account locking out

One of my user accounts keeps getting locked out. At 03 and 33 minutes past the hour a bad password attempt is registered with the domain controller, meaning that after 3 bad passwords, or every 1.5 hours, his account gets locked out.

I have checked user's PC but can't find anything set to run every half hour.  

Here is the event that gets logged on the Domain Controller after each failed logon attempt is generated:



Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/10/2010 10:03:10 AM
Event ID:      4776
Task Category: Credential Validation
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      MyDomainController.mydomain.com
Description:
The domain controller attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      User that keeps getting locked out
Source Workstation:      My ISA server
Error Code:      0xc000006a
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2010-11-10T10:03:10.058Z" />
    <EventRecordID>48935665</EventRecordID>
    <Correlation />
    <Execution ProcessID="604" ThreadID="10492" />
    <Channel>Security</Channel>
    <Computer>MyDomainController.mydomain.com</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">User that keeps getting locked out</Data>
    <Data Name="Workstation">My ISA Server</Data>
    <Data Name="Status">0xc000006a</Data>
  </EventData>
</Event>



The "Source Workstation" is the name of my ISA server, which makes me think maybe it is something on the user's PC trying to authenticate with the ISA server.
carbonbase Asked:
 
aimcitp Commented:
LHT_ST is correct. Check the user and see if they have any connections to the ISA open.
 
The error message does not provide the smoking gun but does point you in the right direction.
C:\Err>err 0xc000006a
# for hex 0xc000006a / decimal -1073741718 :
  STATUS_WRONG_PASSWORD                                         ntstatus.h
# When trying to update a password, this return status
# indicates that the value provided as the current password
# is not correct.
# 1 matches found for "0xc000006a"
 
LHT_ST Commented:
Double check it is coming from the user's PC - could be this user's account on another PC. Shut down the PC close to one of the indicated times and see if it still locks out - or check overnight.

Could be a service/application that has been configured with the user's login details (which I'm guessing they have since changed as it's locking out).
 
MPower32 Commented:
Enable Netlogon logging on the PDC and the authenticating DC for the user. Once done, use the Account Lockout tool NLParse.exe to traverse the Netlogon log. We may also need to enable Netlogon logging on other DCs if the bad logon attempt is transitive. Select 0xC000006A and 0xC0000234 in NLParse.exe. Check the machine from which the bad logon attempts are coming. Once the machine is identified, check for the following causes on the machine:

1. Programs
2. Service accounts
3. Bad Password Threshold is set too low
4. User logging on to multiple computers
5. Stored user names and passwords retain redundant credentials
6. Scheduled tasks
7. Persistent drive mappings
8. Active Directory replication
9. Disconnected Terminal Server sessions
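Added example, not part of any poster's reply: a Python sketch that reads exported 4776 events in the XML shape shown in the question, keeps the two status codes named above (0xC000006A and 0xC0000234), groups failures by account and source workstation, and flags a fixed retry interval like the 03/33-minute pattern. The function names, the accounts `jdoe` and `asmith`, the hosts `ISA01` and `WKSTN7`, and the 120-second tolerance are constructed for illustration.

```python
import statistics
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Status codes named in the thread: wrong password, account locked out.
FAILURE_STATUSES = {0xC000006A, 0xC0000234}

def parse_4776(event_xml):
    """Return (time, user, workstation, status) for a 4776 event, else None."""
    root = ET.fromstring(event_xml)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4776":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    stamp = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    when = datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")  # drop fractional seconds
    return when, data["TargetUserName"], data["Workstation"], int(data["Status"], 16)

def failure_sources(events_xml, tolerance_s=120):
    """Group failures by (user, workstation) and flag fixed-interval retries."""
    times = defaultdict(list)
    for xml_text in events_xml:
        rec = parse_4776(xml_text)
        if rec and rec[3] in FAILURE_STATUSES:
            times[(rec[1], rec[2])].append(rec[0])
    report = {}
    for key, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps) if gaps else None
        # A near-constant gap suggests a client retrying on a timer, not a person typing.
        periodic = len(gaps) >= 2 and all(abs(g - median) <= tolerance_s for g in gaps)
        report[key] = {"failures": len(stamps), "median_gap_s": median, "periodic": periodic}
    return report

# Constructed sample data in the shape of the event shown in the question.
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>4776</EventID><TimeCreated SystemTime="{t}" /></System>'
            '<EventData><Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>'
            '<Data Name="TargetUserName">{u}</Data><Data Name="Workstation">{w}</Data>'
            '<Data Name="Status">{s}</Data></EventData></Event>')
SAMPLE = [TEMPLATE.format(t=t, u=u, w=w, s=s) for t, u, w, s in [
    ("2010-11-10T10:03:10.058Z", "jdoe", "ISA01", "0xc000006a"),
    ("2010-11-10T10:33:09.412Z", "jdoe", "ISA01", "0xc000006a"),
    ("2010-11-10T11:03:11.020Z", "jdoe", "ISA01", "0xc000006a"),
    ("2010-11-10T10:41:55.000Z", "asmith", "WKSTN7", "0xc0000234"),
    ("2010-11-10T10:50:00.000Z", "asmith", "WKSTN7", "0x0"),  # success, ignored
]]
print(failure_sources(SAMPLE))
```

A periodic result for one account and workstation narrows the search to timer-driven clients reaching the DC through that host; it does not identify the device behind a proxy such as the ISA server.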

 
Awinish Commented:
The tool below has helped many to solve the issue.

http://www.netwrix.com/account_lockout_examiner.html

It can be a mapped drive where the user's credentials are used and the password is changed on another system.
 
johnb6767 Commented:
Finding root cause of Account lockouts
http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/A_532-Finding-root-cause-of-Account-lockouts.html

Summary of some of the tools/steps you can use to find the root cause.....
 
Keith Alabaster, Enterprise Architect, Commented:
Who is the user - what is he within the organisation? An Admin?
The error message states that the SOURCE is the ISA Server - are there any boxes in your DMZ that could have the user's credentials used as a service account? What user traffic passes through the ISA inbound?
Has the user changed his password recently?
 
Suliman Abu Kharroub, IT Consultant, Commented:
Sounds like the Conficker worm.

Scan your network by using this tool: http://www.mcafee.com/us/enterprise/confickertest.html
 
carbonbase (Author) Commented:
Turns out the problem was the user's ActiveSync mobile phone connection to our Exchange server; our ActiveSync traffic passes through our ISA server before it hits our Exchange server.

I have awarded some points as all your answers seemed helpful in troubleshooting account lockout.  Thanks.
 
Keith Alabaster, Enterprise Architect, Commented:
Thanks
 
johnb6767 Commented:
Glad you're fixed.....