• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2898

Locked account, help finding source


One of our users often finds that his account is locked; we have attempted to locate the source of this, without luck.

Currently running a simple function in PowerShell which goes through the security log.

Function Get-LockedOutInfo ([String]$user) {
    # Failure audits in the local Security log whose message mentions the user, oldest first
    Get-EventLog -LogName Security |
        Where-Object { $_.EntryType -match "FailureAudit" -and $_.Message -match $user } |
        Sort-Object TimeGenerated |
        Format-List
}


Running the function it tells us that the failed attempts originate from our TMG server.

Filtering the log on TMG server, with only these settings:
web proxy or firewall
Client username
Last day

No failed attempts are showing, not one.
In other similar cases we have been able to see the failure attempts in the TMG log.

Does anyone have any tips on how to follow up on this, to try to locate the source?

Example from the security log:

Index              : 82577185
EntryType          : FailureAudit
InstanceId         : 4625
Message            : An account failed to log on.

                         Security ID:        S-1-0-0
                         Account Name:        -
                         Account Domain:        -
                         Logon ID:        0x0

                     Logon Type:            3

                     Account For Which Logon Failed:
                         Security ID:        S-1-0-0
                         Account Name:        user.name
                         Account Domain:        domain.com

                     Failure Information:
                         Failure Reason:        %%2313
                         Status:            0xc000006d
                         Sub Status:        0xc000006a

                     Process Information:
                         Caller Process ID:    0x0
                         Caller Process Name:    -

                     Network Information:
                         Workstation Name:    TMGSERVER
                         Source Network Address:    TMG.IP
                         Source Port:        xxxx

                     Detailed Authentication Information:
                         Logon Process:        NtLmSsp
                         Authentication Package:    NTLM
                         Transited Services:    -
                         Package Name (NTLM only):    -
                         Key Length:        0

                     This event is generated when a logon request fails. It is generated on the computer where access was attempted.

                     The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

                     The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

                     The Process Information fields indicate which account and process on the system requested the logon.

                     The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

                     The authentication information fields provide detailed information about this specific logon request.
                         - Transited services indicate which intermediate services have participated in this logon request.
                         - Package name indicates which sub-protocol was used among the NTLM protocols.
                         - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Category           : (12544)
CategoryNumber     : 12544
ReplacementStrings : {S-1-0-0, -, -, 0x0...}
Source             : Microsoft-Windows-Security-Auditing
TimeGenerated      : 30.10.2013 11:49:25
TimeWritten        : 30.10.2013 11:49:25
UserName           :
3 Solutions
Will Szymkowski (Senior Solution Architect) commented:
Use AD Audit Plus to find out where the account is locking out. It's not free but they have a 30 day trial which is fully featured.

AD Audit Plus - http://www.manageengine.com/products/active-directory-audit/

You will find where the account is locking out and from what machine as soon as you install this in your environment.

Sandeshdubey (Senior Server Engineer) commented:
On the DC, check the security log: event id 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs you will find the same caller machine. If event id 644 has not occurred, then this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring. It seems from the event that TMGSERVER is causing the issue.

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service

Using the checked Netlogon.dll to track account lockouts

Troubleshooting account lockout the Microsoft PSS way:

Paul Bergson's User Account Lockout Troubleshooting

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user, or could this account be used on a service somewhere?
There may be many causes for an account being locked out:
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account used as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's password was changed
• mobile devices

Follow this Experts-Exchange thread in case: http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28269386.html
Or if you want to go with a commercial product, you can also look at this utility to know when, where and what account has locked: http://www.auditactivedirectory.com/
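As an added example (not code from this thread), the following PowerShell script pulls 4740 lockout events from a DC and 4625 failures from the server named in them, reading the named event-XML fields instead of regex-matching the message text; $TargetUser, $Computer and $Hours are placeholder parameters and the account name is a constructed sample.

```powershell
# Added example, not from the original thread. Assumes rights to read the
# Security log on $Computer (a DC for 4740; the server the failures land on
# for 4625). Parameter values are placeholders.
param(
    [string]$TargetUser = 'user.name',          # sAMAccountName under investigation
    [string]$Computer   = $env:COMPUTERNAME,
    [int]$Hours         = 24
)

$since = (Get-Date).AddHours(-$Hours)

# 4740 = account locked out (logged on the DC, carries the caller computer name)
# 4625 = logon failure (logged where the attempt landed, carries workstation + source IP)
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4740, 4625
    StartTime = $since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($e.Id -eq 4740) {
        # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field
        $acct = $data['TargetUserName']; $src = $data['TargetDomainName']
        $ip   = '-';                     $sub = '-'
    } else {
        $acct = $data['TargetUserName']; $src = $data['WorkstationName']
        $ip   = $data['IpAddress'];      $sub = $data['SubStatus']
    }
    if ($acct -ne $TargetUser) { continue }

    [pscustomobject]@{
        Time      = $e.TimeCreated
        EventId   = $e.Id
        Source    = $src
        SourceIP  = $ip
        SubStatus = $sub   # 0xc000006a = wrong password, 0xc0000234 = account already locked
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize

# Which machine is feeding the bad passwords? Count failures per source.
$rows | Group-Object EventId, Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A source that appears only in 4625 with sub-status 0xc000006a but never in the TMG proxy log points at something authenticating through that server rather than a browser session, which matches the stored-credential case described above.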
Lenblock (Author) commented:

We found the solution.

It was the user's local account causing the problem. A part of their own software was most likely attempting to log on a service with an older password using his account.

He changed his local security policy:
Do not allow storage of passwords and credentials

Problem solved for now.
Will continue to find the real source.

Thanks for the suggestions.

Lenblock (Author) commented:
The locked-out account was caused by the user's own software.