
Locked account, help finding source

Posted on 2013-10-30
Medium Priority
Last Modified: 2013-11-05

One of our users often finds that his account is locked; we have attempted to locate the source of this, without luck.

Currently running a simple function in PowerShell which goes through the security log.

Function Get-LockedOutInfo ([String]$user) {
    # Failed audits in the local Security log that mention the user, oldest first
    Get-EventLog -LogName Security |
        Where-Object { $_.EntryType -match "FailureAudit" -and $_.Message -match $user } |
        Sort-Object TimeGenerated | Format-List
}


Running the function it tells us that the failed attempts originate from our TMG server.

Filtering the log on the TMG server, with only these settings:
web proxy or firewall
Client username
Last day

No failed attempts are showing, not one.
In other similar cases we have been able to see the failure attempts in the TMG log.

Does anyone have any tips on how to follow up on this, to try to locate the source of it?

Example from the security log:

Index              : 82577185
EntryType          : FailureAudit
InstanceId         : 4625
Message            : An account failed to log on.

                         Security ID:        S-1-0-0
                         Account Name:        -
                         Account Domain:        -
                         Logon ID:        0x0

                     Logon Type:            3

                     Account For Which Logon Failed:
                         Security ID:        S-1-0-0
                         Account Name:        user.name
                         Account Domain:        domain.com

                     Failure Information:
                         Failure Reason:        %%2313
                         Status:            0xc000006d
                         Sub Status:        0xc000006a

                     Process Information:
                         Caller Process ID:    0x0
                         Caller Process Name:    -

                     Network Information:
                         Workstation Name:    TMGSERVER
                         Source Network Address:    TMG.IP
                         Source Port:        xxxx

                     Detailed Authentication Information:
                         Logon Process:        NtLmSsp
                         Authentication Package:    NTLM
                         Transited Services:    -
                         Package Name (NTLM only):    -
                         Key Length:        0

                     This event is generated when a logon request fails. It is generated on the computer where access was attempted.

                     The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

                     The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

                     The Process Information fields indicate which account and process on the system requested the logon.

                     The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

                     The authentication information fields provide detailed information about this specific logon request.
                         - Transited services indicate which intermediate services have participated in this logon request.
                         - Package name indicates which sub-protocol was used among the NTLM protocols.
                         - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Category           : (12544)
CategoryNumber     : 12544
ReplacementStrings : {S-1-0-0, -, -, 0x0...}
Source             : Microsoft-Windows-Security-Auditing
TimeGenerated      : 30.10.2013 11:49:25
TimeWritten        : 30.10.2013 11:49:25
UserName           :
Question by: Lenblock

LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 39611415
Use AD Audit Plus to find out where the account is locking out. It's not free but they have a 30 day trial which is fully featured.

AD Audit Plus - http://www.manageengine.com/products/active-directory-audit/

You will find where the account is locking out and from what machine as soon as you install this in your environment.

LVL 24

Assisted Solution

Sandeshdubey earned 500 total points
ID: 39612142
On the DC, check the security log: event id 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs you will find the same caller machine. If the event id 644 has not occurred then this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. It seems from the event that TMGSERVER is causing the issue.

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service

Using the checked Netlogon.dll to track account lockouts

Troubleshooting account lockout the Microsoft PSS way:

Paul Bergson's User Account Lockout Troubleshooting

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user or could this account be used on a service somewhere?
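
An added example (not code from the thread) that combines the two approaches above: the 4625 failed-logon search from the question and the 4740 lockout check on the DC from this answer. It parses the labelled fields in each event's message text (Caller Computer Name, Workstation Name, Source Network Address, Logon Type, Sub Status) so the failures can be grouped by source host. The function name, the DC name DC01 and the account name user.name are assumptions; the script needs read access to the Security log on the target machine.

```powershell
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string]$User,        # sAMAccountName, e.g. user.name
        [string]$ComputerName = $env:COMPUTERNAME,  # DC for 4740; the server named in 4625 for its own log
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # Account Name appears twice in 4625/4740 (subject and target); match the user anywhere
    $userPattern = "Account Name:\s+$([regex]::Escape($User))\b"

    # Pull one "Label:   value" field from the message; empty fields (blank Workstation Name) stay empty
    function Get-Field([string]$Message, [string]$Label) {
        if ($Message -match "(?m)^[ \t]*$([regex]::Escape($Label)):[ \t]*([^\r\n]*)") { $Matches[1].Trim() } else { '' }
    }

    # 4740 is logged on the DC that locked the account; Caller Computer Name is the host that
    # presented the bad credentials (often a proxy such as TMG, not the user's own PC)
    $lockouts = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $userPattern } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Event = 4740
                               Source = Get-Field $_.Message 'Caller Computer Name'; Detail = '' }
        }

    # 4625 is logged where the logon was attempted; Workstation Name / Source Network Address point
    # one hop back. Sub Status 0xc000006a = wrong password, 0xc0000234 = account already locked out
    $failures = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $userPattern } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; Event = 4625
                               Source = "$(Get-Field $_.Message 'Workstation Name') ($(Get-Field $_.Message 'Source Network Address'))"
                               Detail = "LogonType=$(Get-Field $_.Message 'Logon Type') SubStatus=$(Get-Field $_.Message 'Sub Status')" }
        }

    @($lockouts) + @($failures) | Sort-Object Time
}

# Timeline of lockouts and the failures that led up to them
$events = Get-LockoutSource -User 'user.name' -ComputerName 'DC01' -Hours 24
$events | Format-Table Time, Event, Source, Detail -AutoSize
# The source with the most 4625s is usually the culprit; run again against that host to go one hop further
$events | Where-Object Event -eq 4625 | Group-Object Source | Sort-Object Count -Descending | Format-Table Count, Name
```

If the 4625 source turns out to be a proxy or firewall (as with TMGSERVER here), rerun the function with -ComputerName set to that host so its own 4625 events show the original client.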

Expert Comment

ID: 39612909
There may be many causes for account locked out.
•      user's account in stored user name and passwords
•      user's account tied to persistent mapped drive
•      user's account as a service account
•      user's account used as an IIS application pool identity
•      user's account tied to a scheduled task
•      un-suspending a virtual machine after a user's pw was changed
•      Mobile devices

Follow this Expert-Exchange thread in case: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28269386.html
Or if you want to go with a commercial product, you can also look at this utility to know when, where and which account has been locked: http://www.auditactivedirectory.com/

Accepted Solution

Lenblock earned 0 total points
ID: 39614175

We found the solution.

It was the user's local account causing the problem. Part of their own software was most likely attempting to log on to a service with his account using an older password.

He changed his local security policy:
Do not allow storage of passwords and credentials

Problem solved for now.
Will continue to find the real source.

Thanks for the suggestions.


Author Closing Comment

ID: 39623758
The reason for the locked-out account was the user's own software.
