We help IT Professionals succeed at work.
Get Started

Users getting locked out did a trace not sure what all this means

2,801 Views
Last Modified: 2015-03-10
We've been having lockout issues on a number of users recently.

I have netlogon debug on my DC and my Cas server.

DC is 2008 R2, CAS is 2010 on 2008 R2

debug log on the DC I see this

03/03 16:04:57 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC000006A
03/03 16:04:58 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
[LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC000006A

after a few more of these I get this

03/03 16:05:01 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
[LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC)  Returns 0xC0000234
03/03 16:05:02 [LOGON] 92NDSTY: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Entered
03/03 16:05:02 [LOGON] domain: SamLogon: Transitive Interactive logon of (null)\staff from CAS (via DC) Returns 0xC0000234

From my cas debug log

03/03 16:04:54 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Entered
03/03 16:04:54 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
03/03 16:04:54 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Returns 0xC000006A
03/03 16:04:55 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Entered
03/03 16:04:55 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc000006a)
03/03 16:04:55 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Returns 0xC000006A
03/03 16:05:01 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonEx: 1761 (may be legitimate for 0xc0000234)
03/03 16:05:01 [LOGON] SamLogon: Interactive logon of (null)\staff from CAS Returns 0xC0000234

So based on the debug logs, and If i understand it correctly, it looks like the user tried to check email (via outlook/mobile device) but password was incorrect/wrong and after multiple tries the account got locked.

I checked the account and the computer password was not changed recently. His password did not expire. His phone password was not changed. He was signed in & working on his computer when his account got locked. What he did say was that outlook was open and then suddenly it prompted him to enter a username + password. he ignored it and then his account got locked.

Map drives do not require a password to be entered. IT dept mapped his drive for the user in question.
Comment
Watch Question
Enterprise Architecture Lead
CERTIFIED EXPERT
Most Valuable Expert 2015
Top Expert 2015
Commented:
This problem has been solved!
Unlock 1 Answer and 9 Comments.
See Answer
Why Experts Exchange?

Experts Exchange always has the answer, or at the least points me in the correct direction! It is like having another employee that is extremely experienced.

Jim Murphy
Programmer at Smart IT Solutions

When asked, what has been your best career decision?

Deciding to stick with EE.

Mohamed Asif
Technical Department Head

Being involved with EE helped me to grow personally and professionally.

Carl Webster
CTP, Sr Infrastructure Consultant
Ask ANY Question

Connect with Certified Experts to gain insight and support on specific technology challenges including:

  • Troubleshooting
  • Research
  • Professional Opinions
Did You Know?

We've partnered with two important charities to provide clean water and computer science education to those who need it most. READ MORE