Solved

One Active Directory account getting locked when the user unlocks the computer

Posted on 2014-10-17
17
568 Views
Last Modified: 2015-04-04
This is a problem for the Active Directory experts.

For a couple of months, we have had a domain account that occasionally gets locked when the user comes back from lunch and tries to unlock her screen.

We have investigated this problem a lot, and it is not related to a service or scheduled task running with saved credentials. It is also not related to the user having logged on to another computer or opened a session with RDP.

The following security events are registered on her local computer at the moment she tries to unlock her computer:


Nom du journal :Security
Source :       Microsoft-Windows-Security-Auditing
Date :         2014-10-16 15:23:23
ID de l’événement :4625
Catégorie de la tâche :Account Lockout
Niveau :       Information
Mots clés :    Audit Failure
Utilisateur :  N/A
Ordinateur :   SDESJARD1.cmce.ca
Description :
An account failed to log on.

Subject:
      Security ID:            Système
      Account Name:            SDESJARD1$
      Account Domain:            CMCE
      Logon ID:            0x3e7

Logon Type:                  7

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            sdesjard
      Account Domain:            CMCE

Failure Information:
      Failure Reason:            Account locked out.
      Status:                  0xc0000234
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x1c8
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      SDESJARD1
      Source Network Address:      127.0.0.1
      Source Port:            0

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
XML de l’événement :
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12546</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-16T19:23:23.784888500Z" />
    <EventRecordID>6587</EventRecordID>
    <Correlation />
    <Execution ProcessID="764" ThreadID="812" />
    <Channel>Security</Channel>
    <Computer>SDESJARD1.cmce.ca</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SDESJARD1$</Data>
    <Data Name="SubjectDomainName">CMCE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">sdesjard</Data>
    <Data Name="TargetDomainName">CMCE</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">7</Data>
    <Data Name="LogonProcessName">User32 </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">SDESJARD1</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x1c8</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>

That event appears as many times as the user tries to unlock the screen.
Notice the logon type is 7, meaning that the account gets locked when the user unlocks her screen.

On the domain controller security event log, we are getting the following events:

We are getting many of the following event:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/16/2014 3:23:23 PM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SRVAD1.cmce.ca
Description:
Kerberos pre-authentication failed.

Account Information:
      Security ID:            CMCE\sdesjard
      Account Name:            sdesjard

Service Information:
      Service Name:            krbtgt/CMCE

Network Information:
      Client Address:            ::ffff:172.16.29.8
      Client Port:            57989

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x12
      Pre-Authentication Type:      0

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-16T19:23:23.815617100Z" />
    <EventRecordID>845776691</EventRecordID>
    <Correlation />
    <Execution ProcessID="728" ThreadID="4308" />
    <Channel>Security</Channel>
    <Computer>SRVAD1.cmce.ca</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">sdesjard</Data>
    <Data Name="TargetSid">S-1-5-21-104411000-1224309326-1621235808-31284</Data>
    <Data Name="ServiceName">krbtgt/CMCE</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x12</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="IpAddress">::ffff:172.16.29.8</Data>
    <Data Name="IpPort">57989</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>

The following event occurred when the account got locked:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/16/2014 3:23:21 PM
Event ID:      4740
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      SRVAD1.cmce.ca
Description:
A user account was locked out.

Subject:
      Security ID:            SYSTEM
      Account Name:            SRVAD1$
      Account Domain:            CMCE
      Logon ID:            0x3e7

Account That Was Locked Out:
      Security ID:            CMCE\sdesjard
      Account Name:            sdesjard

Additional Information:
      Caller Computer Name:      SDESJARD1
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4740</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-16T19:23:21.132348300Z" />
    <EventRecordID>845776638</EventRecordID>
    <Correlation />
    <Execution ProcessID="728" ThreadID="4308" />
    <Channel>Security</Channel>
    <Computer>SRVAD1.cmce.ca</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">sdesjard</Data>
    <Data Name="TargetDomainName">SDESJARD1</Data>
    <Data Name="TargetSid">S-1-5-21-104411000-1224309326-1621235808-31284</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SRVAD1$</Data>
    <Data Name="SubjectDomainName">CMCE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>

We took the following actions to try to fix the problem:

Change the keyboard
Change the computer
Make a fresh new network user profile
Set the local policy to unlock the computer after 1 minute
The user knows her password and caps lock is not the problem.

I am a bit confused about the lock. It looks like the computer account is getting locked and the user account is also getting locked.

The local event 4625 shows the following info:
Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            sdesjard
      Account Domain:            CMCE

The Security ID shows "NULL SID". What does that mean?
If the domain user account is getting locked, should we see a local event on the computer?

I have parsed all the events and I can't find an event that can lead to the culprit.

Any idea is welcome.
0
Comment
Question by:SergeGregoire
17 Comments
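The three events quoted in the question (4625 on the workstation, 4771 and 4740 on the DC) are the pieces a lockout investigation is built from, and the way to read them is as a timeline: 4740 on the PDC emulator names the caller computer, and the wrong-password events logged on whichever DC received them just before that 4740 are the actual cause. The script below is an added example, not code from the question or the thread; it assumes the RSAT ActiveDirectory module, read access to the Security log on every DC, and uses the user name from the question.

```powershell
# Added example, not code from the original question. Assumes the RSAT
# ActiveDirectory module and read access to the Security log on every DC.
# The user name 'sdesjard' is the one from the question.
param(
    [string]$User  = 'sdesjard',
    [int]$Hours    = 24
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)

# Flatten the <EventData> of an event into a hashtable keyed by Data Name,
# the same names that appear in the XML views posted above.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# What the status codes on the page mean (RFC 4120 codes for 4771, NTSTATUS for 4776/4625).
$meaning = @{
    '0x18'       = 'Kerberos: wrong password (KDC_ERR_PREAUTH_FAILED)'
    '0x12'       = 'Kerberos: client revoked, i.e. already locked or disabled (KDC_ERR_CLIENT_REVOKED)'
    '0xc000006a' = 'NTLM: wrong password'
    '0xc0000234' = 'NTLM: account locked out'
}

# 1. Lockouts (4740) are always written on the PDC emulator, whichever DC
#    counted the bad passwords. TargetDomainName carries the caller computer name.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} | ForEach-Object {
    $d = Get-EventData $_
    if ($d['TargetUserName'] -ne $User) { return }
    [pscustomobject]@{
        Time = $_.TimeCreated; Dc = $pdc; Id = 4740
        Source = $d['TargetDomainName']; Code = '-'; Meaning = 'locked out'
    }
}

# 2. Bad-password attempts are written on whichever DC received them, so ask all of them.
#    4771 = Kerberos pre-auth failure (source is an IP), 4776 = NTLM (source is a workstation name).
$dcs = (Get-ADDomainController -Filter *).HostName
$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $since
    } | ForEach-Object {
        $d = Get-EventData $_
        if ($d['TargetUserName'] -ne $User) { return }
        $code = $d['Status'].ToLower()
        [pscustomobject]@{
            Time    = $_.TimeCreated; Dc = $dc; Id = $_.Id
            Source  = if ($_.Id -eq 4771) { $d['IpAddress'] } else { $d['Workstation'] }
            Code    = $code
            Meaning = if ($meaning.ContainsKey($code)) { $meaning[$code] } else { 'other' }
        }
    }
}

# 3. Timeline: the wrong-password events immediately BEFORE each 4740 are the cause;
#    0x12 / 0xc0000234 entries after it (like the 4771 posted above) are only symptoms.
$timeline = @($lockouts) + @($failures) | Sort-Object Time
$timeline | Format-Table Time, Dc, Id, Source, Code, Meaning -AutoSize

# 4. Which source sent the most wrong passwords?
$timeline | Where-Object { $_.Code -in '0x18', '0xc000006a' } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object @{n='Source';e={$_.Name}}, Count | Format-Table -AutoSize
```

Read the timeline from the 4740 backwards: in the events quoted above, the 4740 is stamped 15:23:21 and the 4771 with failure code 0x12 two seconds later, so those 4771 entries are the effect of the lockout (the KDC refusing an already locked client), not what caused it; the 0x18 or 0xc000006a entries before 15:23:21, and the source they name, are what to look at.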
 
LVL 14

Expert Comment

by:Don Thomson
ID: 40387446
A couple of questions

You said that the computer and the account are getting locked out when she returns from lunch.
Can you replicate the problem by locking the PC for 1 minute and try to unlock it?

Have you tried to change the name of the Computer?
Have you tried to change the account name?

I've seen this happen and it usually happens when the account name is a subset of the Domain or computer name.

Such as John@johnhopkins.com
0
 
LVL 16

Expert Comment

by:Joshua Grantom
ID: 40387517
I would also reset the computer account in ADUC and restart the PC
0
 
LVL 12

Expert Comment

by:Vaseem Mohammed
ID: 40387592
To properly reset the computer account password, disjoin the computer from the domain, then reset the computer account and join it back (don't change the computer account).
To troubleshoot the user account lockout, enable Netlogon logging.
### Enabled Netlogon Logging
nltest /dbflag:0x20000004

### Disabled Netlogon Logging
nltest /dbflag:0x0


Use some log tail software and check the log file netlogon.log located at c:\windows\debug.

You will be able to see where the authentication request is coming from.
It is possible that the user has an Exchange mail account configured on a smartphone and did not change the password on the device.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40389224
One thing to check is mapped drives, and control keymgr.dll to see whether the user has saved old credentials for the purpose of accessing a specific resource.

Is the lockout event coming from the user's system?

Does the user log into the system while on the LAN as the system boots up, or is the system a mobile/laptop such that the user takes it home and, when in the office, docks it while resuming her original session?

The reason for the above deals with the user authenticating into the laptop using cached credentials rather than the credentials on the Server following a password change.

One way to confirm is to reboot the system and, while it is connected to the LAN, authenticate.
0
 
LVL 1

Author Comment

by:SergeGregoire
ID: 40392055
We changed the computer for another one freshly installed with a new user profile, so the trust relationship with the domain is not an issue.

This is a laptop, and when the computer is undocked, it automatically connects to a wireless network. The user brings the computer home and connects via VPN.

Haven't tried to rename the computer account or user account. Renaming the user account is not an option.

It is not saved credentials or mapped drives.

I will try to enable Netlogon logging.

Thank you for the suggestions.
0
 
LVL 10

Expert Comment

by:Pramod Ubhe
ID: 40394317
You can also run this command to see all the locally cached credentials:

control keymgr.dll
0
 
LVL 1

Author Comment

by:SergeGregoire
ID: 40397696
The account just locked again at 13:09:00.

The following is from the netlogon.log.


10/22 13:08:59 [MISC] DsGetDcName function called: Dom:DOMAIN Acct:(null) Flags: IP KDC
10/22 13:08:59 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:08:59 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:08:59 [MISC] DsGetDcName function returns 0: Dom:DOMAIN Acct:(null) Flags: IP KDC
10/22 13:09:52 [MISC] DsGetDcName function called: Dom:domain.ca Acct:(null) Flags: WRITABLE LDAPONLY RET_DNS
10/22 13:09:52 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:52 [MISC] NetpDcGetName: domain.ca using cached information
10/22 13:09:52 [MISC] DsGetDcName function returns 0: Dom:domain.ca Acct:(null) Flags: WRITABLE LDAPONLY RET_DNS
10/22 13:09:52 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags: DS GC RET_DNS
10/22 13:09:52 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:52 [MISC] NetpDcGetName: domain.ca. cache is too old. 16496061
10/22 13:09:52 [MAILSLOT] NetpDcPingListIp: domain.ca.: Sent UDP ping to 172.16.29.52
10/22 13:09:52 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to SRVDCDEV1.dev.domain.ca
10/22 13:09:52 [MISC] NlPingDcNameWithContext: SRVDCDEV1.dev.domain.ca responded over IP.
10/22 13:09:52 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:52 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags: DS GC RET_DNS
10/22 13:09:52 [MISC] DsGetDcName function called: Dom:DEV.DOMAIN.CA Acct:(null) Flags: IP KDC
10/22 13:09:52 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:52 [MISC] NetpDcGetName: DEV.DOMAIN.CA cache is too old. 16496060
10/22 13:09:52 [MAILSLOT] NetpDcPingListIp: DEV.DOMAIN.CA: Sent UDP ping to 172.16.29.52
10/22 13:09:52 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to SRVDCDEV1.dev.domain.ca
10/22 13:09:52 [MISC] NlPingDcNameWithContext: SRVDCDEV1.dev.domain.ca responded over IP.
10/22 13:09:52 [MISC] NetpDcGetName: DEV.DOMAIN.CA using cached information
10/22 13:09:52 [MISC] DsGetDcName function returns 0: Dom:DEV.DOMAIN.CA Acct:(null) Flags: IP KDC
10/22 13:09:53 [MISC] DsGetDcName function called: Dom:DOMAIN Acct:(null) Flags: DS RET_DNS
10/22 13:09:53 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. cache is too old. 16737846
10/22 13:09:53 [MAILSLOT] NetpDcPingListIp: domain.ca.: Sent UDP ping to 172.16.29.8
10/22 13:09:53 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to SRVAD2.domain.ca
10/22 13:09:53 [MISC] NlPingDcNameWithContext: SRVAD2.domain.ca responded over IP.
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:53 [MISC] DsGetDcName function returns 0: Dom:DOMAIN Acct:(null) Flags: DS RET_DNS
10/22 13:09:53 [MISC] DsGetDcName function called: Dom:DOMAIN Acct:(null) Flags: DS RET_DNS
10/22 13:09:53 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:53 [MISC] DsGetDcName function returns 0: Dom:DOMAIN Acct:(null) Flags: DS RET_DNS
10/22 13:09:53 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags:
10/22 13:09:53 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:53 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags:
10/22 13:09:53 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags:
10/22 13:09:53 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:53 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags:

The dev.domain.ca is a one-way trust sub-domain and there is no SDESJARD on this domain. I don't know exactly what those commands mean.

There are 2 DCs on the subnet domain.ca and they are SRVAD1 and SRVAD2.
0
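The nltest commands suggested earlier and the netlogon.log excerpt just posted illustrate the two sides of Netlogon logging: the [MISC] DsGetDcName lines above are the client's DC-discovery chatter and never name a source, whereas the netlogon.log on each domain controller records "SamLogon ... from WORKSTATION ... Returns 0x..." lines for every authentication it processes. The following is an added example, not code from the thread, that parses such DC-side lines and groups the wrong-password returns by sending workstation. The log lines are constructed for the example (the workstation and account names other than sdesjard/SDESJARD1/SRVAD1 are made up); real ones come from C:\Windows\debug\netlogon.log on each DC after enabling logging, for which Microsoft's usual flag is 0x2080ffff.

```powershell
# Added example, not code from the thread. Parses DC-side netlogon.log SamLogon lines
# and reports which workstation sent wrong passwords for an account.

# Constructed sample: a few DC-side lines in the real netlogon.log layout. A client-side
# [MISC] line is included to show that it is ignored by the parser.
$sample = @'
10/22 13:08:55 [MISC] DsGetDcName function called: Dom:DOMAIN Acct:(null) Flags: IP KDC
10/22 13:08:57 [LOGON] [1320] CMCE: SamLogon: Transitive Network logon of CMCE\sdesjard from SDESJARD1 (via SRVAD1) Entered
10/22 13:08:57 [LOGON] [1320] CMCE: SamLogon: Transitive Network logon of CMCE\sdesjard from SDESJARD1 (via SRVAD1) Returns 0xC000006A
10/22 13:08:58 [LOGON] [1320] CMCE: SamLogon: Transitive Network logon of CMCE\sdesjard from SDESJARD1 (via SRVAD1) Returns 0xC000006A
10/22 13:08:58 [LOGON] [1320] CMCE: SamLogon: Network logon of CMCE\sdesjard from PHONE-SYNC Returns 0xC000006A
10/22 13:08:59 [LOGON] [1320] CMCE: SamLogon: Transitive Network logon of CMCE\sdesjard from SDESJARD1 (via SRVAD1) Returns 0xC000006A
10/22 13:09:00 [LOGON] [1320] CMCE: SamLogon: Transitive Network logon of CMCE\sdesjard from SDESJARD1 (via SRVAD1) Returns 0xC0000234
10/22 13:09:01 [LOGON] [1320] CMCE: SamLogon: Network logon of CMCE\jdoe from SRVFILE1 Returns 0x0
'@

# NTSTATUS values that matter for a lockout investigation.
$codeMeaning = @{
    '0x0'        = 'success'
    '0xC000006A' = 'wrong password (STATUS_WRONG_PASSWORD)'
    '0xC0000234' = 'account locked out (STATUS_ACCOUNT_LOCKED_OUT)'
}

# Turn every "SamLogon ... Returns 0x..." line into an object; "Entered" lines and
# [MISC] lines do not match and are dropped.
function ConvertFrom-NetlogonLog {
    param([Parameter(Mandatory)][string[]]$Lines)
    $rx = 'SamLogon: (?<kind>.+?) logon of (?<acct>\S+) from (?<ws>\S+).*Returns (?<code>0x[0-9A-Fa-f]+)'
    foreach ($line in $Lines) {
        if ($line -match $rx) {
            $code = '0x' + $Matches.code.Substring(2).ToUpper()
            [pscustomobject]@{
                Time        = ($line -split ' ')[0..1] -join ' '
                Kind        = $Matches.kind
                Account     = $Matches.acct
                Workstation = $Matches.ws
                Code        = $code
                Meaning     = if ($codeMeaning.ContainsKey($code)) { $codeMeaning[$code] } else { 'other' }
            }
        }
    }
}

# Count wrong-password returns per sending workstation for one account.
function Get-BadPasswordSources {
    param([Parameter(Mandatory)][string[]]$Lines, [Parameter(Mandatory)][string]$Account)
    ConvertFrom-NetlogonLog -Lines $Lines |
        Where-Object { $_.Account -like "*\$Account" -and $_.Code -eq '0xC000006A' } |
        Group-Object Workstation | Sort-Object Count -Descending |
        ForEach-Object {
            [pscustomobject]@{
                Workstation  = $_.Name
                BadPasswords = $_.Count
                First        = $_.Group[0].Time
                Last         = $_.Group[-1].Time
            }
        }
}

$lines = $sample -split "`r?`n"

# Who sent the bad passwords, and when did the lockout threshold trip?
Get-BadPasswordSources -Lines $lines -Account 'sdesjard' | Format-Table -AutoSize
ConvertFrom-NetlogonLog -Lines $lines |
    Where-Object { $_.Code -eq '0xC0000234' } |
    Format-Table Time, Account, Workstation, Meaning -AutoSize

# On a real DC, replace $lines with:
#   $lines = Get-Content C:\Windows\debug\netlogon.log
```

With the constructed sample the summary shows SDESJARD1 with three wrong passwords and PHONE-SYNC with one before the 0xC0000234 at 13:09:00, which is the pattern to look for: the workstation names in the SamLogon lines, not the DsGetDcName lines, tell you where the bad credential is coming from, so the log worth tailing is the one on SRVAD1 and SRVAD2 rather than on the laptop.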
 
LVL 76

Expert Comment

by:arnold
ID: 40397821
Do you have a VPN that uses AD logins?

There is a local tool that scans the DC security logs to identify the source of requests that lead to the account lockout.

The logon type will tell you whether the issue is an initial login, or whether the issue is a result of accessing network resources with saved outdated credentials.

Ask the user who is being locked out whether they changed their password shortly before this issue began.
If the person did, they may have configured their home computer to check their company email, connect to the LAN via VPN; is x-auth used for wifi access? They did not update all the devices they have that authenticate to the various services.

Could sdesjard be a router/switch or a system on the subdomain?
0

 
LVL 1

Author Comment

by:SergeGregoire
ID: 40397921
I don't think this is a VPN authentication problem. She connects from home using VPN and a SecurID with that same computer and it never locks out at home.

The event ID 4625 is a local computer lockout. I will try to rename the computer and see if it fixes the problem.

I tried to reproduce the problem with two other computers and a test account, and locking the network account from one computer never generated event 4625 on the local computer.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40397952
Renaming the computer is of no consequence; all it will confirm is that once the name is changed, the account will resume being locked out from the new name.

Do you use folder redirection?

Detecting/isolating needs to start from the DCs, from which you can search the security event log to see the source of the 4265 event ID.
Within that, you should be able to see the logon type, and the workstation from which the packet was received.

The local computer, when on the LAN, is subordinate to the DCs and will send auth requests to the DC without regard to whether there is a cached credential. There is either an entry in
control keymgr.dll for \\someserver\somefolder using username@oldpassword.
This is what locks the account up when oldpassword is now newpassword.
I believe this is a laptop system docking.
Does your WIFI require username/password or is it IEEE 802.1X configured?


To narrow the scope of your search: has the user recently changed the password in AD?

Do you have a terminal server in the environment that the user uses and where the user currently has an active/disconnected session?
0
 
LVL 1

Author Comment

by:SergeGregoire
ID: 40400419
I haven't renamed the computer. I noticed that the user changed her password yesterday morning. I will wait for the next lock to analyze again. I have enabled logon/logoff success and failure auditing on the local computer.

The WIFI authenticates using IEEE 802.1X configured by GPO.

I noticed that there are more computers with similar account locks.

I also noticed that many local Administrator accounts are getting locked. The local Administrator account is never used to log on except to join the computer to the domain and install some software by the techs.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40400764
Do you have an Internet-facing app, i.e. OWA, etc.? Check the externally facing systems to make sure those are not being attacked for password ........ discovery.
0
 
LVL 1

Author Comment

by:SergeGregoire
ID: 40695921
The problem was probably the end user.
0
 
LVL 1

Accepted Solution

by:
SergeGregoire earned 0 total points
ID: 40696304
I've requested that this question be closed as follows:

Accepted answer: 0 points for SergeGregoire's comment #a40695921

for the following reason:

.
0
 
LVL 76

Expert Comment

by:arnold
ID: 40696305
Attributing the issue to the user: presumably, after the password was changed and all resources the user was using were updated to use the new password, the issue was resolved.

I believe comments here assisted you in resolving this issue as well as providing you a map to resolve it should user account lockouts occur again.
0
 
LVL 1

Author Comment

by:SergeGregoire
ID: 40696367
None of what was proposed as a solution helped us resolve the issue. Everything that was proposed had already been checked.

After observing the user, it was brought to our attention that the user was typing very fast and retrying to enter the password many times.
0
 
LVL 1

Author Closing Comment

by:SergeGregoire
ID: 40706168
None of what was proposed as a solution helped us resolve the issue. Everything that was proposed had already been checked.

After observing the user, it was brought to our attention that the user was typing very fast and retrying to enter the password many times.
0
