• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1359

Account Lockout

I am using a Windows 7 Pro 64-bit OS PC on a 2003 MS Active Directory network. I am getting random account lockouts which were initially all pre-authentication lockout failure audits. After a registry setting change to the OS to use AES encryption, I still get the lockouts, but they are more descriptive. The errors are 673 Failure Audits with SYSTEM listed as the user. However, the detail of the entry shows my AD user account and either cifs/servername or ldap/servername under Service Name. Ticket Options: 0x40810000 and failure code 0x12. Lockouts appear to happen no matter what DC I authenticate to. I am a domain admin, but my user account is not added as a local admin on the PC. I have not been able to find out much info about this. Can someone please help me out? Thanks!
0
Asked: grahsysadmin
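As an added example (not code from the thread or from any of the posters), here is a small Python parser for the fields named in the question: it decodes the Ticket Options bitmask and the Failure Code of a 673/4771 Kerberos failure audit and counts per-user bad-password failures, so that the failures recorded before a 0x12 can be matched against the lockout event on the PDC emulator. The sample log lines, the user name jdoe and the host names are constructed; the RFC 4120 flag names and error codes, and event IDs 644/4740 for the lockout itself, are assumed background knowledge rather than anything stated in the thread.

```python
import re
# Kerberos error codes in the "Failure Code" field of event 673 (2003) / 4771 (2008+), per RFC 4120 s.7.5.9
FAILURE_CODES = {
    0x12: "KDC_ERR_CLIENT_REVOKED (account disabled, expired, locked out or outside logon hours)",
    0x17: "KDC_ERR_KEY_EXPIRED (password expired)",
    0x18: "KDC_ERR_PREAUTH_FAILED (bad password; increments badPwdCount)",
}
# KDCOptions bit masks (RFC 4120 s.5.4.1) that make up the 32-bit "Ticket Options" value
KDC_OPTIONS = [(0x40000000, "forwardable"), (0x20000000, "forwarded"), (0x10000000, "proxiable"),
               (0x00800000, "renewable"), (0x00010000, "canonicalize"), (0x00000010, "renewable-ok"),
               (0x00000002, "renew"), (0x00000001, "validate")]
EVENT_RE = re.compile(r"User Name:\s*(?P<user>\S+).*?Service Name:\s*(?P<service>\S+)"
                      r".*?Ticket Options:\s*(?P<opts>0x[0-9a-fA-F]+).*?Failure Code:\s*(?P<code>0x[0-9a-fA-F]+)")

def decode_options(value):
    """Names of the KDCOptions flags set in a Ticket Options value, most significant bit first."""
    return [name for mask, name in KDC_OPTIONS if value & mask]

def parse_event(line):
    """Parse one flattened Kerberos failure-audit line into a dict; None if the line is not one."""
    m = EVENT_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"), 16)
    return {"user": m.group("user"), "service": m.group("service"), "code": code,
            "options": decode_options(int(m.group("opts"), 16)), "reason": FAILURE_CODES.get(code, "unknown 0x%x" % code)}

def lockout_report(lines, threshold=2):
    """Per user: bad-password (0x18) count, and services that returned 0x12 (KDC already refuses the account)."""
    report = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:  # not a Kerberos failure audit, e.g. an ordinary logon event
            continue
        u = report.setdefault(ev["user"], {"bad_password": 0, "revoked_from": [], "suspect": False})
        if ev["code"] == 0x18:
            u["bad_password"] += 1
        elif ev["code"] == 0x12 and ev["service"] not in u["revoked_from"]:
            u["revoked_from"].append(ev["service"])
        # enough bad passwords to reach the lockout threshold, or already revoked: correlate with 644/4740
        u["suspect"] = u["bad_password"] >= threshold or bool(u["revoked_from"])
    return report

# Constructed sample lines in the shape of the audit from the question; 'jdoe' and the hosts are placeholders
SAMPLE_LOG = [
    "Event ID: 673  User Name: jdoe  Service Name: cifs/fileserver  Ticket Options: 0x40810000  Failure Code: 0x18",
    "Event ID: 673  User Name: jdoe  Service Name: ldap/dc01  Ticket Options: 0x40810000  Failure Code: 0x18",
    "Event ID: 673  User Name: jdoe  Service Name: cifs/fileserver  Ticket Options: 0x40810000  Failure Code: 0x12",
    "Event ID: 540  User Name: svc_backup  Logon Type: 3",
]
```

Running `lockout_report(SAMPLE_LOG)` shows jdoe with two bad-password failures followed by a 0x12 from cifs/fileserver, which is the pattern to look for before pulling the matching lockout event from the PDC emulator.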
1 Solution
 
pony10us Commented:
0x12 = Client's credentials have been revoked: account disabled, expired, locked out, or logon hours.
0
 
Gajendra Rathod (Sr. System Administrator) Commented:
Please check Credential Manager on your machine.

Go to Control Panel | Credential Manager.

Remove any stored username and password that you think are related to an old password.
0
 
doublestick Commented:
Maybe your password expired while you are still logged on, and you cannot access any other machines?
0
 
grahsysadmin (Author) Commented:
All,
Network password has not changed in months and is set to not expire. I only notice the lockouts when I actually try to use a resource that needs authentication: When I open AD Users and Computers on my PC, for example. There is a 15 minute unlock interval so it could be happening more than I know. I have noticed no machine account lockouts. Only my user account. The only thing I can find in Credential Manager that is curious is virtualapp/didlogical which has a modified date of today. Thanks for all the responses so far!
0
 
chubby_informer Commented:
Some virus causes this... and causes the AD account to lock out and get disabled.
0
 
Gajendra Rathod (Sr. System Administrator) Commented:
There are some account lockout tools:

Account Lockout tools
0
 
grahsysadmin (Author) Commented:
We just added a 2008 DC to the domain in case this is some weird encryption issue with the Win7 machines on 2003 DCs. Will report back in a couple days after we see if any further lockouts occur. Thanks for the replies thus far.
0
 
grahsysadmin (Author) Commented:
Still getting a lot of Kerberos pre-auth errors, looking like this is the cause of lockouts. We've gone through many suggestions, redesigned our AD schema to prevent *any* offsite auth to our other DCs, tried different encryption types and many other things - yet the problem persists.

Anyone out there have first-hand experience with Win 7 x64 domain admin lockouts on a 2003-functional domain? Hoping to avoid paying MS per-incident for this issue...
0
 
grahsysadmin (Author) Commented:
We may have *finally* zeroed in on the issue: our Outlook 365 logins are the same as our AD UPNs, which appears to be causing Outlook to pass an invalid SID (full of zeroes) for Kerberos auth on the domain, in turn causing the account lockouts. This is primarily because we chose not to federate, since we have fewer than 100 users.

Links to the MS KB article and the corresponding hotfix that mention the issue (along with the suggested registry change):

http://support.microsoft.com/kb/2598374

http://support.microsoft.com/kb/2598365

Since installing this hotfix, I have yet to be locked out due to krb auth errors. Not going with a declaration of this being the de-facto fix until I see a week or two without lockout.

Sincerely hoping this saves some hair from being pulled out.
0
 
grahsysadmin (Author) Commented:
...and it figures, the moment I post a supposed fix I get another account lockout. Still searching... suspect Lync as the culprit this time.
0
 
grahsysadmin (Author) Commented:
Update: the only way to fix this issue to date has been to have the same password for the user's domain account as on Office 365. Sort of a security nightmare.
0
 
grahsysadmin (Author) Commented:
This now seems to be standard procedure, albeit a horrible idea from a security standpoint.
0