Account lockout issue in Windows 2003 server AD

Hi,

We have a Windows 2003 Server Active Directory environment (with Service Pack 2).

Problem details:
All system accounts are getting locked automatically....

Event ID:675
Description:  Pre-authentication failed

Kindly suggest..
Amitmane Asked:

Kruno Džoić (System Engineer) Commented:
In Group Policy, change locking the account after 3 bad passwords to 10.

Vinchenzo-the-Second Commented:
You've not changed the passwords on these accounts, have you? Were any updates applied on the DCs before this started to happen?

Amitmane (Author) Commented:
In Group Policy it is 5 invalid passwords.

We have not changed the password of those accounts... and no updates were applied on the DC.

Amitmane (Author) Commented:
Also checked by disabling the account lockout policy from Group Policy... but not resolved.

Share-IT Commented:
Are the passwords for the service accounts set to expire?

The event you see is triggered when someone uses an incorrect password for a valid account.

If it's ALL service accounts, my guess is something or someone updated a policy that set all users' passwords to expire.

Vinchenzo-the-Second Commented:
You can see what device is triggering the authentication, but you need to search the security log on the DC(s) for event IDs 529, 644, 675, 676, 681. If you have a number of DCs you can use EventComb to search the logs for you.

Share-IT Commented:
You will likely need to reset the passwords manually via ADUC.

Vinchenzo-the-Second Commented:
Once you reset the passwords using ADUC you need to also change the password on the service for that account, as it will hold the old password

Share-IT Commented:
Unless you set it to the existing password of course. ;)

Amitmane (Author) Commented:
Even if we reset the password... it's getting locked after some time, and all AD users are complaining of the same.

Vinchenzo-the-Second Commented:
You need to find where the lock outs are coming from.  You need to search the security log for event IDs  529, 644, 675, 676, 681.  This will tell you the machine that is locking out the account.

Share-IT Commented:
Are we talking ALL accounts or just a few here and there?

As has been said, you need to find out what machine is locking it out, as it could be a brute force attack.

Do the eventlogs on the DCs reveal any other errors that should be a cause for concern?

Amitmane (Author) Commented:
It is not about a particular machine... all user accounts are getting locked.

Amitmane (Author) Commented:
In the event logs... it is generating event ID 675.

Vinchenzo-the-Second Commented:
When you say all accounts, is this also normal user accounts?

Amitmane (Author) Commented:
Yes.....

Amitmane (Author) Commented:
Is there any Windows update which needs to be applied?

Vinchenzo-the-Second Commented:
Are your DCs and clients up to date with the latest Microsoft patches?

Kruno Džoić (System Engineer) Commented:
Probably you have a worm (or similar pests) in your network; check events for login attempts.

Kruno Džoić (System Engineer) Commented:
Do you use a VPN?

From some website:

 "the VPN username is the same as the Windows account username, but the passwords are different (because the VPN connects to a firewall, not a Windows server), however when accessing network resources Windows seems to be trying the VPN credentials first - because the account name is the same, the password failures cause the Windows account to become locked."

Amitmane (Author) Commented:
Yes... DC and client PCs are updated with the latest patches.

Vinchenzo-the-Second Commented:
This may help:
http://forum.kaspersky.com/index.php?showtopic=98887

You may have the Net-Worm.Win32.Kido.xx virus. Look at the Microsoft article:
http://support.microsoft.com/?scid=kb%3Ben-us%3B962007&x=14&y=17

SeaSenor Commented:
What is the error code? (not event ID)

SeaSenor Commented:
or "Failure Code" rather...
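
The log search suggested in this thread (event 675 grouped by the machine it came from, together with the Failure Code asked about above), as an added example that is not part of any post. It assumes the 675 records have been exported from the DC security logs to text, one record per line, carrying the event's User Name, Failure Code and Client Address fields; the sample records, names and addresses are constructed.

```python
import re
from collections import defaultdict

# Kerberos error codes (RFC 4120) shown as "Failure Code" in event 675.
FAILURE_CODES = {0x12: "account disabled, expired or locked out",
                 0x17: "password has expired",
                 0x18: "wrong password",
                 0x25: "clock skew too great"}
RECORD = re.compile(r"User Name:\s*(?P<user>\S+).*?"
                    r"Failure Code:\s*(?P<code>0x[0-9A-Fa-f]+).*?"
                    r"Client Address:\s*(?P<client>\S+)")
_ROW = ("675 DC01 Pre-authentication failed: User Name: {} Service Name: "
        "krbtgt/EXAMPLE Pre-Authentication Type: 0x2 Failure Code: {} "
        "Client Address: {}")
# Constructed sample; one record per line is an assumed export layout.
SAMPLE = "\n".join(_ROW.format(*r) for r in [
    ("alice", "0x18", "10.0.0.57"), ("alice", "0x18", "10.0.0.57"),
    ("bob", "0x18", "10.0.0.57"), ("carol", "0x18", "10.0.0.57"),
    ("alice", "0x12", "10.0.0.57"),
    ("svc_backup", "0x18", "10.0.0.12"), ("svc_backup", "0x18", "10.0.0.12"),
])

def summarize(text):
    """Return {client: {user: {failure_code: count}}} for event 675 records."""
    table = defaultdict(lambda: defaultdict(lambda: defaultdict(int)))
    for line in text.splitlines():
        m = RECORD.search(line)
        if m:
            table[m["client"]][m["user"]][int(m["code"], 16)] += 1
    return table

def many_account_sources(table, min_accounts=3):
    """Clients that sent wrong passwords (0x18) for several different accounts."""
    hits = {}
    for client, users in table.items():
        bad = sorted(u for u, codes in users.items() if codes.get(0x18))
        if len(bad) >= min_accounts:
            hits[client] = bad
    return hits

if __name__ == "__main__":
    table = summarize(SAMPLE)
    for client, users in sorted(table.items()):
        for user, codes in sorted(users.items()):
            for code, n in sorted(codes.items()):
                print(f"{client:<11} {user:<11} {n}x {code:#x} "
                      f"{FAILURE_CODES.get(code, 'other')}")
    print("many-account sources:", many_account_sources(table))
```

A client address failing for a single account points at a stored old password on that machine, while one address failing across many accounts is the machine to inspect first for the worm or brute-force activity raised in the thread.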

Amitmane (Author) Commented:
partially agree