Solved

User continuously getting locked out every 40 minutes

Posted on 2010-08-31
4
630 Views
Last Modified: 2013-12-04
I have a single user that keeps getting locked out every 40 minutes or so. I am using the NetWrix app and I can see where the "Bad Pwd Count" increments every 4 minutes or so. At 10, due to policy, the user is locked out. According to NetWrix, the workstation sending the bad passwords is "Emailserver" which is just as it sounds...our Exchange 2003 server. This is further verified by the Audit failures in the event viewer:

Logs created in ADC1
____________________
Time written: 8/31/2010 10:09:46 AM
User :NT AUTHORITY\SYSTEM
Event code :675
Log :Security
Source :Security
Type :Audit Failure
Pre-authentication failed:

      User Name:      jdoe

      User ID:            DOMAINNAME\jdoe

      Service Name:      krbtgt/domainname

      Pre-Authentication Type:      0x2

      Failure Code:      0x18

      Client Address:      192.168.1.7


****************************
Logs created in ADC2
____________________
Time written: 8/31/2010 10:09:46 AM
User :NT AUTHORITY\SYSTEM
Event code :675
Log :Security
Source :Security
Type :Audit Failure
Pre-authentication failed:

      User Name:      jdoe

      User ID:            DOMAINNAME\jdoe

      Service Name:      krbtgt/domainname

      Pre-Authentication Type:      0x2

      Failure Code:      0x18

      Client Address:      192.168.1.8


****************************
Logs created in ADC3
____________________
Time written: 8/29/2010 1:26:52 AM
User :NT AUTHORITY\SYSTEM
Event code :675
Log :Security
Source :Security
Type :Audit Failure
Pre-authentication failed:

      User Name:      Bmcgee

      User ID:            GWBLAWFIRM\Bmcgee

      Service Name:      krbtgt/gwblawfirm

      Pre-Authentication Type:      0x2

      Failure Code:      0x18

      Client Address:      192.168.1.8


****************************

Kind of strange is that with ADC1, the client address of 192.168.1.7 is the IP of ADC2. The IP of 192.168.1.8 is the EMAILSERVER.

Should I be looking at the client or the Exchange server? I have tried a ton of things on the client from mapped drives and service accounts to hidden user accounts to no avail. We do have a Metaframe server that I rebooted in case he still had a session going on there but according to Term Svcs he did not.

HELP

And Thanks

Question by:gwbmcse
4 Comments
 
LVL 39

Expert Comment

by:Krzysztof Pytko
ID: 33567826
Download Account Lockout and Management Tools from Microsoft
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

and use eventcombMT and LockoutStatus to troubleshoot. It should point where the problem is :)
0
 

Author Comment

by:gwbmcse
ID: 33567874
I've done that and I believe the problem has to do with the Exchange server but I have run out of ideas as to what's causing the issue.
0
 
LVL 2

Expert Comment

by:Antsoair
ID: 33567926
Event ID 675 pre-authentication failures occur for many different reasons. Look at the failure code to help troubleshoot. In this case failure code 0x18 is "Pre-authentication information was invalid". This generally means bad password. Have you looked at the security logs on EMAILSERVER? You need to check the security logs on EMAILSERVER for failed logon attempts that occur at or near the same time as the logs on the domain controllers. The domain controllers authenticate the logon request but the actual logon could be at the e-mail server. You may also want to look at the logs on ADC2 to compare. Does this person use only one workstation? Compare the logs on the workstation. Did they recently change their password? Many times cached credentials will cause problems after a user changes their password.
0
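The correlation this comment recommends (match the 0x18 pre-authentication failures on the DCs by user, time and client address, and see when they reach the 10-attempt policy inside the 40-minute cycle) can be scripted over an exported log. This is an added example, not code from the thread or from NetWrix; the record layout, the 4-minute spacing, the user names other than jdoe and the 192.168.1.50 address are constructed to mirror the records quoted above, and the 0x17/0x12 codes are the standard Kerberos KDC error codes, not values from this thread.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Kerberos pre-authentication failure codes as logged in event ID 675 (standard KDC errors).
FAILURE_CODES = {"0x18": "pre-authentication information was invalid (bad password)",
                 "0x17": "password has expired",
                 "0x12": "client credentials revoked (account disabled or locked out)"}
LOCKOUT_THRESHOLD = 10           # the thread's policy: 10 bad passwords lock the account
WINDOW = timedelta(minutes=40)   # the roughly 40-minute lockout cycle the thread describes
TS_FMT = "%m/%d/%Y %I:%M:%S %p"

def make_record(ts, user, code, client):
    """Constructed sample record in the layout the thread quotes (only parsed fields matter)."""
    return (f"Time written: {ts:{TS_FMT}}\nUser :NT AUTHORITY\\SYSTEM\nEvent code :675\n"
            f"Log :Security\nType :Audit Failure\nPre-authentication failed:\n\n"
            f"      User Name:      {user}\n\n      Failure Code:      {code}\n\n"
            f"      Client Address:      {client}\n\n")

# Constructed sample: jdoe fails every 4 minutes from the mail server (192.168.1.8), one failure
# shows ADC2's address (192.168.1.7) as the thread notes, plus an unrelated expired-password event.
_t0 = datetime(2010, 8, 31, 9, 33, 46)
SAMPLE_LOG = "".join(make_record(_t0 + timedelta(minutes=4 * i), "jdoe", "0x18", "192.168.1.8")
                     for i in range(10))
SAMPLE_LOG += make_record(_t0 + timedelta(minutes=2), "jdoe", "0x18", "192.168.1.7")
SAMPLE_LOG += make_record(_t0, "asmith", "0x17", "192.168.1.50")

RECORD_RE = re.compile(r"Time written: (?P<time>[\d/]+ [\d:]+ [AP]M).*?Event code :(?P<event>\d+)"
                       r".*?User Name:\s+(?P<user>\S+).*?Failure Code:\s+(?P<code>0x[0-9A-Fa-f]+)"
                       r".*?Client Address:\s+(?P<client>[\d.]+)", re.S)

def parse_records(text):
    """Return event-675 records as dicts (time, user, code, client); other event codes are skipped."""
    out = []
    for m in RECORD_RE.finditer(text):
        if m.group("event") == "675":
            out.append({"time": datetime.strptime(m.group("time"), TS_FMT),
                        "user": m.group("user").lower(), "code": m.group("code"),
                        "client": m.group("client")})
    return out

def bad_password_sources(records, user):
    """Count 0x18 (bad password) failures per client address for one user: the culprit's IP."""
    return Counter(r["client"] for r in records if r["user"] == user.lower() and r["code"] == "0x18")

def max_failures_in_window(records, user, window=WINDOW):
    """Largest number of 0x18 failures for `user` inside any sliding window of length `window`."""
    times = sorted(r["time"] for r in records if r["user"] == user.lower() and r["code"] == "0x18")
    return max((sum(1 for t in times[i:] if t - start <= window) for i, start in enumerate(times)),
               default=0)

def will_lock_out(records, user, threshold=LOCKOUT_THRESHOLD):
    """True when the user's bad-password failures reach the lockout policy within the window."""
    return max_failures_in_window(records, user) >= threshold
```

Run against a real export, the per-client counter is what points at EMAILSERVER rather than the workstation, which is exactly the question the comment asks the poster to settle.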
 

Accepted Solution

by:gwbmcse earned 0 total points
ID: 33598855
I finally found the problem. I knew from the errors that it was our mail server trying to authenticate the user's account so I shut down his client machine and also made sure there were no term serv connections for him on the metaframe server. Sure enough, the bad pwd count kept rising and the only thing still left on that would want to contact our mail server was his droid. He had email set up on his droid using activesync but he didn't like it so we bought him a third party app called Touchdown to check his email and instead of deleting the old email software on the droid, we disabled it just in case his Touchdown software blew up. He "somehow" re-enabled it and it was constantly trying to log into Exchange with an old password.
0