Solved

account locking out

Posted on 2010-11-10
Last Modified: 2012-05-10
One of my user accounts keeps getting locked out. At 03 and 33 minutes past the hour a bad password attempt is registered with the domain controller, meaning that after 3 bad passwords, or every 1.5 hours, his account gets locked out.

I have checked the user's PC but can't find anything set to run every half hour.

Here is the event that gets logged on the Domain Controller after each failed logon attempt is generated:



Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/10/2010 10:03:10 AM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MyDomainController.mydomain.com
Description:
The domain controller attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      User that keeps getting locked out
Source Workstation:      My ISA server
Error Code:      0xc000006a
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-11-10T10:03:10.058Z" />
    <EventRecordID>48935665</EventRecordID>
    <Correlation />
    <Execution ProcessID="604" ThreadID="10492" />
    <Channel>Security</Channel>
    <Computer>MyDomainController.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">User that keeps getting locked out</Data>
    <Data Name="Workstation">My ISA Server</Data>
    <Data Name="Status">0xc000006a</Data>
  </EventData>
</Event>



The "Source Workstation" is the name of my ISA server, which makes me think maybe it is something on the user's PC trying to authenticate with the ISA server.
Question by:carbonbase
10 Comments
 

Assisted Solution

by:LHT_ST
LHT_ST earned 25 total points
Double check it is coming from the user's PC - could be this user's account on another PC. Shut down the PC close to one of the indicated times and see if it still locks out - or check overnight.

Could be a service/application that has been configured with the user's login details (which I'm guessing they have since changed, as it's locking out).

Accepted Solution

by:aimcitp
aimcitp earned 50 total points
LHT_ST is correct. Check the user and see if they have any connections to the ISA open.
 
The error message does not provide the smoking gun but does point you in the right direction.
C:\Err>err 0xc000006a
# for hex 0xc000006a / decimal -1073741718 :
  STATUS_WRONG_PASSWORD                                         ntstatus.h
# When trying to update a password, this return status
# indicates that the value provided as the current password
# is not correct.
# 1 matches found for "0xc000006a"

Assisted Solution

by:MPower32
MPower32 earned 50 total points
Enable Netlogon logging on the PDC and the authenticating DC for the user. Once done, use the Account Lockout tool NLParse.exe to traverse the Netlogon log. We may also need to enable the Netlogon log on other DCs if the bad logon attempt is transitive. Select 0xC000006A and 0xC0000234 in NLParse.exe. Check the machine from where the bad logon attempts are coming. Once the machine is identified, check for the following causes on the machine:

1. Programs
2. Service accounts
3. Bad Password Threshold is set too low
4. User logging on to multiple computers
5. Stored user names and passwords retain redundant credentials
6. Scheduled tasks
7. Persistent drive mappings
8. Active Directory replication
9. Disconnected Terminal Server sessions

Assisted Solution

by:Awinish
Awinish earned 25 total points
The tool below has helped many to solve the issue.

http://www.netwrix.com/account_lockout_examiner.html

It can be a mapped drive where user credentials are used & the password is changed on another system.

Assisted Solution

by:johnb6767
johnb6767 earned 25 total points
Finding root cause of Account lockouts
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/A_532-Finding-root-cause-of-Account-lockouts.html

Summary of some of the tools/steps you can use to find the root cause.....

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 50 total points
Who is the user - what is he within the organisation? An Admin?
The error message states that the SOURCE is the ISA Server - are there any boxes in your DMZ that could have the user's credentials used as a service account? What user traffic passes through the ISA inbound?
Has the user changed his password recently?

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 25 total points
Sounds like the Conficker worm.

Scan your network by using this tool: http://www.mcafee.com/us/enterprise/confickertest.html

Author Closing Comment

by:carbonbase
Turns out the problem was the user's ActiveSync mobile phone connection to our Exchange server; our ActiveSync traffic passes through our ISA server before it hits our Exchange server.

I have awarded some points as all your answers seemed helpful in troubleshooting account lockout.  Thanks.

Expert Comment

by:Keith Alabaster
Thanks

Expert Comment

by:johnb6767
Glad you're fixed.....