the client from mapped drives and service accounts to hidden user accounts to no avail. We do have a Metaframe server that I rebooted in case he still had a session going on there but according to Term Svcs he did not.

HELP

And Thanks

1 Solution

Krzysztof Pytko (Active Directory Engineer) commented:
Download Account Lockout and Management Tools from Microsoft
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

and use eventcombMT and LockoutStatus to troubleshoot. It should point where the problem is :)

Mark Lewis (Author) commented:
I've done that and I believe the problem has to do with the Exchange server, but I have run out of ideas as to what's causing the issue.

Antsoair commented:
Event ID 675 pre-authentication failures occur for many different reasons. Look at the failure code to help troubleshoot. In this case failure code 0x18 is "Pre-authentication information was invalid". This generally means bad password. Have you looked at the security logs on EMAILSERVER? You need to check the security logs on EMAILSERVER for failed logon attempts that occur at or near the same time as the logs on the domain controllers. The domain controllers authenticate the logon request but the actual logon could be at the e-mail server. You may also want to look at the logs on ADC2 to compare. Does this person use only one workstation? Compare the logs on the workstation. Did they recently change their password? Many times cached credentials will cause problems after a user changes their password.
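An added example (not part of the thread, and not NetWrix, EventCombMT or LockoutStatus code) that applies the correlation described above to the EventComb-style dump format the question shows: parse the 675 records from each DC, keep only failure code 0x18 for the user in question, group by Client Address, and work out how fast the count is climbing towards the lockout threshold. The DC address map, the sample records and the extra 0x25 event are constructed for illustration; only 192.168.1.7 = ADC2 and the threshold of 10 come from the question. A Client Address that is itself a DC is reported as "chained" rather than as the origin, which is consistent with a DC forwarding a rejected password to the PDC emulator, so the PDC's event shows the other DC's IP instead of the real source.

```python
"""Correlate Kerberos pre-auth failures (event 675) across DCs.
Added example; the record layout mirrors the dump quoted in the question."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Assumed DC address map: 192.168.1.7 = ADC2 is from the question, the rest is made up.
DC_ADDRESSES = {"192.168.1.5": "ADC1", "192.168.1.7": "ADC2", "192.168.1.6": "ADC3"}
LOCKOUT_THRESHOLD = 10  # "At 10, due to policy, the user is locked out"

# Kerberos error codes commonly seen in event 675 (and its successor 4771).
KRB_FAILURE = {"0x6": "client principal unknown", "0x12": "client revoked (disabled/locked out)",
               "0x17": "key expired (password expired)", "0x18": "pre-auth failed (bad password)",
               "0x25": "clock skew too great"}

# Template in the same layout as the question's dump; used to build constructed sample data.
RECORD = """Logs created in {dc}
____________________
Time written: {time}
User :NT AUTHORITY\\SYSTEM
Event code :675
Log :Security
Source :Security
Type :Audit Failure
Pre-authentication failed:
      User Name:      {user}
      User ID:            DOMAINNAME\\{user}
      Service Name:      krbtgt/domainname
      Pre-Authentication Type:      0x2
      Failure Code:      {code}
      Client Address:      {client}

****************************
"""

# Constructed sample: the mail server (192.168.1.8) fails every 4 minutes on ADC2, ADC1 sees the
# same attempts chained from ADC2 (192.168.1.7), and a workstation produces one unrelated skew error.
SAMPLE = "".join(RECORD.format(dc=dc, time=t, user=u, client=c, code=k) for dc, t, u, c, k in [
    ("ADC2", "8/31/2010 10:01:46 AM", "jdoe", "192.168.1.8", "0x18"),
    ("ADC1", "8/31/2010 10:01:46 AM", "jdoe", "192.168.1.7", "0x18"),
    ("ADC2", "8/31/2010 10:05:46 AM", "jdoe", "192.168.1.8", "0x18"),
    ("ADC1", "8/31/2010 10:05:46 AM", "jdoe", "192.168.1.7", "0x18"),
    ("ADC2", "8/31/2010 10:09:46 AM", "jdoe", "192.168.1.8", "0x18"),
    ("ADC1", "8/31/2010 10:09:46 AM", "jdoe", "192.168.1.7", "0x18"),
    ("ADC3", "8/31/2010 10:03:10 AM", "jdoe", "192.168.1.50", "0x25"),
])

LINE_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*?)\s*$")  # "Key :Value" / "Key:      Value"


def parse_events(text):
    """Return one dict per 'Time written:' record, tagged with the DC whose log it came from."""
    events, current, dc = [], None, None
    for line in text.splitlines():
        if line.startswith("Logs created in "):
            dc = line[len("Logs created in "):].strip()
            continue
        m = LINE_RE.match(line)
        if not m:
            continue  # separators and blank lines
        key, value = m.group(1), m.group(2)
        if key == "Time written":
            current = {"dc": dc, "time": datetime.strptime(value, "%m/%d/%Y %I:%M:%S %p")}
            events.append(current)
        elif current is not None:
            current[key] = value
    return events


def summarize(events, user, dc_addresses=DC_ADDRESSES):
    """Bad-password (0x18) failures for one user, grouped by Client Address.
    'chained' marks a client that is itself a DC, i.e. not the real origin."""
    by_client = defaultdict(list)
    for ev in events:
        if ev.get("User Name", "").lower() == user.lower() and ev.get("Failure Code") == "0x18":
            by_client[ev["Client Address"]].append(ev)
    summary = {}
    for client, evs in by_client.items():
        times = sorted(e["time"] for e in evs)
        gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
        summary[client] = {"count": len(evs), "dcs": sorted({e["dc"] for e in evs}),
                           "chained": client in dc_addresses,
                           "interval_min": statistics.median(gaps) if gaps else None}
    return summary


def likely_origins(summary):
    """Client addresses worth visiting, most failures first, DC-to-DC chaining excluded."""
    return sorted((c for c, s in summary.items() if not s["chained"]),
                  key=lambda c: -summary[c]["count"])


def minutes_to_lockout(summary, client, threshold=LOCKOUT_THRESHOLD):
    """Minutes until the bad-password count reaches the threshold if the cadence holds."""
    s = summary[client]
    if s["interval_min"] is None or s["count"] >= threshold:
        return 0.0
    return (threshold - s["count"]) * s["interval_min"]


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE), "jdoe")
    for client, s in summary.items():
        tag = "chained via " + DC_ADDRESSES[client] if s["chained"] else "ORIGIN"
        print(f"{client:14} {s['count']} x {KRB_FAILURE['0x18']} on {s['dcs']} "
              f"every {s['interval_min']} min [{tag}]")
    for client in likely_origins(summary):
        print(f"check {client}: lockout in ~{minutes_to_lockout(summary, client)} min at this rate")
```

Feed it the concatenated EventCombMT output from every DC (not just one), since the chained entries on the PDC emulator only make sense next to the entries on the DC that first rejected the password; the origin address it reports is where the Exchange-side logs, and ultimately the device holding the stale password, should be checked next.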

Mark Lewis (Author) commented:
I finally found the problem. I knew from the errors that it was our mail server trying to authenticate the user's account, so I shut down his client machine and also made sure there were no Term Serv connections for him on the Metaframe server. Sure enough, the bad pwd count kept rising and the only thing still left that would want to contact our mail server was his Droid. He had email set up on his Droid using ActiveSync but he didn't like it, so we bought him a third-party app called Touchdown to check his email and, instead of deleting the old email software on the Droid, we disabled it just in case his Touchdown software blew up. He "somehow" re-enabled it and it was constantly trying to log into Exchange with an old password.