Solved

Tracking Source of Account Lockout

Posted on 2011-03-21
7
736 Views
Last Modified: 2012-05-11
Hi folks!

Got about 120 Windows XP Professional SP3 workstations running in a Windows Server 2003 R2 x64-based Active Directory environment.

A few days ago, started having a particular user account -- an administrator account -- that is getting repeatedly locked out. Unlock it, wait a few minutes, locked out again.

My best guesses are that either someone is trying a brute force attack to compromise it (unlikely) or that there's a scheduled task laying around the network somewhere that's repeatedly trying to access it using an old password (likely).

Can someone suggest a way to track where the failed login attempts, and ultimately lockouts, are coming from?

Thanks,
Ithizar
0
Comment
Question by:Ithizar
7 Comments
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 250 total points
ID: 35184653
Check your Security Event Logs and filter by Failure Audit - that should show the invalid login attempts.

Look down those entries and look at the source IP and the Processor ID being used.  Then fire up Task Manager (CTRL + SHIFT + ESC) and on the Processes Tab, add the PID column and then look for the Process ID.

If it is System - do you have Exchange on your server?

Check your firewall - do you have RDP (TCP Port 3389) open and forwarded to the server from all Remote IP Addresses?
0
 
LVL 13

Assisted Solution

by:BCipollone
BCipollone earned 250 total points
ID: 35184686
Please read this to help solve your issue: http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35184696
Take a look at this blog entry

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

They have links to the account lockout and management tools.  The network traces can also be useful.  I'm with you it is most likely going to be a scheduled task or service that is using an old password.

Thanks

Mike
0
Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

 

Author Comment

by:Ithizar
ID: 35190833
Hmm.

I've checked the security logs on our domain controller, and what I'm seeing are dozens and dozens of entries for this user name where it says "pre-authentication failed" and it lists the IP address as the loopback address (127.0.0.1). Those are the only errors involving this user name that I can find. But there are tons of them, occurring every few seconds.

I'm posting the complete error details below.

Any thoughts?

Thanks,
Ithizar

Error Details:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            3/22/2011
Time:            11:03:57 AM
User:            NT AUTHORITY\SYSTEM
Computer:      CHTNSDC01
Description:
Pre-authentication failed:
       User Name:      tpinkerton
       User ID:            CHTN\tpinkerton
       Service Name:      krbtgt/CHTN
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      127.0.0.1
0
 

Accepted Solution

by:
Ithizar earned 0 total points
ID: 35224384
Found the answer! And, boy, was it obscure.

In the advanced DHCP properties of the server in question, it was set to authenticate using that user name. And apparently failing. I updated the credentials and the problem went away.

Now, why that had worked forever and then suddenly stopped working a few days before I posted my question, I have no idea. But there's the solution.

Thanks to everyone for your help!
0
 

Author Closing Comment

by:Ithizar
ID: 35275420
Accepting my own solution, but awarding points to those who helped point me toward the solution.
0
 
LVL 13

Expert Comment

by:BCipollone
ID: 35281682
Probably a password policy in place caused the problem. Do your passwords expire? - Anyway glad you found the problem.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Azure Expertise required 1 28
Power shell 4 29
Powershell query for OU membership 5 40
New-Aduser from SQL 27 20
For both online and offline retail, the cross-channel business is the most recent pattern in the B2C trade space.
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

820 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question