Tracking Source of Account Lockout
Asked by Ithizar
Hi folks!
Got about 120 Windows XP Professional SP3 workstations running in a Windows Server 2003 R2 x64-based Active Directory environment.
A few days ago, started having a particular user account -- an administrator account -- that is getting repeatedly locked out. Unlock it, wait a few minutes, locked out again.
My best guesses are that either someone is trying a brute force attack to compromise it (unlikely) or that there's a scheduled task lying around the network somewhere that's repeatedly trying to access it using an old password (likely).
Can someone suggest a way to track where the failed login attempts, and ultimately lockouts, are coming from?
Thanks,
Ithizar
ASKER
Hmm.
I've checked the security logs on our domain controller, and what I'm seeing are dozens and dozens of entries for this user name where it says "pre-authentication failed" and it lists the IP address as the loopback address (127.0.0.1). Those are the only errors involving this user name that I can find. But there are tons of them, occurring every few seconds.
I'm posting the complete error details below.
Any thoughts?
Thanks,
Ithizar
Error Details:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 3/22/2011
Time: 11:03:57 AM
User: NT AUTHORITY\SYSTEM
Computer: CHTNSDC01
Description:
Pre-authentication failed:
User Name: tpinkerton
User ID: CHTN\tpinkerton
Service Name: krbtgt/CHTN
Pre-Authentication Type: 0x2
Failure Code: 0x12
Client Address: 127.0.0.1
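The question asks how to trace where the failed logons come from, and the follow-up shows a 675 event with Client Address 127.0.0.1. As an added example, not code from the thread or from Microsoft's lockout tools, the Python script below parses a Windows Server 2003 security log saved as text in the field layout quoted above and groups the failures for one account by origin. Two details it encodes that matter when reading those events: Failure Code 0x12 is KDC_ERR_CLIENT_REVOKED, the KDC's answer once an account is already locked out or disabled, so the 0x12 events quoted above are the result of the lockout rather than its cause; the attempts that actually consumed the bad-password count carry Failure Code 0x18 (KDC_ERR_PREAUTH_FAILED). And a Client Address of 127.0.0.1 means the Kerberos AS-REQ came from a process on the domain controller that logged the event (the Computer field), which points at a service, scheduled task or mapped drive on that DC rather than at a workstation. Event 644 (User Account Locked Out) is parsed as well, because its Caller Machine Name names the host whose bad password tripped the threshold. The script assumes events in the export are separated by a blank line, as the Event Viewer text export does; the sample events, user jsmith, the workstation addresses and the Account Management fields are constructed for the example.

```python
import re
from collections import Counter


def parse_events(text):
    """Parse a security log saved as text into one dict per event.

    Assumes (as the Event Viewer text export does) that events are separated
    by a blank line and every field is 'Name: value'; only the first colon
    splits name from value, so 'Time: 11:03:57 AM' is kept intact."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            name, sep, value = line.partition(":")
            if sep:
                ev[name.strip()] = value.strip()
        if ev:
            events.append(ev)
    return events


def lockout_sources(events, user):
    """Group 675 (pre-auth failed) and 644 (account locked out) events for one
    account by origin. Only 0x18 (wrong password) failures consume bad-password
    attempts; 0x12 (client revoked) failures are retries against an account
    that is already locked out."""
    bad_password, revoked, locked_by = Counter(), Counter(), Counter()
    for ev in events:
        eid = ev.get("Event ID")
        if eid == "675" and ev.get("User Name", "").lower() == user.lower():
            src = ev.get("Client Address", "?")
            if src == "127.0.0.1":
                # Loopback: the AS-REQ was sent by a process on the DC that
                # logged the event, not by a workstation on the network.
                src = f"127.0.0.1 (local to {ev.get('Computer', '?')})"
            code = ev.get("Failure Code", "")
            if code == "0x18":
                bad_password[src] += 1
            elif code == "0x12":
                revoked[src] += 1
        elif eid == "644" and ev.get("Target Account Name", "").lower() == user.lower():
            locked_by[ev.get("Caller Machine Name", "?")] += 1
    return {"bad_password": bad_password, "revoked": revoked, "locked_by": locked_by}


def most_likely_origin(summary):
    """Host that sent the most wrong passwords, falling back to the caller
    machine from a 644 event when no 0x18 events were captured."""
    for key in ("bad_password", "locked_by"):
        if summary[key]:
            return summary[key].most_common(1)[0][0]
    return None


# Constructed sample log: hostnames, users and addresses are made up, and the
# layout copies the 2003 text export (header fields, then the description).
def _block(event_id, category, fields):
    header = [("Event Type", "Failure Audit"), ("Event Source", "Security"),
              ("Event Category", category), ("Event ID", event_id),
              ("Date", "3/22/2011"), ("Time", "11:03:57 AM"),
              ("User", "NT AUTHORITY\\SYSTEM"), ("Computer", "CHTNSDC01"),
              ("Description", "")]
    return "\n".join(f"{k}: {v}".rstrip() for k, v in header + fields)


def _preauth(user, code, addr):
    return _block("675", "Account Logon", [
        ("Pre-authentication failed", ""), ("User Name", user),
        ("User ID", f"CHTN\\{user}"), ("Service Name", "krbtgt/CHTN"),
        ("Pre-Authentication Type", "0x2"), ("Failure Code", code),
        ("Client Address", addr)])


def _lockout(user, caller):
    return _block("644", "Account Management", [
        ("User Account Locked Out", ""), ("Target Account Name", user),
        ("Target Account ID", f"CHTN\\{user}"), ("Caller Machine Name", caller),
        ("Caller User Name", "CHTNSDC01$"), ("Caller Domain", "CHTN")])


SAMPLE_LOG = "\n\n".join([
    _preauth("tpinkerton", "0x18", "127.0.0.1"),   # stale credential on the DC
    _preauth("tpinkerton", "0x18", "127.0.0.1"),
    _preauth("jsmith", "0x18", "10.1.5.80"),       # unrelated user, ignored
    _preauth("tpinkerton", "0x18", "10.1.5.77"),   # one typo from a workstation
    _preauth("tpinkerton", "0x18", "127.0.0.1"),
    _lockout("tpinkerton", "CHTNSDC01"),           # lockout threshold reached
    _preauth("tpinkerton", "0x12", "127.0.0.1"),   # still retrying, now 0x12
    _preauth("tpinkerton", "0x12", "127.0.0.1"),
])

if __name__ == "__main__":
    summary = lockout_sources(parse_events(SAMPLE_LOG), "tpinkerton")
    for kind, counter in summary.items():
        for src, n in counter.most_common():
            print(f"{kind:13} {n:3}  {src}")
    print("most likely origin:", most_likely_origin(summary))
```

Run it against a real export by replacing SAMPLE_LOG with the contents of the saved .txt file from the DC that logged the 675 events; on a 2003 domain the 644 events are recorded on the PDC emulator, so collect that DC's log too. When the top source is the loopback address, the next step is on the DC itself: services (Win32_Service StartName), scheduled tasks (schtasks /query /v) and persistent drive mappings that still hold the account's old password.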
ASKER
Accepting my own solution, but awarding points to those who helped point me toward the solution.
Probably a password policy in place caused the problem. Do your passwords expire? - Anyway glad you found the problem.
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
They have links to the account lockout and management tools. The network traces can also be useful. I'm with you it is most likely going to be a scheduled task or service that is using an old password.
Thanks
Mike