Solved

account locking out

Posted on 2010-11-10
Last Modified: 2012-05-10
One of my user accounts keeps getting locked out. At 03 and 33 minutes past the hour a bad password attempt is registered with the domain controller, meaning that after 3 bad passwords, or every 1.5 hours, his account gets locked out.

I have checked the user's PC but can't find anything set to run every half hour.

Here is the event that gets logged on the Domain Controller after each failed logon attempt is generated:



Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/10/2010 10:03:10 AM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MyDomainController.mydomain.com
Description:
The domain controller attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      User that keeps getting locked out
Source Workstation:      My ISA server
Error Code:      0xc000006a
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-11-10T10:03:10.058Z" />
    <EventRecordID>48935665</EventRecordID>
    <Correlation />
    <Execution ProcessID="604" ThreadID="10492" />
    <Channel>Security</Channel>
    <Computer>MyDomainController.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">User that keeps getting locked out</Data>
    <Data Name="Workstation">My ISA Server</Data>
    <Data Name="Status">0xc000006a</Data>
  </EventData>
</Event>



The "Source Workstation" is the name of my ISA server, which makes me think maybe it is something on the user's PC trying to authenticate with the ISA server.
Question by:carbonbase
10 Comments
 

Assisted Solution

by:LHT_ST
LHT_ST earned 25 total points
ID: 34102916
Double check it is coming from the user's PC - could be this user's account on another PC. Shut down the PC close to one of the indicated times and see if it still locks out - or check overnight.

Could be a service/application that has been configured with the user's login details (which I'm guessing they have since changed, as it's locking out).

Accepted Solution

by:
aimcitp earned 50 total points
ID: 34103118
LHT_ST is correct. Check the user and see if they have any connections to the ISA open.
 
The error message does not provide the smoking gun but does point you in the right direction.
C:\Err>err 0xc000006a
# for hex 0xc000006a / decimal -1073741718 :
  STATUS_WRONG_PASSWORD                                         ntstatus.h
# When trying to update a password, this return status
# indicates that the value provided as the current password
# is not correct.
# 1 matches found for "0xc000006a"

Assisted Solution

by:MPower32
MPower32 earned 50 total points
ID: 34103129
Enable Netlogon logging on the PDC and the authenticating DC for the user. Once done, use the Account Lockout tool NLParse.exe to traverse the Netlogon log. We may also need to enable the Netlogon log on other DCs if the bad logon attempt is transitive. Select 0xC000006A and 0xC0000234 in NLParse.exe. Check the machine from where the bad logon attempts are coming. Once the machine is identified, check for the following causes on the machine:

1. Programs
2. Service accounts
3. Bad Password Threshold is set too low
4. User logging on to multiple computers
5. Stored user names and passwords retain redundant credentials
6. Scheduled tasks
7. Persistent drive mappings
8. Active Directory replication
9. Disconnected Terminal Server sessions
0
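
The triage described in the answer above (keep only 0xC000006A and 0xC0000234, then find the machine the bad logons come from), applied to event 4776 records like the one in the question. This is an added PowerShell example, not part of the original thread; the function names, the account jdoe and the workstation ISA01 are constructed for illustration.

```powershell
# Status codes the answer says to select in NLParse.exe.
$FailureStatus = @{ '0xc000006a' = 'STATUS_WRONG_PASSWORD'; '0xc0000234' = 'STATUS_ACCOUNT_LOCKED_OUT' }

function Get-CredValidationFailure {   # hypothetical helper name
    # Parses event 4776 XML strings and keeps only the two failure codes above.
    param([Parameter(Mandatory)][string[]]$EventXml)
    foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).DocumentElement
        if ($evt['System']['EventID'].InnerText -ne '4776') { continue }
        $data = @{}
        foreach ($d in $evt['EventData'].GetElementsByTagName('Data')) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        $status = "$($data['Status'])".ToLower()
        if (-not $FailureStatus.ContainsKey($status)) { continue }
        $stamp = $evt['System']['TimeCreated'].GetAttribute('SystemTime')
        [pscustomobject]@{
            TimeUtc     = [datetimeoffset]::Parse($stamp).UtcDateTime
            User        = $data['TargetUserName']
            Workstation = $data['Workstation']
            Status      = $FailureStatus[$status]
        }
    }
}

function Get-LockoutSourceSummary {    # hypothetical helper name
    # One row per account and source workstation. A small fixed set of
    # minute values (such as 3,33) points at a device or service retrying on a timer.
    param([Parameter(Mandatory)][object[]]$Failure)
    $Failure | Group-Object User, Workstation | ForEach-Object {
        [pscustomobject]@{
            User          = $_.Group[0].User
            Workstation   = $_.Group[0].Workstation
            Failures      = $_.Count
            MinutesOfHour = ($_.Group.TimeUtc.Minute | Sort-Object -Unique) -join ','
        }
    }
}

# Constructed sample events (reduced to the fields used here). On a DC, feed real ones instead:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776} | ForEach-Object { $_.ToXml() }
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4776</EventID><TimeCreated SystemTime="{0}" /></System><EventData><Data Name="TargetUserName">{1}</Data><Data Name="Workstation">{2}</Data><Data Name="Status">{3}</Data></EventData></Event>'
$sample = @(
    @('2010-11-10T10:03:10.058Z', 'jdoe', 'ISA01', '0xc000006a'),
    @('2010-11-10T10:33:10.102Z', 'jdoe', 'ISA01', '0xc000006a'),
    @('2010-11-10T10:41:55.000Z', 'jdoe', 'PC-042', '0x0'),          # success, filtered out
    @('2010-11-10T11:03:10.077Z', 'jdoe', 'ISA01', '0xc000006a')
) | ForEach-Object { $template -f $_ }

Get-LockoutSourceSummary (Get-CredValidationFailure $sample) | Format-Table -AutoSize
```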

Assisted Solution

by:Awinish
Awinish earned 25 total points
ID: 34103215
The tool below has helped many to solve the issue.

http://www.netwrix.com/account_lockout_examiner.html

It can be a mapped drive where user credentials are used & the password is changed on another system.

Assisted Solution

by:johnb6767
johnb6767 earned 25 total points
ID: 34103835
Finding root cause of Account lockouts
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/A_532-Finding-root-cause-of-Account-lockouts.html

Summary of some of the tools/steps you can use to find the root cause.....

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 50 total points
ID: 34105578
Who is the user - what is he within the organisation? An Admin?
The error message states that the SOURCE is the ISA Server - are there any boxes in your DMZ that could have the user's credentials used as a service account? What user traffic passes through the ISA inbound?
Has the user changed his password recently?

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 25 total points
ID: 34106247
Sounds like the Conficker worm.

Scan your network by using this tool: http://www.mcafee.com/us/enterprise/confickertest.html

Author Closing Comment

by:carbonbase
ID: 34111923
Turns out the problem was the user's ActiveSync mobile phone connection to our Exchange server; our ActiveSync traffic passes through our ISA server before it hits our Exchange server.

I have awarded some points as all your answers seemed helpful in troubleshooting account lockout.  Thanks.

Expert Comment

by:Keith Alabaster
ID: 34113092
Thanks

Expert Comment

by:johnb6767
ID: 34117494
Glad you're fixed.....

Question has a verified solution.