spacoit
asked on
User accounts being locked out. event id 675
I have multiple users that are being locked out of their accounts. Some of them are being locked out very quickly.
I have a 2003 domain with a Vista, Windows 7, and a few XP machines left. All my DC's are 2003, I have one at each of 6 locations. Users from 4 locations have reported being locked out. There are about 1400 users on the domain.
This is the error I am receiving:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 3/12/2012
Time: 8:45:42 AM
User: NT AUTHORITY\SYSTEM
Computer: ADMDC03
Description:
Pre-authentication failed:
User Name: bblake
User ID: DOMAIN\bblake
Service Name: krbtgt/mydomain.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.0.10.76
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
I have a 2003 domain with a Vista, Windows 7, and a few XP machines left. All my DC's are 2003, I have one at each of 6 locations. Users from 4 locations have reported being locked out. There are about 1400 users on the domain.
This is the error I am receiving:
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 3/12/2012
Time: 8:45:42 AM
User: NT AUTHORITY\SYSTEM
Computer: ADMDC03
Description:
Pre-authentication failed:
User Name: bblake
User ID: DOMAIN\bblake
Service Name: krbtgt/mydomain.LOCAL
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 10.0.10.76
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
ASKER
Thanks I will take a look at the link you sent.
This issue has been happening for a couple months now. First it was just one or two users, but each week it is happening to more.
Some of the users do log on to multiple machines, but some do not.
This issue has been happening for a couple months now. First it was just one or two users, but each week it is happening to more.
Some of the users do log on to multiple machines, but some do not.
Even if it has been happening for a while you could still have a timing issue if some of the workstations are not getting time updates from the PDC.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This is the solution that worked for me.
"TGT failures are usually due to a bad password or time synchronization between workstation and domain controller."
If this just started today you could have some servers or workstations that didn't update with DST.
Failure code 0x18 (24 in decimal) most likely means the user entered their password wrong. It could also be they are logged into a second location and have changed their password, this is the biggest reason I see for account lockouts on our network. I have also seen software that installs a windows service as the user instead of the local system causing authentication failures after a password change.