Account Lockout in Server 2003 coming from Server 2008 Machine

I too am experiencing a persistent account lockout issue on a user ... me!  I've read literally dozens of articles, here & elsewhere, and can't seem to get it resolved.  Would welcome any help possible.  So, here's where I'm at and what I've done so far:

* Downloaded Account Lockout and Management Tools
* Installed on -> "Server-DC"
   -> Server-DC is a Windows Server 2003
* Identified the guilty system -> "Machine-BadSender"
   -> Machine-BadSender is a Windows Server 2008 R2
* Ran per the Readme.txt instructions
   1) Copy alockout.dll to system32 directory on machine sending bad credentials.
   2) Run the appinit.reg script to add the dll to the Appinit_DLL key.
   3) Restart machine
   4) Wait for account to lockout on that machine
* The output (Alockout.LOG) will be created in the winnt\debug (Windows\debug) directory
   -> note: this is NOT getting created, fyi
===================================================================
* On the Server-DC, receiving the following events of note in the logs
   Security Logs -> 680, 675, 539
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      userid
 Source Workstation:      MACHINE_BADSENDER
 Error Code:      0xC0000234
----------------------------------------------------------------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Description:
Pre-authentication failed:
       User Name:      userid
       User ID:            domain\userid
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x0
       Failure Code:      0x12
       Client Address:      192.168.10.139
-------------------------------------------------------------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      userid
       Domain:      domain
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      MACHINE-BADSENDER
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.10.139
       Source Port:      59404
--------------------------------------------------------------------------------------------------------------------------------
Additionally, the following are received in the System Logs -> 12294, 3

Event Type:      Error
Event Source:      SAM
Event Category:      None
Event ID:      12294
Date:            3/28/2012
Time:            10:26:55 AM
User:            DOMAIN\userid
Computer:      SERVER-DC
Description:
The SAM database was unable to lockout the account of userid due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Data:
0000: a5 02 00 c0               ¥..À    
--------------------------------------------------------------------------------------------------------------------------
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      3
Date:            3/28/2012
Time:            10:15:47 AM
User:            N/A
Computer:      SERVER-DC
Description:
A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 14:15:47.0000 3/28/2012 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: DOMAIN.LOCAL
 Server Name: host/server-dc.domain.local
 Target Name: host/server-dc.domain.local@DOMAIN.LOCAL
 Error Text:
 File: 9
 Line: b22
 Error Data is in record data.

Data:
0000: 03a11530 a2030102 bb0c040e 00c00000
0010: 03000000 000000
--------------------------------------------------------------------------------------------------------------------

I have searched the following resources and can't seem to find THE resolution:
 * Experts Exchange
 * EventID.net
 * Microsoft Forums
note: of course it's certainly possible I have missed one and/or missed a step along the way

It seems I've been able to identify the guilty party, but, can't nail down the service/issue that's causing it.  It should be noted the following as well:
  * When I shut down the computer MACHINE-BADSENDER, I can successfully access the network with my userid.

Any help would be greatly appreciated, thanks.
pridenetadmin Asked:
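An added example, not from the original post: Python that parses event text in the layout pasted above, tallies failures per source and account, and names the status codes, including the little-endian NTSTATUS in the data bytes of event 12294. The sample events and all function names are constructed for illustration.

```python
import re
from collections import Counter

NTSTATUS = {0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
            0xC00002A5: "STATUS_DS_BUSY"}  # standard NTSTATUS values
KRB_ERR = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x18: "KDC_ERR_PREAUTH_FAILED"}  # RFC 4120
SOURCE_KEYS = ("Source Workstation", "Workstation Name", "Client Address")
FIELD = re.compile(r"^[ \t]*([^:\n]+?):[ \t]*(.*?)[ \t]*$", re.M)

# Constructed sample in the layout of the events pasted above (not real log data).
SAMPLE = """\
Event ID:      680
 Logon account:      userid
 Source Workstation:      MACHINE_BADSENDER
 Error Code:      0xC000006A
--------------------
Event ID:      680
 Logon account:      userid
 Source Workstation:      MACHINE_BADSENDER
 Error Code:      0xC0000234
--------------------
Event ID:      675
       User Name:      userid
       Failure Code:      0x12
       Client Address:      192.168.10.139
"""

def parse_events(text):
    """Split on dashed separator lines; return one {field: value} dict per event."""
    blocks = re.split(r"^-{5,}[ \t]*$", text, flags=re.M)
    return [e for e in (dict(FIELD.findall(b)) for b in blocks) if "Event ID" in e]

def reason_of(ev):
    """Name the status code: NTSTATUS for event 680, Kerberos error for event 675."""
    for key, table in (("Error Code", NTSTATUS), ("Failure Code", KRB_ERR)):
        if key in ev:
            return table.get(int(ev[key], 16), ev[key])
    return ev.get("Reason", "unknown")  # event 539 gives plain text

def decode_event_data(hex_bytes):  # 'Data:' bytes of event 12294: little-endian NTSTATUS
    value = int.from_bytes(bytes.fromhex(hex_bytes), "little")
    return NTSTATUS.get(value, hex(value))

def summarize(text):  # failure count per (source, account, reason)
    return Counter((next((e[k].upper() for k in SOURCE_KEYS if k in e), "UNKNOWN"),
                    e.get("Logon account") or e.get("User Name"), reason_of(e))
                   for e in parse_events(text))

if __name__ == "__main__":
    print(summarize(SAMPLE), decode_event_data("a5 02 00 c0"))
```

A run of STATUS_WRONG_PASSWORD entries from one source followed by STATUS_ACCOUNT_LOCKED_OUT or KDC_ERR_CLIENT_REVOKED is the pattern of a stale stored credential being retried until the lockout threshold is reached.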

Geodash Commented:
How many machines on your domain? I have used Newt before for a similar issue. You can query the first 25 machines on the domain for free by IP. Make sure the machine in question is in the list. Do a complete query, then look at all of the services by searching for your username. See if this helps...


http://www.komodolabs.com/

Download the free version
0
Premkumar Yogeswaran, Sr. Analyst - System Administrator, Commented:
Follow the below steps for account lockout issue:

Note: Do the below steps from PDC

Step 1:
dsquery user -name username
Output - "CN=testuser,OU=Test,DC=test,DC=com"

Step 2:
Repadmin /showmeta "user DN"
Repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com"

use below command to filter lockout:
Repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com"  | find /i "lockout"

Note the server name where the lockout is pointing to.

Step 3:
Dumpel -f c:\lockout.txt -s DC01 -l security -m security -e 644 642 529 539 680

after the command completed
check the output file for the username

It denotes the system or server from where the account got locked.

Additionally you can also use Microsoft ALTools to troubleshoot account lockouts

Regards,
Prem
0
pridenetadmin (Author) Commented:
I will try this now, thanks.
0
pridenetadmin (Author) Commented:
Having trouble running some of these commands, but, I did use the Microsoft ALTools and determined the system that was causing the account lockouts (Machine-BadSender) and the DC locally locking out (SERVER-DC).

Note:
Ran Step 1 but it didn't show any output, should it have?
Can't seem to get the syntax correct on Step 2

Thanks for the input though.
0
pridenetadmin (Author) Commented:
Geodash, I didn't see your post, will take a look at your recommendation.  I have manually checked the services, but, must be missing something.

Thanks.
0
Geodash Commented:
It is a great program and may help you!
0
pridenetadmin (Author) Commented:
I installed and ran the Komodo Labs program, yes it's very nice - thanks for the reference.

Per the Services listed in the program, none were associated with the account that's currently locked out.
0
larry urban, DevOps Engineer, Commented:
Why not try removing and re-adding the "Machine-BadSender" from the domain.
0
pridenetadmin (Author) Commented:
Todar, I think I will give that a try, thanks.
0
pridenetadmin (Author) Commented:
I did remove the machine from the domain and then added back, no change in the Account Lockout status.  Any other ideas how to narrow this down?

Thanks.
0
pridenetadmin (Author) Commented:
Determined the program causing the issue.  When shutting down this program account was no longer locked out.  Believe there was a cached credential issue from initial install, but, couldn't determine specifics.  Ended up reinstalling the program and using a system account (and documenting).  Thanks for all the help, educational exercise regardless.
0

pridenetadmin (Author) Commented:
I solved the problem, thus, it's the correct answer.
0