?
Solved

Tracking Source of Account Lockout

Posted on 2011-03-21
7
Medium Priority
?
749 Views
Last Modified: 2012-05-11
Hi folks!

Got about 120 Windows XP Professional SP3 workstations running in a Windows Server 2003 R2 x64-based Active Directory environment.

A few days ago, started having a particular user account -- an administrator account -- that is getting repeatedly locked out. Unlock it, wait a few minutes, locked out again.

My best guesses are that either someone is trying a brute force attack to compromise it (unlikely) or that there's a scheduled task laying around the network somewhere that's repeatedly trying to access it using an old password (likely).

Can someone suggest a way to track where the failed login attempts, and ultimately lockouts, are coming from?

Thanks,
Ithizar
0
Comment
Question by:Ithizar
7 Comments
 
LVL 76

Assisted Solution

by:Alan Hardisty
Alan Hardisty earned 1000 total points
ID: 35184653
Check your Security Event Logs and filter by Failure Audit - that should show the invalid login attempts.

Look down those entries and look at the source IP and the Processor ID being used.  Then fire up Task Manager (CTRL + SHIFT + ESC) and on the Processes Tab, add the PID column and then look for the Process ID.

If it is System - do you have Exchange on your server?

Check your firewall - do you have RDP (TCP Port 3389) open and forwarded to the server from all Remote IP Addresses?
0
 
LVL 13

Assisted Solution

by:BCipollone
BCipollone earned 1000 total points
ID: 35184686
Please read this to help solve your issue: http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 35184696
Take a look at this blog entry

http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

They have links to the account lockout and management tools.  The network traces can also be useful.  I'm with you it is most likely going to be a scheduled task or service that is using an old password.

Thanks

Mike
0
Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

 

Author Comment

by:Ithizar
ID: 35190833
Hmm.

I've checked the security logs on our domain controller, and what I'm seeing are dozens and dozens of entries for this user name where it says "pre-authentication failed" and it lists the IP address as the loopback address (127.0.0.1). Those are the only errors involving this user name that I can find. But there are tons of them, occurring every few seconds.

I'm posting the complete error details below.

Any thoughts?

Thanks,
Ithizar

Error Details:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            3/22/2011
Time:            11:03:57 AM
User:            NT AUTHORITY\SYSTEM
Computer:      CHTNSDC01
Description:
Pre-authentication failed:
       User Name:      tpinkerton
       User ID:            CHTN\tpinkerton
       Service Name:      krbtgt/CHTN
       Pre-Authentication Type:      0x2
       Failure Code:      0x12
       Client Address:      127.0.0.1
0
 

Accepted Solution

by:
Ithizar earned 0 total points
ID: 35224384
Found the answer! And, boy, was it obscure.

In the advanced DHCP properties of the server in question, it was set to authenticate using that user name. And apparently failing. I updated the credentials and the problem went away.

Now, why that had worked forever and then suddenly stopped working a few days before I posted my question, I have no idea. But there's the solution.

Thanks to everyone for your help!
0
 

Author Closing Comment

by:Ithizar
ID: 35275420
Accepting my own solution, but awarding points to those who helped point me toward the solution.
0
 
LVL 13

Expert Comment

by:BCipollone
ID: 35281682
Probably a password policy in place caused the problem. Do your passwords expire? - Anyway glad you found the problem.
0

Featured Post

Concerto's Cloud Advisory Services

Want to avoid the missteps to gaining all the benefits of the cloud? Learn more about the different assessment options from our Cloud Advisory team.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

850 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question