Solved

account locking out

Posted on 2010-11-10
Last Modified: 2012-05-10
One of my user accounts keeps getting locked out. At 03 and 33 minutes past the hour a bad password attempt is registered with the domain controller, meaning that after 3 bad passwords, or every 1.5 hours, his account gets locked out.

I have checked the user's PC but can't find anything set to run every half hour.

Here is the event that gets logged on the Domain Controller after each failed logon attempt is generated:



Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/10/2010 10:03:10 AM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MyDomainController.mydomain.com
Description:
The domain controller attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      User that keeps getting locked out
Source Workstation:      My ISA server
Error Code:      0xc000006a
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-11-10T10:03:10.058Z" />
    <EventRecordID>48935665</EventRecordID>
    <Correlation />
    <Execution ProcessID="604" ThreadID="10492" />
    <Channel>Security</Channel>
    <Computer>MyDomainController.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">User that keeps getting locked out</Data>
    <Data Name="Workstation">My ISA Server</Data>
    <Data Name="Status">0xc000006a</Data>
  </EventData>
</Event>



The "Source Workstation" is the name of my ISA server, which makes me think maybe it is something on the user's PC trying to authenticate with the ISA server.
0
Comment
Question by:carbonbase
10 Comments
 
LVL 6

Assisted Solution

by:LHT_ST
LHT_ST earned 25 total points
ID: 34102916
Double check it is coming from the user's PC - could be this user's account on another PC. Shut down the PC close to one of the indicated times and see if it still locks out - or check overnight.

Could be a service/application that has been configured with the user's login details (which I'm guessing they have since changed as it's locking out).
0
 
LVL 2

Accepted Solution

by:
aimcitp earned 50 total points
ID: 34103118
LHT_ST is correct. Check the user and see if they have any connections to the ISA open.
 
The error message does not provide the smoking gun but does point you in the right direction.
C:\Err>err 0xc000006a
# for hex 0xc000006a / decimal -1073741718 :
  STATUS_WRONG_PASSWORD                                         ntstatus.h
# When trying to update a password, this return status
# indicates that the value provided as the current password
# is not correct.
# 1 matches found for "0xc000006a"
0
 
LVL 1

Assisted Solution

by:MPower32
MPower32 earned 50 total points
ID: 34103129
Enable Netlogon logging on the PDC and the authenticating DC for the user. Once done, use the account lockout tool NLParse.exe to traverse the Netlogon log. We may also need to enable Netlogon logging on other DCs if the bad logon attempt is transitive. Select 0xC000006A and 0xC0000234 in NLParse.exe. Check the machine from where the bad logon attempts are coming. Once the machine is identified, check for the following causes on the machine:

1. Programs
2. Service accounts
3. Bad Password Threshold is set too low
4. User logging on to multiple computers
5. Stored user names and passwords retain redundant credentials
6. Scheduled tasks
7. Persistent drive mappings
8. Active Directory replication
9. Disconnected Terminal Server sessions
0
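The same triage applied to the 4776 events from the question instead of the Netlogon log, as an added example that is not part of the thread: keep only the two status codes MPower32 names, group by account and source workstation, and check whether the bad-password gaps are constant, like the :03/:33 pattern in the question. The account names, host names and events in the sample are constructed, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
WRONG_PASSWORD, LOCKED_OUT = 0xC000006A, 0xC0000234  # the two codes named in the thread

def parse_4776(xml_text):
    """Return (time, user, workstation, status) for a failed 4776 event, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4776":
        return None
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    status = int(data["Status"], 16)
    if status not in (WRONG_PASSWORD, LOCKED_OUT):
        return None
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")  # drop fractional seconds
    return when, data["TargetUserName"].lower(), data["Workstation"].lower(), status

def summarize(events, tolerance=60):
    """Per (user, workstation): count failures; a near-constant gap suggests a timer, not a person."""
    groups = defaultdict(lambda: {"bad": [], "locked": 0})
    for when, user, host, status in filter(None, map(parse_4776, events)):
        if status == WRONG_PASSWORD:
            groups[(user, host)]["bad"].append(when)
        else:
            groups[(user, host)]["locked"] += 1
    report = {}
    for key, g in groups.items():
        times = sorted(g["bad"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        periodic = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance
        report[key] = {"bad_passwords": len(times), "locked_rejections": g["locked"],
                       "interval_min": round(sum(gaps) / len(gaps) / 60) if periodic else None}
    return report

# Constructed sample events (hypothetical names), same shape as the 4776 XML in the question.
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            '<EventID>4776</EventID><TimeCreated SystemTime="{}" /></System><EventData>'
            '<Data Name="TargetUserName">{}</Data><Data Name="Workstation">{}</Data>'
            '<Data Name="Status">{}</Data></EventData></Event>')
SAMPLE = [TEMPLATE.format(*row) for row in [
    ("2010-11-10T10:03:10.058Z", "jsmith", "ISA01", "0xc000006a"),
    ("2010-11-10T10:33:11.102Z", "jsmith", "ISA01", "0xc000006a"),
    ("2010-11-10T11:03:09.870Z", "jsmith", "ISA01", "0xc000006a"),
    ("2010-11-10T11:03:10.400Z", "jsmith", "ISA01", "0xc0000234"),
    ("2010-11-10T10:17:42.000Z", "adavis", "PC-114", "0xc000006a"),
    ("2010-11-10T10:20:00.000Z", "adavis", "PC-114", "0x0")]]
```

`summarize(SAMPLE)` reports a 30-minute interval for the constructed jsmith/isa01 pair and no interval for the single adavis failure; a non-null `interval_min` is the cue to look for a scheduled or automatic client behind the named workstation.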
 
LVL 24

Assisted Solution

by:Awinish
Awinish earned 25 total points
ID: 34103215
The tool below has helped many to solve the issue.

http://www.netwrix.com/account_lockout_examiner.html

It can be a mapped drive where user credentials are used and the password is changed on another system.
0
 
LVL 66

Assisted Solution

by:johnb6767
johnb6767 earned 25 total points
ID: 34103835
Finding root cause of Account lockouts
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/A_532-Finding-root-cause-of-Account-lockouts.html

Summary of some of the tools/steps you can use to find the root cause.....
0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 50 total points
ID: 34105578
Who is the user - what is he within the organisation? An Admin?
The error message states that the SOURCE is the ISA Server - are there any boxes in your DMZ that could have the user's credentials used as a service account? What user traffic passes through the ISA inbound?
Has the user changed his password recently?
0
 
LVL 23

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 25 total points
ID: 34106247
Sounds like the Conficker worm.

Scan your network by using this tool: http://www.mcafee.com/us/enterprise/confickertest.html
0
 

Author Closing Comment

by:carbonbase
ID: 34111923
Turns out the problem was the user's ActiveSync mobile phone connection to our Exchange server; our ActiveSync traffic passes through our ISA server before it hits our Exchange server.

I have awarded some points as all your answers seemed helpful in troubleshooting account lockout.  Thanks.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34113092
Thanks
0
 
LVL 66

Expert Comment

by:johnb6767
ID: 34117494
Glad you're fixed.....
0
