kwhelp asked:
Active Directory User Id frequently locked out

We have a user on our domain who is continually locked out - around 10 times per day. Originally thought this was due to a problem on her PC so we replaced the PC - no joy. The event logs on the DCs only show the following at the time of the lockout:

------------------------------------------
The computer attempted to validate the credentials for an account.

Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account:      XXXX
Source Workstation:      
Error Code:      0xc000006a

------------------------------------------

As you can see, the source workstation entry is empty - this is always the case. How can I find the source of the lockout?

thanks
Martin
Ajay Sharma:

Which version of server do you have? Is it SBS? If yes, then it could be an issue of user CALs, so please make sure that this user does have a proper CAL installed.
kwhelp (asker):
Sorry - should have mentioned, it's Server 2008 R2
Please have a look at Event Viewer and get back with the error event IDs from there, if you find any.
kwhelp (asker):
The event viewer on the DC only shows what I mentioned in the initial post.
The exact error indicates that the user's username is being used to access a resource BUT with an incorrect password. This is normally when a user has a mapped drive that they have saved the password for and then changed their password somewhere.
OR
There is a service set up and running that uses that user's details and the user has changed their password.
kwhelp (asker):
Yes, I know this. What I asked is how to find the source machine. Then I can check mappings/services etc.
Posting the entire event details would always be a good place to start with a question, not just a few lines that YOU think will be helpful.
kwhelp (asker):
Ah I see - apologies. Full details below:
--------------------------------------------------------------------------------
- System
  - Provider
    [ Name]  Microsoft-Windows-Security-Auditing
    [ Guid]  {54849625-5478-4994-A5BA-3E3B0328C30D}
    EventID 4776
    Version 0
    Level 0
    Task 14336
    Opcode 0
    Keywords 0x8010000000000000
  - TimeCreated
    [ SystemTime]  2012-01-30T11:07:04.834457700Z
    EventRecordID 133260474
    Correlation
  - Execution
    [ ProcessID]  484
    [ ThreadID]  4428
    Channel Security
    Computer XXXXX.XXX.XXX
    Security
- EventData
  PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  TargetUserName XXXX
  Workstation  
  Status 0xc000006a
a) Has the user changed their password recently?
and
b) Do they have a smartphone that they have connected via wireless to pick up email or whatever?

A common cause, especially when the computer field is blank.

kwhelp (asker):
Password hasn't been changed recently; it was last set in December in an attempt to solve the issue. They don't have a smartphone connected to their email, although they use webmail from home.
I used to use EventCombMT; you can download it from [ALTools.exe]:
http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

Please see the picture.
Go to Search > Account Lockout, then change the event IDs to 4625 4740 4771 4768 4776.
Note that domain admin privileges are needed.
1. On the Domain Controller, open Event Viewer and select Security Logs, right-click and select Filter Current Log.
2. In the Filter Current Log window, select the XML tab and select the check box that says "Edit Query Manually".
3. Once this check box is selected, you will be able to edit the XML tags in the window. Type the following text in that box and hit OK:
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*[System[(EventID=4771)]] and *[EventData[Data[1]='LAN ID']]</Select>
</Query>
</QueryList>
4. Now you will see only events related to the failed logon attempts for that user on that DC.
5. From the events, you can get the IP address of the client from where the authentication was requested. Check if any session for the user is active and kill the session, or disconnect the mapped drive which has been mapped to that server.
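The same hunt done from the command line, as an added example that is not part of the thread: it pulls the lockout (4740), Kerberos pre-auth failure (4771) and NTLM validation (4776) events for one account from the PDC emulator and prints whichever field carries the origin for each event type. It assumes the ActiveDirectory module is available and that the account name is passed in as $SamAccountName.

```powershell
# Added example (not from the thread). Account lockouts are always recorded on the
# PDC emulator, so that is the DC worth querying first.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,   # the locked-out account (assumption)
    [int]$Hours = 24
)

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)
$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since }

Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $id = $_.Id
        $x  = [xml]$_.ToXml()

        # Turn the <Data Name="..."> list into a hashtable so fields can be read by name.
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        if ($d.TargetUserName -ne $SamAccountName) { return }   # skip other accounts

        # Each event ID stores the origin in a different field.
        $source = switch ($id) {
            4740 { $d.TargetDomainName }   # shown as "Caller Computer Name" in the UI
            4771 { $d.IpAddress }          # client IP of the Kerberos AS request
            4776 { $d.Workstation }        # often blank, exactly as in the asker's event
        }

        [pscustomobject]@{
            Time   = $_.TimeCreated
            Id     = $id
            Status = $d.Status                 # 0x18 (4771) or 0xc000006a (4776) = bad password
            Source = if ($source) { $source } else { '<blank>' }
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

When 4776 shows a blank workstation but 4771 shows an IP address, the IP is the lead to chase (a wireless client, as in the asker's case, will show up there even though it never appears as a computer name).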
kwhelp (asker):
Finally got to the bottom of this for anyone interested. The user had incorrectly configured the WiFi on their personal device to connect to the corporate wifi using domain credentials. So, every time she was on site, it attempted a bad password every 6 minutes till she left site and was out of range.
Annoying........
I love IT lol
I came across this little gem recently. We had a user that was getting locked just about every day. It would usually occur at logon or sometime shortly thereafter (timing was never consistent).

We used the lockout tools to determine that the lockout was coming from a desktop that she had never used. It turned out that the user naming convention y0000000 was part of the issue. The user on the machine that was locking out the account had transposed two numbers to match the locked out user account. It had gotten cached so when the user on the lockout machine logged in the other account would get locked out. We opened the Credential Store and deleted the offending entry.

Fun!