Solved

Account Lockout in Server 2003 coming from Server 2008 Machine

Posted on 2012-03-28
Last Modified: 2012-07-15
I too am experiencing a persistent account lockout issue on a user ... me!  I've read literally dozens of articles, here & elsewhere, and can't seem to get it resolved.  Would welcome any help possible.  So, here's where I'm at and what I've done so far:

* Downloaded Account Lockout and Management Tools
* Installed on -> "Server-DC"
   -> Server-DC is a Windows Server 2003
* Identified the guilty system -> "Machine-BadSender"
   -> Machine-BadSender is a Windows Server 2008 R2
* Ran per the Readme.txt instructions
   1) Copy alockout.dll to system32 directory on machine sending bad credentials.
   2) Run the appinit.reg script to add the dll to the Appinit_DLL key.
   3) Restart machine
   4) Wait for account to lockout on that machine
* The output (Alockout.LOG) will be created in the winnt\debug (Windows\debug) directory
   -> note: this is NOT getting created, fyi
===================================================================
* On the Server-DC, receiving the following events of note in the logs
   Security Logs -> 680, 675, 539
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      userid
 Source Workstation:      MACHINE_BADSENDER
 Error Code:      0xC0000234
----------------------------------------------------------------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      675
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Description:
Pre-authentication failed:
       User Name:      userid
       User ID:            domain\userid
       Service Name:      krbtgt/domain
       Pre-Authentication Type:      0x0
       Failure Code:      0x12
       Client Address:      192.168.10.139
-------------------------------------------------------------------------------------------------------------------------
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Logon/Logoff
Event ID:      539
Date:            3/28/2012
Time:            10:23:54 AM
User:            NT AUTHORITY\SYSTEM
Computer:      SERVER-DC
Description:
Logon Failure:
       Reason:            Account locked out
       User Name:      userid
       Domain:      domain
       Logon Type:      3
       Logon Process:      NtLmSsp
       Authentication Package:      NTLM
       Workstation Name:      MACHINE-BADSENDER
       Caller User Name:      -
       Caller Domain:      -
       Caller Logon ID:      -
       Caller Process ID: -
       Transited Services: -
       Source Network Address:      192.168.10.139
       Source Port:      59404
--------------------------------------------------------------------------------------------------------------------------------
Additionally, the following are received in the System Logs -> 12294, 3

Event Type:      Error
Event Source:      SAM
Event Category:      None
Event ID:      12294
Date:            3/28/2012
Time:            10:26:55 AM
User:            DOMAIN\userid
Computer:      SERVER-DC
Description:
The SAM database was unable to lockout the account of userid due to a resource error, such as a hard disk write failure (the specific error code is in the error data) . Accounts are locked after a certain number of bad passwords are provided so please consider resetting the password of the account mentioned above.

Data:
0000: a5 02 00 c0               ¥..À    
--------------------------------------------------------------------------------------------------------------------------
Event Type:      Error
Event Source:      Kerberos
Event Category:      None
Event ID:      3
Date:            3/28/2012
Time:            10:15:47 AM
User:            N/A
Computer:      SERVER-DC
Description:
A Kerberos Error Message was received:
         on logon session
 Client Time:
 Server Time: 14:15:47.0000 3/28/2012 Z
 Error Code: 0xd KDC_ERR_BADOPTION
 Extended Error: 0xc00000bb KLIN(0)
 Client Realm:
 Client Name:
 Server Realm: DOMAIN.LOCAL
 Server Name: host/server-dc.domain.local
 Target Name: host/server-dc.domain.local@DOMAIN.LOCAL
 Error Text:
 File: 9
 Line: b22
 Error Data is in record data.

Data:
0000: 03a11530 a2030102 bb0c040e 00c00000
0010: 03000000 000000
--------------------------------------------------------------------------------------------------------------------

I have searched the following resources and can't seem to find THE resolution:
 * Experts Exchange
 * EventID.net
 * Microsoft Forums
note: of course it's certainly possible I have missed one and/or missed a step along the way

It seems I've been able to identify the guilty party, but, can't nail down the service/issue that's causing it.  It should be noted the following as well:
  * When I shut down the computer MACHINE-BADSENDER, I can successfully access the network with my userid.

Any help would be greatly appreciated, thanks.
Question by:pridenetadmin
12 Comments
 
LVL 9

Expert Comment

by:Geodash
ID: 37777035
How many machines on your domain? I have used Newt before for a similar issue. You can query the first 25 machines on the domain for free by IP. Make sure the machine in question is in the list. Do a complete query, then look at all of the services by searching for your username. See if this helps...


http://www.komodolabs.com/

Download the free version
0
 
LVL 17

Expert Comment

by:Premkumar Yogeswaran
ID: 37777047
Follow the below steps for account lockout issue:

Note: Do the below steps from PDC

Step 1:
dsquery user -name username
Output - "CN=testuser,OU=Test,DC=test,DC=com"

Step 2:
Repadmin /showmeta "user DN"
Repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com"

use below command to filter lockout:
Repadmin /showmeta "CN=testuser,OU=Test,DC=test,DC=com"  | find /i "lockout"

Note the server name where the lockout is pointing to.

Step 3:
Dumpel -f c:\lockout.txt -s DC01 -l security -m security -e 644 642 529 539 680

after the command completed
check the output file for the username

It denotes the system or server from where the account got locked.

Additionally you can also use Microsoft ALTools to troubleshoot account lockouts

Regards,
Prem
0
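Added example (not part of the thread and not any poster's code): the correlation that Step 3 asks you to do by eye, run over events in the Event Viewer text layout pasted in the question. It groups 680/675/539 failures by account and source and decodes the failure codes. The function names are hypothetical, and the sample is constructed from the field values quoted in the question.

```python
import re
from collections import Counter

# Failure codes carried by event 680 (NTSTATUS) and event 675 (Kerberos).
NTSTATUS = {0xC000006A: "wrong password", 0xC0000234: "account locked out"}
KERBEROS = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x18: "KDC_ERR_PREAUTH_FAILED"}
# Event ID -> (account field, source field, reason field, code table or None)
LAYOUT = {"680": ("Logon account", "Source Workstation", "Error Code", NTSTATUS),
          "675": ("User Name", "Client Address", "Failure Code", KERBEROS),
          "539": ("User Name", "Source Network Address", "Reason", None)}
# Constructed sample: trimmed copies of the three security events in the question.
SAMPLE = """Event ID:      680
Logon account:      userid
Source Workstation:      MACHINE_BADSENDER
Error Code:      0xC0000234
----------
Event ID:      675
User Name:      userid
Failure Code:      0x12
Client Address:      192.168.10.139
----------
Event ID:      539
Reason:            Account locked out
User Name:      userid
Source Network Address:      192.168.10.139"""

def parse_events(text):
    """Yield one dict of 'Field: value' pairs per dash-separated event."""
    for chunk in re.split(r"^-{5,}\s*$", text, flags=re.M):
        pairs = (line.partition(":") for line in chunk.splitlines())
        fields = {k.strip(): v.strip() for k, _, v in pairs if v.strip()}
        if "Event ID" in fields:
            yield fields

def failure_sources(events):
    """Count logon failures per (account, source, reason) for 680/675/539."""
    tally = Counter()
    for ev in events:
        if ev["Event ID"] in LAYOUT:
            user_f, src_f, code_f, table = LAYOUT[ev["Event ID"]]
            reason = table.get(int(ev[code_f], 16), ev[code_f]) if table else ev[code_f]
            tally[(ev[user_f].lower(), ev[src_f], reason)] += 1
    return tally

def record_data_dword(hex_bytes):  # event 'Data:' dumps are little-endian
    return int.from_bytes(bytes.fromhex(hex_bytes), "little")

if __name__ == "__main__":
    print(failure_sources(parse_events(SAMPLE)))
    print(hex(record_data_dword("a5 02 00 c0")))  # data bytes of SAM event 12294
```

Event 680 reports the source by workstation name while 675 and 539 report its IP address, so the same machine appears under two keys until the name is resolved.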
 

Author Comment

by:pridenetadmin
ID: 37777106
I will try this now, thanks.
0
 

Author Comment

by:pridenetadmin
ID: 37777169
Having trouble running some of these commands, but, I did use the Microsoft ALTools and determined the system that was causing the account lockouts (Machine-BadSender) and the DC locally locking out (SERVER-DC).

Note:
Ran Step 1 but it didn't show any output, should it have?
Can't seem to get the syntax correct on Step 2

Thanks for the input though.
0
 

Author Comment

by:pridenetadmin
ID: 37777231
Geodash, I didn't see your post, will take a look at your recommendation.  I have manually checked the services, but, must be missing something.

Thanks.
0
 
LVL 9

Expert Comment

by:Geodash
ID: 37777250
It is a great program and may help you!
0
 

Author Comment

by:pridenetadmin
ID: 37777320
I installed and ran the Komodo Labs program, yes it's very nice - thanks for the reference.

Per the Services listed in the program, none were associated with the account that's currently locked out.
0
 
LVL 7

Expert Comment

by:Todar
ID: 37778045
Why not try removing and re-adding the "Machine-BadSender" from the domain?
0
 

Author Comment

by:pridenetadmin
ID: 37778426
Todar, I think I will give that a try, thanks.
0
 

Author Comment

by:pridenetadmin
ID: 37812229
I did remove the machine from the domain and then added back, no change in the Account Lockout status.  Any other ideas how to narrow this down?

Thanks.
0
 

Accepted Solution

by:pridenetadmin
ID: 38171200
Determined the program causing the issue.  When shutting down this program account was no longer locked out.  Believe there was a cached credential issue from initial install, but, couldn't determine specifics.  Ended up reinstalling the program and using a system account (and documenting).  Thanks for all the help, educational exercise regardless.
0
 

Author Closing Comment

by:pridenetadmin
ID: 38187114
I solved the problem, thus, it's the correct answer.
0
