Solved

User accounts being locked out.  event id 675

Posted on 2012-03-12
5
669 Views
Last Modified: 2012-04-03
I have multiple users that are being locked out of their accounts.  Some of them are being locked out very quickly.

I have a 2003 domain with a Vista, Windows 7, and a few XP machines left.  All my DC's are 2003, I have one at each of 6 locations.  Users from 4 locations have reported being locked out.  There are about 1400 users on the domain.

This is the error I am receiving:


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            3/12/2012
Time:            8:45:42 AM
User:            NT AUTHORITY\SYSTEM
Computer:      ADMDC03
Description:
Pre-authentication failed:
       User Name:      bblake
       User ID:            DOMAIN\bblake
       Service Name:      krbtgt/mydomain.LOCAL
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      10.0.10.76


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
Comment
Question by:spacoit
  • 3
  • 2
5 Comments
 
LVL 5

Expert Comment

by:rkeith2412
ID: 37709807
Have a look at http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675

"TGT failures are usually due to a bad password or time synchronization between workstation and domain controller."

If this just started today you could have some servers or workstations that didn't update with DST.

Failure code 0x18 (24 in decimal) most likely means the user entered their password wrong.  It could also be they are logged into a second location and have changed their password, this is the biggest reason I see for account lockouts on our network.  I have also seen software that installs a windows service as the user instead of the local system causing authentication failures after a password change.
0
 

Author Comment

by:spacoit
ID: 37709886
Thanks I will take a look at the link you sent.

This issue has been happening for a couple months now.  First it was just one or two users, but each week it is happening to more.

Some of the users do log on to multiple machines, but some do not.
0
 
LVL 5

Expert Comment

by:rkeith2412
ID: 37709925
Even if it has been happening for a while you could still have a timing issue if some of the workstations are not getting time updates from the PDC.
0
 

Accepted Solution

by:
spacoit earned 0 total points
ID: 37782803
Turned out to the user had store her credentials in the MS keymgr.

used "control keymgr.dll" from command prompt to open the key manager.  Deleted her saved settings and all was well.
0
 

Author Closing Comment

by:spacoit
ID: 37800008
This is the solution that worked for me.
0

Featured Post

What Is Threat Intelligence?

Threat intelligence is often discussed, but rarely understood. Starting with a precise definition, along with clear business goals, is essential.

Join & Write a Comment

Suggested Solutions

Easy CSR creation in Exchange 2007,2010 and 2013
This process describes the steps required to Import and Export data from and to .pst files using Exchange 2010. We can use these steps to export data from a user to a .pst file, import data back to the same or a different user, or even import data t…
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now