Account Lockout in Server 2003 coming from Server 2008 Machine

Posted on 2012-03-28
Last Modified: 2012-07-15
I too am experiencing a persistent account lockout issue on a user ... me!  I've read literally dozens of articles, here & elsewhere, and can't seem to get it resolved.  Would welcome any help possible.  So, here's where I'm at and what I've done so far:

* Downloaded Account Lockout and Management Tools
* Installed on -> "Server-DC"
   -> Server-DC is a Windows Server 2003
* Identified the guilty system -> "Machine-BadSender"
   -> Machine-BadSender is a Windows Server 2008 R2
* Ran per the Readme.txt instructions
   1) Copy alockout.dll to system32 directory on machine sending bad credentials.
   2) Run the appinit.reg script to add the dll to the Appinit_DLL key.
   3) Restart machine
   4) Wait for account to lockout on that machine
* The output (Alockout.LOG) will be created in the winnt\debug (Windows\debug) directory
   -> note: this is NOT getting created, fyi
* On the Server-DC, receiving the following events of note in the logs
   Security Logs -> 680, 675, 539

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
 Logon account:      userid
 Source Workstation:      MACHINE_BADSENDER
 Error Code:      0xC0000234

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Pre-authentication failed:
       User Name:      userid
       User ID:            domain\userid
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x0
       Failure Code:      0x12
       Client Address:

Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Logon Failure:
       Reason:            Account locked out
       User Name:      userid
       Domain:      domain
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      MACHINE-BADSENDER
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:
       Source Port:      59404

Additionally, the following are received in the System Logs -> 12294, 3

Event Type:      Error
Event Source:      SAM
Event Category:      None
Event ID:      12294
Date:            3/28/2012
Time:            10:26:55 AM
User:            DOMAIN\userid
Computer:      SERVER-DC
The SAM database was unable to lockout the account of userid due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

0000: a5 02 00 c0               ¥..À

Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      3
Date:            3/28/2012
Time:            10:15:47 AM
User:            N/A
Computer:      SERVER-DC
A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 14:15:47.0000 3/28/2012 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: DOMAIN.LOCAL
 Server Name: host/server-dc.domain.local
 Target Name: host/server-dc.domain.local@DOMAIN.LOCAL
 Error Text:
 File: 9
 Line: b22
 Error Data is in record data.

0000: 03a11530 a2030102 bb0c040e 00c00000
0010: 03000000 000000

I have searched the following resources and can't seem to find THE resolution:
 * Experts Exchange
 * Microsoft Forums
note: of course it's certainly possible I have missed one and/or missed a step along the way

It seems I've been able to identify the guilty party, but, can't nail down the service/issue that's causing it.  It should be noted the following as well:
  * When I shut down the computer MACHINE-BADSENDER, I can successfully access the network with my userid.

Any help would be greatly appreciated, thanks.
Question by:pridenetadmin

Expert Comment

ID: 37777035
How many machines on your domain? I have used Newt before for a similar issue. You can query the first 25 machines on the domain for free by IP. Make sure the machine in question is in the list. Do a complete query, then look at all of the services by searching for your username. See if this helps...


Expert Comment

by:Premkumar Yogeswaran
ID: 37777047
Follow the below steps for account lockout issue:

Note: Do the below steps from PDC

Step 1:
dsquery user -name username
Output - "CN=testuser,OU=Test,DC=test,DC=com"

Step 2:
Repadmin /showmeta "user DN"
Repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com"

use below command to filter lockout:
Repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com"  | find /i "lockout"

note the server name where the lockout is pointing to.

Step 3:
Dumpel -f c:\lockout.txt -s DC01 -l security -m security -e 644 642 529 539 680

After the command has completed, check the output file for the username.

It denotes the system or server from where the account got locked.

Additionally you can also use Microsoft ALTools to troubleshoot account lockouts
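
Added example, not part of the original answer: Step 3 ends with reading the dumped events for the username, and this Python sketch does that tally over Event Viewer text in the field layout quoted in the question, counting failures per source machine and decoding the status codes. The sample records, account names and function names are constructed for illustration.

```python
import re
from collections import Counter

# Well-known NTSTATUS (event 680) and Kerberos (event 675) failure codes.
CODES = {"0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT", "0xc000006a": "STATUS_WRONG_PASSWORD",
         "0x12": "KDC_ERR_CLIENT_REVOKED", "0x18": "KDC_ERR_PREAUTH_FAILED"}
FIELD = re.compile(r"^[ \t]*([A-Za-z][A-Za-z /-]*?):[ \t]*(.*?)[ \t]*$", re.M)
SOURCE_KEYS = ("source workstation", "workstation name", "client address")

def parse_events(text):
    """One dict of lower-cased field names per record; records start at 'Event Type:'."""
    chunks = re.split(r"(?m)^Event Type:", text)
    events = [{k.lower(): v for k, v in FIELD.findall(c)} for c in chunks]
    return [e for e in events if "event id" in e]

def summarize(text, account):
    """Count failure events for `account` by source machine and by decoded code."""
    by_source, by_code = Counter(), Counter()
    for ev in parse_events(text):
        user = ev.get("logon account") or ev.get("user name") or ""
        if user.lower() != account.lower():
            continue
        source = next((ev[k].upper() for k in SOURCE_KEYS if ev.get(k)), "(blank)")
        by_source[source] += 1
        code = (ev.get("error code") or ev.get("failure code") or "").lower()
        if code:
            by_code[CODES.get(code, code)] += 1
    return by_source, by_code

# Constructed sample in the layout of the events quoted in the question (not real data).
SAMPLE = """\
Event Type: Failure Audit
Event ID: 680
 Logon account: jdoe
 Source Workstation: APP01
 Error Code: 0xC0000234
Event Type: Failure Audit
Event ID: 675
       User Name: jdoe
       Failure Code: 0x12
       Client Address:
Event Type: Failure Audit
Event ID: 539
       User Name: jdoe
       Workstation Name: app01
Event Type: Failure Audit
Event ID: 680
 Logon account: asmith
"""
```

Calling `summarize(SAMPLE, "jdoe")` returns the per-source and per-code counters; a record whose source fields are all empty, like the 675 event's blank Client Address, is counted under "(blank)" rather than dropped.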


Author Comment

ID: 37777106
I will try this now, thanks.


Author Comment

ID: 37777169
Having trouble running some of these commands, but, I did use the Microsoft ALTools and determined the system that was causing the account lockouts (Machine-BadSender) and the DC locally locking out (SERVER-DC).

Ran Step 1 but it didn't show any output, should it have?
Can't seem to get the syntax correct on Step 2.

Thanks for the input though.

Author Comment

ID: 37777231
Geodash, I didn't see your post, will take a look at your recommendation.  I have manually checked the services, but, must be missing something.


Expert Comment

ID: 37777250
It is a great program and may help you!

Author Comment

ID: 37777320
I installed and ran the Komodo Labs program, yes it's very nice - thanks for the reference.

Per the Services listed in the program, none were associated with the account that's currently locked out.

Expert Comment

by:larry urban
ID: 37778045
Why not try removing and re-adding the "Machine-BadSender" from the domain?

Author Comment

ID: 37778426
Todar, I think I will give that a try, thanks.

Author Comment

ID: 37812229
I did remove the machine from the domain and then added back, no change in the Account Lockout status.  Any other ideas how to narrow this down?


Accepted Solution

pridenetadmin earned 0 total points
ID: 38171200
Determined the program causing the issue.  When shutting down this program account was no longer locked out.  Believe there was a cached credential issue from initial install, but, couldn't determine specifics.  Ended up reinstalling the program and using a system account (and documenting).  Thanks for all the help, educational exercise regardless.

Author Closing Comment

ID: 38187114
I solved the problem, thus, it's the correct answer.
