Solved

AD accounts not getting locked out properly ID 4771

Posted on 2012-12-27
8
1,038 Views
Last Modified: 2013-07-19
Hello,

I'm receiving many event ID's for 4771 on several domain controllers where I'm getting the below information with many authentication failures but the user accounts are not getting locked out when the default domain policy is set to lockout after 3 unsuccessful attempts. Any thoughts? Thanks


4771,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Thu Dec 27 20:26:01 2012,No User,Kerberos pre-authentication failed.    Account Information:   Security ID:  S-1-5-21-2094812614-1962491401-1202159320-115256   Account Name:  bvn0412    Service Information:   Service Name:  krbtgt/domain.COM    Network Information:   Client Address:  ::ffff:10.12.104.105   Client Port:  62426    Additional Information:   Ticket Options:  0x40810010   Failure Code:  0x18   Pre-Authentication Type: 2    Certificate Information:   Certificate Issuer Name:     Certificate Serial Number:     Certificate Thumbprint:      Certificate information is only provided if a certificate was used for pre-authentication.    Pre-authentication types, ticket options and failure codes are defined in RFC 4120.    If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
0
Comment
Question by:jacksonwsa
  • 4
  • 2
  • 2
8 Comments
 
LVL 15

Expert Comment

by:alienvoice
ID: 38725867
Over what time period are these failures occuring?

Are your default settings set to a short grace period?
0
 

Author Comment

by:jacksonwsa
ID: 38725875
I'm seeing like 8 failures in a day on this first account I'm looking at. Here is our default domain policy specifically the password piece.

Policy Setting
Enforce password history 5 passwords remembered
Maximum password age 45 days
Minimum password age 1 days
Minimum password length 8 characters
Password must meet complexity requirements Enabled
Store passwords using reversible encryption Disabled

Account Policies/Account Lockout Policyhide
Policy Setting
Account lockout duration 10080 minutes
Account lockout threshold 3 invalid logon attempts
Reset account lockout counter after 4320 minutes

Account Policies/Kerberos Policyhide
Policy Setting
Enforce user logon restrictions Enabled
Maximum lifetime for service ticket 600 minutes
Maximum lifetime for user ticket 10 hours
Maximum lifetime for user ticket renewal 7 days
Maximum tolerance for computer clock synchronization 5 minutes
0
 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 38725879
What is your Reset Account Lockout Counter After setting?

Go through this as well to make sure all settings are set correctly

http://technet.microsoft.com/en-us/library/cc781491(v=ws.10).aspx

Run gpupdate on client

Run gpresult see if the policy is applying or not to the users
0
 

Author Comment

by:jacksonwsa
ID: 38725883
I confirmed the policy is applying to two of the users
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 
LVL 59

Expert Comment

by:Darius Ghassem
ID: 38725889
Alright check those settings
0
 
LVL 15

Accepted Solution

by:
alienvoice earned 500 total points
ID: 38725896
Check your 'Reset account Lockout Counter After' setting. This determines how many minutes can elapse after each failed attempt. Your 8 attempts per day may be occuring far enough apart not to trigger the lockout.

http://technet.microsoft.com/en-us/library/cc784599%28v=ws.10%29.aspx
0
 

Author Comment

by:jacksonwsa
ID: 38757651
I've dug into the logs and I think I'm making progress on this. Thanks for your help
0
 

Author Comment

by:jacksonwsa
ID: 39339307
I've requested that this question be closed as follows:

Accepted answer: 0 points for jacksonwsa's comment #a38757651

for the following reason:

This was never resolved
0

Featured Post

Control application downtime with dependency maps

Visualize the interdependencies between application components better with Applications Manager's automated application discovery and dependency mapping feature. Resolve performance issues faster by quickly isolating problematic components.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Power shell script 6 58
Issue with server 2012 R2 and access to folders 20 47
MS-Access 2002 error (Win XP on Win7Pro) 19 49
need help with active directory 4 27
Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

895 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now