singring
asked on
Why frequent account locked out - Event ID 4740
We have frequent account lockouts that seem to be originating at users' workstations:
A user account was locked out.

Subject:
    Security ID: S-1-5-18
    Account Name: DomainController$
    Account Domain: NT_DOMAIN
    Logon ID: 0x3e7

Account That Was Locked Out:
    Security ID: S-1-5-21-2030126595-979527223-1756834886-1337
    Account Name: JohnS

Additional Information:
    Caller Computer Name: JohnS-PC

It affects only certain workstations on the domain, and we cannot pinpoint what is actually causing this behavior. We started noticing it last week - on the day we added a new routable UPN suffix to all domain users. We have no idea if this is the cause or just a coincidence - we've seen this happening before, but it was usually caused by phones or persistent network connections. Any ideas how to track down the problem?
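One way to see which workstation and account pairs generate the most lockouts is to export the 4740 events as text and tally them. This is an added example, not part of the original thread; it parses the message layout quoted in the question, and the sample events (including the names DC01$ and MaryK) are constructed.

```python
import re
from collections import Counter

HEADER = "A user account was locked out."
# "Account Name" appears twice in a 4740 message (the reporting DC, then the
# locked-out user), so each pattern is tied to its own section header.
_TARGET = re.compile(r"Account That Was Locked Out:.*?Account Name:\s*(\S+)", re.S)
_DC = re.compile(r"Subject:.*?Account Name:\s*(\S+)", re.S)
_CALLER = re.compile(r"Caller Computer Name:[ \t]*(\S*)")

def parse_lockouts(text):
    """Split exported event text into 4740 records and extract key fields."""
    records = []
    for chunk in text.split(HEADER)[1:]:
        target = _TARGET.search(chunk)
        if not target:
            continue  # truncated record: skip it rather than guess
        dc = _DC.search(chunk)
        caller = _CALLER.search(chunk)
        records.append({
            "account": target.group(1),
            "dc": dc.group(1) if dc else "",
            # The caller field can be empty in real events; keep the record.
            "caller": caller.group(1) if caller else "",
        })
    return records

def tally(records):
    """Count lockouts per (account, caller computer), most frequent first."""
    counts = Counter(
        (r["account"].lower(), r["caller"].upper() or "<blank>")
        for r in records)  # AD names are case-insensitive, so normalise case
    return counts.most_common()

def _sample_event(account, caller, dc="DC01$"):
    # Constructed test data in the layout of the event quoted in the question.
    return (f"{HEADER}\nSubject: Security ID: S-1-5-18\n"
            f"Account Name: {dc}\nAccount Domain: NT_DOMAIN\nLogon ID: 0x3e7\n"
            f"Account That Was Locked Out: Security ID: S-1-5-21-0-0-0-1337\n"
            f"Account Name: {account}\n"
            f"Additional Information: Caller Computer Name: {caller}\n")

SAMPLE = "".join(_sample_event(a, c) for a, c in [
    ("JohnS", "JohnS-PC"), ("johns", "JOHNS-PC"), ("JohnS", ""), ("MaryK", "MaryK-PC")])

if __name__ == "__main__":
    for (account, caller), n in tally(parse_lockouts(SAMPLE)):
        print(f"{n:3d}  {account:<12} {caller}")
```

A pair that dominates the tally points at the machine to inspect first; records with a blank caller are reported separately instead of being dropped.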
ASKER
100% sure not a mapped drive or existing network connection. In a couple of cases we cleaned the stored credentials on the affected workstation and it fixed the problems. We have also noticed lots of Kerberos pre-authentication failed errors (event 5771) and account was logged off (event 4634). We enabled "Do not require Kerberos pre-authentication" on 2 accounts and it fixed the problem - not a single lockout.
Stored credentials always become an issue after password changes, as do ActiveSync devices, which will require passwords to be changed.
ASKER
100% right, but in this case we've cleared all stored credentials, and ActiveSync is not an issue here (we do not host our Exchange and are just preparing to implement federation).
ASKER CERTIFIED SOLUTION
http://sourceforge.net/projects/adlockouts/