User accounts being locked out. event id 675

I have multiple users that are being locked out of their accounts.  Some of them are being locked out very quickly.

I have a 2003 domain with a Vista, Windows 7, and a few XP machines left.  All my DC's are 2003, I have one at each of 6 locations.  Users from 4 locations have reported being locked out.  There are about 1400 users on the domain.

This is the error I am receiving:


Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            3/12/2012
Time:            8:45:42 AM
User:            NT AUTHORITY\SYSTEM
Computer:      ADMDC03
Description:
Pre-authentication failed:
       User Name:      bblake
       User ID:            DOMAIN\bblake
       Service Name:      krbtgt/mydomain.LOCAL
       Pre-Authentication Type:      0x2
       Failure Code:      0x18
       Client Address:      10.0.10.76


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
spacoitAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
spacoitConnect With a Mentor Author Commented:
Turned out to the user had store her credentials in the MS keymgr.

used "control keymgr.dll" from command prompt to open the key manager.  Deleted her saved settings and all was well.
0
 
rkeith2412Commented:
Have a look at http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675

"TGT failures are usually due to a bad password or time synchronization between workstation and domain controller."

If this just started today you could have some servers or workstations that didn't update with DST.

Failure code 0x18 (24 in decimal) most likely means the user entered their password wrong.  It could also be they are logged into a second location and have changed their password, this is the biggest reason I see for account lockouts on our network.  I have also seen software that installs a windows service as the user instead of the local system causing authentication failures after a password change.
0
 
spacoitAuthor Commented:
Thanks I will take a look at the link you sent.

This issue has been happening for a couple months now.  First it was just one or two users, but each week it is happening to more.

Some of the users do log on to multiple machines, but some do not.
0
 
rkeith2412Commented:
Even if it has been happening for a while you could still have a timing issue if some of the workstations are not getting time updates from the PDC.
0
 
spacoitAuthor Commented:
This is the solution that worked for me.
0
All Courses

From novice to tech pro — start learning today.