Pride Sports asked:

Account Lockout in Server 2003 coming from Server 2008 Machine

I too am experiencing a persistent account lockout issue on a user ... me!  I've read literally dozens of articles, here & elsewhere, and can't seem to get it resolved.  Would welcome any help possible.  So, here's where I'm at and what I've done so far:

* Downloaded Account Lockout and Management Tools
* Installed on -> "Server-DC"
   -> Server-DC is a Windows Server 2003
* Identified the guilty system -> "Machine-BadSender"
   -> Machine-BadSender is a Windows Server 2008 R2
* Ran per the Readme.txt instructions
   1)Copy alockout.dll to system32 directory on machine sending bad credentials.
   2)Run the appinit.reg script to add the dll to the Appinit_DLL key.
   3)Restart machine
   4) wait for account to lockout on that machine
* The output (Alockout.LOG) will be created in the winnt\debug (Windows\debug) directory
   -> note: this is NOT getting created, fyi
===================================================================
* On the Server-DC, receiving the following events of note in the logs
   Security Logs -> 680, 675, 539
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      userid
 Source Workstation:      MACHINE_BADSENDER
 Error Code:      0xC0000234
----------------------------------------------------------------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Description:
Pre-authentication failed:
       User Name:      userid
       User ID:            domain\userid
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x0
       Failure Code:      0x12
       Client Address:      192.168.10.139
-------------------------------------------------------------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      userid
       Domain:      domain
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      MACHINE-BADSENDER
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.10.139
       Source Port:      59404
--------------------------------------------------------------------------------------------------------------------------------
Additionally, the following are received in the System Logs -> 12294, 3

Event Type:      Error
Event Source:      SAM
Event Category:      None
Event ID:      12294
Date:            3/28/2012
Time:            10:26:55 AM
User:            DOMAIN\userid
Computer:      SERVER-DC
Description:
The SAM database was unable to lockout the account of userid due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Data:
0000: a5 02 00 c0               ¥..À    
--------------------------------------------------------------------------------------------------------------------------
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      3
Date:            3/28/2012
Time:            10:15:47 AM
User:            N/A
Computer:      SERVER-DC
Description:
A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 14:15:47.0000 3/28/2012 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: DOMAIN.LOCAL
 Server Name: host/server-dc.domain.local
 Target Name: host/server-dc.domain.local@DOMAIN.LOCAL
 Error Text:
 File: 9
 Line: b22
 Error Data is in record data.

Data:
0000: 03a11530 a2030102 bb0c040e 00c00000
0010: 03000000 000000
--------------------------------------------------------------------------------------------------------------------

I have searched the following resources and can't seem to find THE resolution:
 * Experts Exchange
 * EventID.net
 * Microsoft Forums
note: of course it's certainly possible I have missed one and/or missed a step along the way

It seems I've been able to identify the guilty party, but, can't nail down the service/issue that's causing it.  It should be noted the following as well:
  * When I shut down the computer MACHINE-BADSENDER, I can successfully access the network with my userid.

Any help would be greatly appreciated, thanks.
Geodash

How many machines on your domain? I have used Newt before for a similar issue. You can query the first 25 machines on the domain for free by IP. Make sure the machine in question is in the list. Do a complete query, then look at all of the services by searching for your username. See if this helps...


http://www.komodolabs.com/

Download the free version
Premkumar Yogeswaran
Follow the below steps for account lockout issue:

Note: Do the below steps from PDC

Step 1:
dsquery user -name username
Output - "CN=testuser,OU=Test,DC=test,DC=com"

Step 2:
Repadmin /showmeta "user DN"
Repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com"

use below command to filter lockout:
Repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com"  | find /i "lockout"

Note the server name where the lockout is pointing to.

Step 3:
Dumpel -f c:\lockout.txt -s DC01 -l security -m security -e 644 642 529 539 680

after the command completed
check the output file for the username

It denotes the system or server from where the account got locked.

Additionally you can also use Microsoft ALTools to troubleshoot account lockouts

Regards,
Prem
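
The correlation that Step 3 asks for, as an added example (not part of the post above and not a Microsoft tool): it reads events in the copied Event Viewer text layout shown in the question, not Dumpel's output, and tallies failed logons for one account per source machine. The function names `parse_records` and `lockout_sources`, the code table and the sample records are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Failure codes seen in lockout triage: NTSTATUS (event 680), Kerberos (event 675).
CODES = {"0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT", "0xc000006a": "STATUS_WRONG_PASSWORD",
         "0x12": "KDC_ERR_CLIENT_REVOKED", "0x18": "KDC_ERR_PREAUTH_FAILED"}
# Constructed sample in the copied Event Viewer layout used in the question.
SAMPLE = """\
Event ID:      680
 Logon account:      userid
 Source Workstation:      MACHINE-BADSENDER
 Error Code:      0xC0000234
--------------------
Event ID:      675
       User Name:      userid
       Failure Code:      0x12
       Client Address:      192.168.10.139
--------------------
Event ID:      539
       User Name:      userid
       Workstation Name:      MACHINE-BADSENDER
       Source Network Address:      192.168.10.139
--------------------
Event ID:      680
 Logon account:      otheruser
 Source Workstation:      MACHINE-OTHER
 Error Code:      0xC000006A
"""

def parse_records(text):
    """Split on dashed separator lines; return one {field: value} dict per event."""
    chunks = re.split(r"(?m)^-{10,}[ \t]*$", text)
    parsed = [dict(re.findall(r"(?m)^[ \t]*([^:\n]+?):[ \t]+(\S.*?)[ \t]*$", c)) for c in chunks]
    return [r for r in parsed if "Event ID" in r]

def lockout_sources(text, user):
    """Tally failed logons for `user` per source host, mapping bare IPs via event 539."""
    recs = [r for r in parse_records(text)
            if user.lower() == (r.get("Logon account") or r.get("User Name", "")).lower()]
    ip_to_host = {r["Source Network Address"]: r["Workstation Name"] for r in recs
                  if "Source Network Address" in r and "Workstation Name" in r}
    hits, codes = Counter(), Counter()
    for r in recs:
        src = r.get("Source Workstation") or r.get("Workstation Name") or r.get("Client Address", "?")
        hits[ip_to_host.get(src, src)] += 1
        code = (r.get("Error Code") or r.get("Failure Code") or "").lower()
        if code:
            codes[CODES.get(code, code)] += 1
    return hits, codes
```

Event 675 carries only a client address, so the name-to-address pairing from event 539 is what lets all three event types count toward the same machine.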
Pride Sports (ASKER)

I will try this now, thanks.
Having trouble running some of these commands, but, I did use the Microsoft ALTools and determined the system that was causing the account lockouts (Machine-BadSender) and the DC locally locking out (SERVER-DC).

Note:
Ran Step 1 but it didn't show any output, should it have?
Can't seem to get the syntax correct on Step 2

Thanks for the input though.
Geodash, I didn't see your post, will take a look at your recommendation.  I have manually checked the services, but, must be missing something.

Thanks.
It is a great program and may help you!
I installed and ran the Komodo Labs program, yes it's very nice - thanks for the reference.

Per the Services listed in the program, none were associated with the account that's currently locked out.
Why not try removing and re-adding the "Machine-BadSender" from the domain.
Todar, I think I will give that a try, thanks.
I did remove the machine from the domain and then added back, no change in the Account Lockout status.  Any other ideas how to narrow this down?

Thanks.
ASKER CERTIFIED SOLUTION
Pride Sports
I solved the problem, thus, it's the correct answer.