Locked account, help finding source

Posted on 2013-10-30
Last Modified: 2013-11-05

One of our users often finds that his account is locked; we have attempted to locate the source of this, without luck.

Currently running a simple function in PowerShell which goes through the security log.

Function Get-LockedOutInfo ([String]$user) {
    # Failure audits (e.g. 4625) whose message mentions the user, oldest first
    Get-EventLog -LogName Security |
        Where-Object { $_.EntryType -match "FailureAudit" -and $_.Message -match $user } |
        Sort-Object TimeGenerated |
        Format-List
}

Running the function, it tells us that the failed attempts originate from our TMG server.

Filtering the log on TMG server, with only these settings:
web proxy or firewall
Client username
Last day

No failed attempts are showing, not one.
In other similar cases we have been able to see the failure attempts in the TMG log.

Does anyone have any tips on how to follow up on this, to try to locate the source?

Example from the security log:

Index              : 82577185
EntryType          : FailureAudit
InstanceId         : 4625
Message            : An account failed to log on.

                         Security ID:        S-1-0-0
                         Account Name:        -
                         Account Domain:        -
                         Logon ID:        0x0

                     Logon Type:            3

                     Account For Which Logon Failed:
                         Security ID:        S-1-0-0
                         Account Name:
                         Account Domain:

                     Failure Information:
                         Failure Reason:        %%2313
                         Status:            0xc000006d
                         Sub Status:        0xc000006a

                     Process Information:
                         Caller Process ID:    0x0
                         Caller Process Name:    -

                     Network Information:
                         Workstation Name:    TMGSERVER
                         Source Network Address:    TMG.IP
                         Source Port:        xxxx

                     Detailed Authentication Information:
                         Logon Process:        NtLmSsp
                         Authentication Package:    NTLM
                         Transited Services:    -
                         Package Name (NTLM only):    -
                         Key Length:        0

                     This event is generated when a logon request fails. It is generated on the computer where access was attempted.

                     The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

                     The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

                     The Process Information fields indicate which account and process on the system requested the logon.

                     The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

                     The authentication information fields provide detailed information about this specific logon request.
                         - Transited services indicate which intermediate services have participated in this logon request.
                         - Package name indicates which sub-protocol was used among the NTLM protocols.
                         - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Category           : (12544)
CategoryNumber     : 12544
ReplacementStrings : {S-1-0-0, -, -, 0x0...}
Source             : Microsoft-Windows-Security-Auditing
TimeGenerated      : 30.10.2013 11:49:25
TimeWritten        : 30.10.2013 11:49:25
UserName           :
Question by: Lenblock
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 250 total points
ID: 39611415
Use AD Audit Plus to find out where the account is locking out. It's not free but they have a 30 day trial which is fully featured.

AD Audit Plus -

You will find where the account is locking out and from what machine as soon as you install this in your environment.

LVL 24

Assisted Solution

Sandeshdubey earned 250 total points
ID: 39612142
On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If event ID 644 has not occurred, this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. It seems from the event that TMGSERVER is causing the issue.

You can also set the debug flag on NetLogon to track authentication. "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service

Using the checked Netlogon.dll to track account lockouts

Troubleshooting account lockout the Microsoft PSS way:

Paul Bergson's User Account Lockout Troubleshooting 

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user, or could this account be used on a service somewhere?
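As an added example (not code from the thread or from any of the answerers), the 4740 check described above can be scripted, together with its 4625 counterpart on the server that the domain controller names as the caller (TMGSERVER in the question). A server that relays NTLM pass-through authentication shows up as the Workstation Name on the DC, while its own 4625 events carry the address of the real client. Computer and account names below are placeholders, and the account running the script needs read access to the remote Security logs.

```powershell
# Added example, not from the thread. Two helpers for the lockout hunt:
#  - Get-LockoutCallers : 4740 events on a domain controller, grouped by the
#                         "Caller Computer Name" the answer refers to.
#  - Get-FailedLogons   : 4625 events on the machine named as the caller,
#                         grouped by source address and sub-status.
# Assumptions: DC01.example.local, TMGSERVER and jdoe are placeholders.

function ConvertFrom-EventData {
    # Turn the EventData block of a Security event into a hashtable keyed by field name,
    # which is more reliable than regex-parsing the localized message text.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

function Get-LockoutCallers {
    param(
        [string]$DomainController,   # placeholder; the PDC emulator sees all bad passwords
        [string]$User,
        [int]$Days = 7
    )
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = $d['TargetUserName']
            CallerComputer = $d['TargetDomainName']   # 4740 stores Caller Computer Name here
        }
    } |
    Where-Object { $_.LockedAccount -eq $User } |
    Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, @{n = 'CallerComputer'; e = { $_.Name }},
                  @{n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time }}
}

# NTSTATUS sub-status codes reported in 4625; 0xC000006A is the one that counts towards lockout.
$SubStatus = @{
    '0xc000006a' = 'Wrong password'
    '0xc0000234' = 'Account locked out'
    '0xc0000064' = 'User name does not exist'
    '0xc0000072' = 'Account disabled'
    '0xc000006f' = 'Logon outside permitted hours'
}

function Get-FailedLogons {
    param([string]$ComputerName, [string]$User, [int]$Days = 1)
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Account     = $d['TargetUserName']
            LogonType   = $d['LogonType']
            SourceIP    = $d['IpAddress']
            Workstation = $d['WorkstationName']
            Reason      = $SubStatus["$($d['SubStatus'])".ToLower()]
        }
    } |
    Where-Object { $_.Account -eq $User } |
    Group-Object SourceIP, Workstation, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name
}

# Usage (placeholders): first find which machine asks the DC to lock the account,
# then look on that machine for where the bad credentials are arriving from.
Get-LockoutCallers -DomainController 'DC01.example.local' -User 'jdoe'
Get-FailedLogons   -ComputerName 'TMGSERVER' -User 'jdoe'
```

Bad-password attempts are chained to the PDC emulator, so query that DC first; if 4740 never appears there, the "Audit User Account Management" subcategory is not enabled, which is the audit-policy gap the answer above points out.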

Expert Comment

ID: 39612909
There may be many causes for an account being locked out.
•      user's account in Stored User Names and Passwords
•      user's account tied to a persistent mapped drive
•      user's account used as a service account
•      user's account used as an IIS application pool identity
•      user's account tied to a scheduled task
•      un-suspending a virtual machine after a user's password was changed
•      mobile devices

Follow this Expert-Exchange thread in case:
Or, if you want to go with a commercial product, you can also look at this utility to know when, where and what account has locked:

Accepted Solution

Lenblock earned 0 total points
ID: 39614175

We found the solution.

It was the user's local account causing the problem. Part of their own software was most likely attempting to log on to a service with an older password using his account.

He changed his local security policy:
Do not allow storage of passwords and credentials

Problem solved for now.
Will continue to find the real source.

Thanks for the suggestions.
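The cause list in the comment above and the fix in the accepted solution both point at the same places on the client: saved credentials, services, scheduled tasks and mapped drives that keep running with an old password. As an added example (not from the thread), the script below inventories those on a Windows host for one account and reads the setting the asker changed; the policy "Network access: Do not allow storage of passwords and credentials for network authentication" is stored as the DisableDomainCreds value under the Lsa key. The account name is a placeholder, and the cmdkey and mapped-drive checks are per-user, so run it in the affected user's own session.

```powershell
# Added example, not from the thread: list where an account's credentials may
# still be cached on this host. Assumption: jdoe is a placeholder sAMAccountName.
param([string]$User = 'jdoe')

$hits = New-Object System.Collections.ArrayList
function Add-Hit($Kind, $Detail) {
    [void]$hits.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}
# Match DOMAIN\user, user@domain or bare user, but not e.g. jdoe2
$pattern = "(^|\\)$User(@|$)"

# 1. Services whose logon account is the user (Win32_Service.StartName)
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    ForEach-Object { Add-Hit 'Service' "$($_.Name) runs as $($_.StartName)" }

# 2. Scheduled tasks whose "Run As User" is the user; schtasks CSV output is
#    available on every supported Windows version, unlike Get-ScheduledTask
schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    ForEach-Object { Add-Hit 'ScheduledTask' "$($_.TaskName) runs as $($_.'Run As User')" }

# 3. Credential Manager entries of the current user (cmdkey lists targets, never secrets)
cmdkey /list 2>$null |
    Where-Object { $_ -match $User } |
    ForEach-Object { Add-Hit 'StoredCredential' $_.Trim() }

# 4. Mapped drives of the current user and the account they were connected with
Get-CimInstance Win32_NetworkConnection |
    Where-Object { $_.UserName -match $pattern } |
    ForEach-Object { Add-Hit 'MappedDrive' "$($_.LocalName) -> $($_.RemoteName) as $($_.UserName)" }

# 5. The local security policy the accepted solution changed
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$v = (Get-ItemProperty -Path $lsa -Name DisableDomainCreds -ErrorAction SilentlyContinue).DisableDomainCreds
$state = if ($v -eq 1) { 'Enabled' } else { 'Disabled' }
Add-Hit 'Policy' "Do not allow storage of passwords and credentials for network authentication: $state"

$hits | Format-Table -AutoSize
```

Anything listed under Service or ScheduledTask keeps retrying on its own after a password change and will trip the lockout threshold regardless of what the user does; those entries are the ones to update or move to a managed service account before relying on the policy alone.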


Author Closing Comment

ID: 39623758
The reason for the locked-out account was the user's own software.
