Stephan Bourgeois (Canada) asked:
One Active Directory account getting locked when the user unlocks the computer

This is a problem for the Active Directory experts.

For a couple of months, we have had a domain account that gets locked occasionally when the user comes back from lunch and tries to unlock her screen.

We have investigated this problem a lot, and it is not related to a service or scheduled task running with saved credentials. It is also not related to the user having logged on to another computer or opened a session with RDP.

The following security events are registered on her local computer at the moment she tries to unlock her computer:


Nom du journal :Security
Source :       Microsoft-Windows-Security-Auditing
Date :         2014-10-16 15:23:23
ID de l’événement :4625
Catégorie de la tâche :Account Lockout
Niveau :       Information
Mots clés :    Audit Failure
Utilisateur :  N/A
Ordinateur :   SDESJARD1.cmce.ca
Description :
An account failed to log on.

Subject:
      Security ID:            Système
      Account Name:            SDESJARD1$
      Account Domain:            CMCE
      Logon ID:            0x3e7

Logon Type:                  7

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            sdesjard
      Account Domain:            CMCE

Failure Information:
      Failure Reason:            Account locked out.
      Status:                  0xc0000234
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x1c8
      Caller Process Name:      C:\Windows\System32\winlogon.exe

Network Information:
      Workstation Name:      SDESJARD1
      Source Network Address:      127.0.0.1
      Source Port:            0

Detailed Authentication Information:
      Logon Process:            User32
      Authentication Package:      Negotiate
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
XML de l’événement :
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12546</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-16T19:23:23.784888500Z" />
    <EventRecordID>6587</EventRecordID>
    <Correlation />
    <Execution ProcessID="764" ThreadID="812" />
    <Channel>Security</Channel>
    <Computer>SDESJARD1.cmce.ca</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SDESJARD1$</Data>
    <Data Name="SubjectDomainName">CMCE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">sdesjard</Data>
    <Data Name="TargetDomainName">CMCE</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">7</Data>
    <Data Name="LogonProcessName">User32 </Data>
    <Data Name="AuthenticationPackageName">Negotiate</Data>
    <Data Name="WorkstationName">SDESJARD1</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x1c8</Data>
    <Data Name="ProcessName">C:\Windows\System32\winlogon.exe</Data>
    <Data Name="IpAddress">127.0.0.1</Data>
    <Data Name="IpPort">0</Data>
  </EventData>
</Event>

That event appears as many times as the user tries to unlock the screen.
Notice the logon type is 7, meaning that the account is getting locked when the user unlocks her screen.

On the domain controller security events log, we are getting the following events:

We are getting many of the following event:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/16/2014 3:23:23 PM
Event ID:      4771
Task Category: Kerberos Authentication Service
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      SRVAD1.cmce.ca
Description:
Kerberos pre-authentication failed.

Account Information:
      Security ID:            CMCE\sdesjard
      Account Name:            sdesjard

Service Information:
      Service Name:            krbtgt/CMCE

Network Information:
      Client Address:            ::ffff:172.16.29.8
      Client Port:            57989

Additional Information:
      Ticket Options:            0x40810010
      Failure Code:            0x12
      Pre-Authentication Type:      0

Certificate Information:
      Certificate Issuer Name:            
      Certificate Serial Number:       
      Certificate Thumbprint:            

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options and failure codes are defined in RFC 4120.

If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4771</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14339</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-16T19:23:23.815617100Z" />
    <EventRecordID>845776691</EventRecordID>
    <Correlation />
    <Execution ProcessID="728" ThreadID="4308" />
    <Channel>Security</Channel>
    <Computer>SRVAD1.cmce.ca</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">sdesjard</Data>
    <Data Name="TargetSid">S-1-5-21-104411000-1224309326-1621235808-31284</Data>
    <Data Name="ServiceName">krbtgt/CMCE</Data>
    <Data Name="TicketOptions">0x40810010</Data>
    <Data Name="Status">0x12</Data>
    <Data Name="PreAuthType">0</Data>
    <Data Name="IpAddress">::ffff:172.16.29.8</Data>
    <Data Name="IpPort">57989</Data>
    <Data Name="CertIssuerName">
    </Data>
    <Data Name="CertSerialNumber">
    </Data>
    <Data Name="CertThumbprint">
    </Data>
  </EventData>
</Event>

The following event occurred when the account got locked:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/16/2014 3:23:21 PM
Event ID:      4740
Task Category: User Account Management
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      SRVAD1.cmce.ca
Description:
A user account was locked out.

Subject:
      Security ID:            SYSTEM
      Account Name:            SRVAD1$
      Account Domain:            CMCE
      Logon ID:            0x3e7

Account That Was Locked Out:
      Security ID:            CMCE\sdesjard
      Account Name:            sdesjard

Additional Information:
      Caller Computer Name:      SDESJARD1
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4740</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2014-10-16T19:23:21.132348300Z" />
    <EventRecordID>845776638</EventRecordID>
    <Correlation />
    <Execution ProcessID="728" ThreadID="4308" />
    <Channel>Security</Channel>
    <Computer>SRVAD1.cmce.ca</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="TargetUserName">sdesjard</Data>
    <Data Name="TargetDomainName">SDESJARD1</Data>
    <Data Name="TargetSid">S-1-5-21-104411000-1224309326-1621235808-31284</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">SRVAD1$</Data>
    <Data Name="SubjectDomainName">CMCE</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData>
</Event>

We took the following actions to try to fix the problem:

Changed the keyboard
Changed the computer
Made a fresh new network user profile
Set the local policy to unlock the computer after 1 minute
The user knows her password and caps lock is not the problem.

I am a bit confused about the lock. It looks like the computer account is getting locked and the user account is also getting locked.

The local event 4625 shows the following info:
Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            sdesjard
      Account Domain:            CMCE

The Security ID shows "NULL SID". What does that mean?
If the domain user account is getting locked, should we see a local event on the computer?

I have parsed all the events and I can't find an event that can lead to the culprit.

Any idea is welcome.
Don Thomson:

A couple of questions

You said that the computer and the account are getting locked out when she returns from lunch.
Can you replicate the problem by locking the PC for 1 minute and trying to unlock it?

Have you tried to change the name of the Computer?
Have you tried to change the account name?

I've seen this happen and it usually happens when the account name is a subset of the Domain or computer name.

Such as John@johnhopkins.com
I would also reset the computer account in ADUC and restart the PC
To properly reset the computer account password, disjoin the computer from the domain, then reset the computer account and join it back (don't change the computer account).
To troubleshoot the user account lockout, enable Netlogon logging.
### Enable Netlogon logging
nltest /dbflag:0x20000004

### Disable Netlogon logging
nltest /dbflag:0x0


Use some log tail software and check the log file netlogon.log located at c:\windows\debug.

You will be able to see where the authentication request is coming from.
There is a possibility that the user has an Exchange mail account configured on a smartphone and did not change the password on the device.
One thing to check is mapped drives, and control keymgr.dll, to see whether the user has saved old credentials for the purpose of accessing a specific resource.

Is the lockout event coming from the user's system?

Does the user log in to the system while on the LAN as the system boots up, or is the system a mobile/laptop such that the user takes it home and, when in the office, docks it while resuming her original session?

The reason for the above deals with the user authenticating into the laptop using cached credentials rather than the credentials on the Server following a password change.

One way to confirm is to reboot the system and authenticate while it is connected to the LAN.
Stephan Bourgeois (asker):

We changed the computer for another one freshly installed with a new user profile, so the trust relationship with the domain is not an issue.

This is a laptop, and when the computer is undocked it automatically connects to a wireless network. The user brings the computer home and connects over VPN.

Haven't tried to rename the computer account or user account. Renaming the user account is not an option.

It is not saved credentials or mapped drives.

I will try to enable the Netlogon logging.

Thank you for the suggestions.
You can also run this command to see all the locally cached credentials:

control keymgr.dll
The account just locked again at 13:09:00.

The following is from the netlogon.log.


10/22 13:08:59 [MISC] DsGetDcName function called: Dom:DOMAIN Acct:(null) Flags: IP KDC
10/22 13:08:59 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:08:59 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:08:59 [MISC] DsGetDcName function returns 0: Dom:DOMAIN Acct:(null) Flags: IP KDC
10/22 13:09:52 [MISC] DsGetDcName function called: Dom:domain.ca Acct:(null) Flags: WRITABLE LDAPONLY RET_DNS
10/22 13:09:52 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:52 [MISC] NetpDcGetName: domain.ca using cached information
10/22 13:09:52 [MISC] DsGetDcName function returns 0: Dom:domain.ca Acct:(null) Flags: WRITABLE LDAPONLY RET_DNS
10/22 13:09:52 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags: DS GC RET_DNS
10/22 13:09:52 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:52 [MISC] NetpDcGetName: domain.ca. cache is too old. 16496061
10/22 13:09:52 [MAILSLOT] NetpDcPingListIp: domain.ca.: Sent UDP ping to 172.16.29.52
10/22 13:09:52 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to SRVDCDEV1.dev.domain.ca
10/22 13:09:52 [MISC] NlPingDcNameWithContext: SRVDCDEV1.dev.domain.ca responded over IP.
10/22 13:09:52 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:52 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags: DS GC RET_DNS
10/22 13:09:52 [MISC] DsGetDcName function called: Dom:DEV.DOMAIN.CA Acct:(null) Flags: IP KDC
10/22 13:09:52 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:52 [MISC] NetpDcGetName: DEV.DOMAIN.CA cache is too old. 16496060
10/22 13:09:52 [MAILSLOT] NetpDcPingListIp: DEV.DOMAIN.CA: Sent UDP ping to 172.16.29.52
10/22 13:09:52 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to SRVDCDEV1.dev.domain.ca
10/22 13:09:52 [MISC] NlPingDcNameWithContext: SRVDCDEV1.dev.domain.ca responded over IP.
10/22 13:09:52 [MISC] NetpDcGetName: DEV.DOMAIN.CA using cached information
10/22 13:09:52 [MISC] DsGetDcName function returns 0: Dom:DEV.DOMAIN.CA Acct:(null) Flags: IP KDC
10/22 13:09:53 [MISC] DsGetDcName function called: Dom:DOMAIN Acct:(null) Flags: DS RET_DNS
10/22 13:09:53 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. cache is too old. 16737846
10/22 13:09:53 [MAILSLOT] NetpDcPingListIp: domain.ca.: Sent UDP ping to 172.16.29.8
10/22 13:09:53 [MISC] NlPingDcNameWithContext: Sent 1/1 ldap pings to SRVAD2.domain.ca
10/22 13:09:53 [MISC] NlPingDcNameWithContext: SRVAD2.domain.ca responded over IP.
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:53 [MISC] DsGetDcName function returns 0: Dom:DOMAIN Acct:(null) Flags: DS RET_DNS
10/22 13:09:53 [MISC] DsGetDcName function called: Dom:DOMAIN Acct:(null) Flags: DS RET_DNS
10/22 13:09:53 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:53 [MISC] DsGetDcName function returns 0: Dom:DOMAIN Acct:(null) Flags: DS RET_DNS
10/22 13:09:53 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags:
10/22 13:09:53 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:53 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags:
10/22 13:09:53 [MISC] DsGetDcName function called: Dom:(null) Acct:(null) Flags:
10/22 13:09:53 [MISC] NetpDcInitializeContext: DSGETDC_VALID_FLAGS is c01ffff1
10/22 13:09:53 [MISC] NetpDcGetName: domain.ca. using cached information
10/22 13:09:53 [MISC] DsGetDcName function returns 0: Dom:(null) Acct:(null) Flags:

The dev.domain.ca is a one-way trust sub-domain and there is no SDESJARD on this domain. I don't know exactly what those commands mean.

There are 2 DCs on the subnet domain.ca, and they are SRVAD1 and SRVAD2.
Do you have A VPN that uses AD logins?

There is a local tool that scans the DC security logs to identify the source of the requests that lead to the account lockout.

The logon type will tell you whether the issue is an initial login, or whether the issue is a result of accessing network resources with saved outdated credentials.

Ask the user who is being locked out whether they changed their password shortly before this issue began.
If the person did, they may have configured their home computer to check their company email or connect to the LAN via VPN; is x-auth used for wifi access? They did not update all the devices they have that authenticate to the various services.

Could sdesjard be a router/switch or a system on the subdomain?
I don't think this is a VPN authentication problem. She connects from home using VPN and a SecurID with that same computer, and it never locked out at home.

The event ID 4625 is a local computer lockout. I will try to rename the computer and see if it fixes the problem.

I tried to reproduce the problem with two other computers and a test account, and locking the network account from one computer never generated event 4625 on the local computer.
Renaming the computer is of no consequence; all it will confirm is that once the name is changed, the account will resume being locked out from the new name.

do you use folder redirection?  

Detecting/isolating needs to start from the DCs, from which you can search the security event log to see the source of the 4625 event ID.
Within that, you should be able to see the logon type and the workstation from which the packet was received.

The local computer, when on the LAN, is subordinated to the DCs and will send auth requests to the DC without regard to whether there is a cached credential. There is either an entry in
control keymgr.dll for \\someserver\somefolder using username@oldpassword.
This is what locks the account up when oldpassword is now newpassword.
I believe this is a laptop system docking.
Does your WIFI require username/password or is it IEEE 802.1x configured?


To narrow the scope of your search: has the user recently changed the password on the AD?

Do you have a terminal server in the environment that the user uses and where the user currently has an active/disconnected session?
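To make the "start from the DC's security log" advice above concrete, here is an added example (written for this thread, not code from the question or from any Microsoft tool) that parses Security events in the XML export format quoted in the question and separates the cause of a lockout from its symptoms. A 4771 with failure code 0x12 and a 4625 with status 0xc0000234 only say "already locked" and appear after the 4740; the source of the lockout is the 4740's Caller Computer Name (carried in the TargetDomainName field) together with the 4771 code 0x18 / 4625 status 0xc000006a bad-password failures that precede it. The sample events are constructed for the example, modelled on the names and addresses in the question, and the bad-password 4771s are assumed, since the question only shows the post-lockout failures.

```python
"""Correlate Windows Security events 4771, 4625 and 4740 for a lockout investigation.
Added example for this thread; parses the Security log's Event XML export format."""
import xml.etree.ElementTree as ET
from datetime import datetime

EVENT_NS = "http://schemas.microsoft.com/win/2004/08/events/event"
NS = {"e": EVENT_NS}

# Kerberos pre-authentication failure codes (RFC 4120) carried in the 4771 "Status" field
KRB_STATUS = {"0x12": "KDC_ERR_CLIENT_REVOKED (account locked/disabled)",
              "0x18": "KDC_ERR_PREAUTH_FAILED (bad password)"}
# NTSTATUS values carried in the 4625 "Status" field
NT_STATUS = {"0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
             "0xc000006a": "STATUS_WRONG_PASSWORD"}
LOGON_TYPE = {"2": "Interactive", "3": "Network", "7": "Unlock", "10": "RemoteInteractive"}


def parse_event(xml_text):
    """Flatten one <Event> into a dict: id, computer, time (UTC) plus every <Data Name=...>."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    stamp = system.find("e:TimeCreated", NS).get("SystemTime")
    ev = {"id": int(system.find("e:EventID", NS).text),
          "computer": system.find("e:Computer", NS).text,
          # the log writes 100 ns precision; whole seconds are enough for correlation
          "time": datetime.strptime(stamp[:19], "%Y-%m-%dT%H:%M:%S")}
    for d in root.find("e:EventData", NS).findall("e:Data", NS):
        ev[d.get("Name")] = (d.text or "").strip()
    return ev


def describe(ev):
    """One human-readable timeline line per event."""
    t = ev["time"].strftime("%H:%M:%S")
    if ev["id"] == 4740:
        # in 4740 the TargetDomainName field carries the "Caller Computer Name"
        return f"{t} 4740 LOCKOUT of {ev['TargetUserName']} on {ev['computer']}, caller computer {ev['TargetDomainName']}"
    if ev["id"] == 4771:
        why = KRB_STATUS.get(ev["Status"].lower(), ev["Status"])
        return f"{t} 4771 Kerberos pre-auth failed for {ev['TargetUserName']} from {ev['IpAddress']}: {why}"
    if ev["id"] == 4625:
        why = NT_STATUS.get(ev["Status"].lower(), ev["Status"])
        kind = LOGON_TYPE.get(ev["LogonType"], ev["LogonType"])
        return f"{t} 4625 {kind} logon failed for {ev['TargetUserName']} on {ev['WorkstationName']} ({ev['ProcessName']}): {why}"
    return f"{t} {ev['id']} (not handled)"


def analyze(xml_events, account, window_seconds=900):
    """Split bad-password failures before the 4740 (the cause, keyed by source) from
    failures after it that merely report the account is already locked (symptoms)."""
    events = sorted((parse_event(x) for x in xml_events), key=lambda e: e["time"])
    events = [e for e in events if e.get("TargetUserName", "").lower() == account.lower()]
    lockouts = [e for e in events if e["id"] == 4740]
    if not lockouts:
        return {"locked_out": False, "events": len(events)}
    lock = lockouts[0]
    sources, symptoms = {}, 0
    for e in events:
        status = e.get("Status", "").lower()
        age = (lock["time"] - e["time"]).total_seconds()  # seconds before the lockout
        if e["id"] == 4771 and status == "0x18" and 0 <= age <= window_seconds:
            sources[e["IpAddress"]] = sources.get(e["IpAddress"], 0) + 1
        elif e["id"] == 4625 and status == "0xc000006a" and 0 <= age <= window_seconds:
            sources[e["WorkstationName"]] = sources.get(e["WorkstationName"], 0) + 1
        elif e["time"] >= lock["time"] and status in ("0x12", "0xc0000234"):
            symptoms += 1
    return {"locked_out": True, "account": lock["TargetUserName"],
            "lockout_time_utc": lock["time"].isoformat(),
            "caller_computer": lock["TargetDomainName"],
            "bad_password_sources": sources,
            "post_lockout_failures": symptoms,
            "timeline": [describe(e) for e in events]}


def make_event(event_id, computer, system_time, data):
    """Build a minimal <Event> in the Security log's XML shape (constructed sample data)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{EVENT_NS}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/><Computer>{computer}</Computer>'
            f'</System><EventData>{body}</EventData></Event>')


DC, PC, IP = "SRVAD1.cmce.ca", "SDESJARD1", "::ffff:172.16.29.8"
# Constructed sample: three wrong passwords at the unlock prompt (assumed, not in the question),
# then the lockout, then the two "already locked" failures the question actually shows.
SAMPLE = [
    make_event(4771, DC, f"2014-10-16T19:23:{s:02d}.000000000Z",
               {"TargetUserName": "sdesjard", "ServiceName": "krbtgt/CMCE", "Status": "0x18",
                "PreAuthType": "2", "IpAddress": IP, "IpPort": str(57980 + s)})
    for s in (5, 12, 18)
] + [
    make_event(4740, DC, "2014-10-16T19:23:21.132348300Z",
               {"TargetUserName": "sdesjard", "TargetDomainName": PC,
                "SubjectUserName": "SRVAD1$", "SubjectDomainName": "CMCE"}),
    make_event(4771, DC, "2014-10-16T19:23:23.815617100Z",
               {"TargetUserName": "sdesjard", "ServiceName": "krbtgt/CMCE", "Status": "0x12",
                "PreAuthType": "0", "IpAddress": IP, "IpPort": "57989"}),
    make_event(4625, f"{PC}.cmce.ca", "2014-10-16T19:23:23.784888500Z",
               {"TargetUserName": "sdesjard", "TargetDomainName": "CMCE", "Status": "0xc0000234",
                "SubStatus": "0x0", "LogonType": "7", "WorkstationName": PC,
                "ProcessName": r"C:\Windows\System32\winlogon.exe", "IpAddress": "127.0.0.1"}),
]

if __name__ == "__main__":
    result = analyze(SAMPLE, "sdesjard")
    print("\n".join(result["timeline"]))
    print("caller computer:", result["caller_computer"])
    print("bad-password sources before lockout:", result["bad_password_sources"])
    print("failures that only report 'already locked':", result["post_lockout_failures"])
```

Run against real data, feed it the XML of every 4740, 4771 and 4625 for the account from each DC's Security log (the events are only on the DC that processed them, so collect from all DCs, and the PDC emulator gets a copy of every lockout). If the only pre-lockout bad passwords come from the user's own workstation IP with logon type 7, the source is the unlock prompt itself rather than a stale credential elsewhere, which is the distinction this thread ends up needing.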
I haven't renamed the computer. I noticed that the user changed her password yesterday morning. I will wait for the next lock to analyze again. I have enabled logon/logoff success and failure auditing on the local computer.

The WIFI authenticates using IEEE 802.1x configured by GPO.

I noticed that there are more computers with similar account locks.

I also noticed that many local Administrator accounts are getting locked. The local Administrator account is never used to log on except to join the computer to the domain and install some software by the techs.
Do you have an Internet-facing app, i.e. OWA, etc.? Check the externally facing systems to make sure those are not being attacked for password ........ discovery.
The problem was probably the end user.
ASKER CERTIFIED SOLUTION by Stephan Bourgeois
Attributing the issue to the user: presumably, after the password was changed and all resources the user was using were updated to use the new password, the issue was resolved.

I believe the comments here assisted you in resolving this issue, as well as provided you a map to resolve it should user account lockouts occur again.
None of what was proposed as a solution helped us resolve the issue. Everything that was proposed had already been checked.

After observing the user, it was brought to our attention that the user was typing very fast and retrying to enter the password many times.