Windows Vista Tips

Did you ever find out what was locking the account?

 
 
Joe Glim
01-06-2010
I am having almost the exact same issues. LockoutStatus shows that a remote DC is the "workstation" which is locking the account. I am getting event errors 675, Failure Code 0x12 which points to 127.0.0.1, and Event 539, Logon Type = 3 (network logon) - where the workstation name IS the name of the domain controller (the event is being logged on the same DC as the supposed workstation), and Event 680, logon attempt by Microsoft_Authentication_Package_v1_0, error code c0000234 (too many login attempts). I think the 680 though is a red herring - I have seen it happen for other user IDs and have not heard any issues.

I checked the services, tasks, registry, etc, same as you and could not find any reference to the account in question. I had already changed the password back to what it was before this whole mess started, and that has not helped.

This is a real stumper.

Thx for any info!

Joe








Previous Posts In This Thread:

On Thursday, March 27, 2008 2:06 PM
just bob wrote:

Hourly event locking account?
Ever since we changed all passwords in our 2003 AD we've tracked down all
the dependent services except one.

According to the event logs a specific Domain Admin account is locked, every
hour at the exact same minute and the source "Caller Machine Name" is always
the same Windows Server 2003 SP2 Domain Controller at a remote location. The
minute value on which this locked-account event repeats will only change
when we reboot the server. i.e., at the moment it's happening every hour at
43 minutes past the hour, but before we did a series of reboots trying to
troubleshoot this the account would get locked at every 18 minutes after the
hour.

This DC sits behind a Cisco PIX firewall/VPN device with the latest OS and
I've confirmed the only Internet connection allowed is outgoing UDP port 53.

This DC is an HP DL380 G3 with all the latest HP firmware and software
management updates as of last week and we are current on all Microsoft "High
Priority" updates.

On this specific DC in Computer Management I looked at the Services by
sorting by Log On As and found all services are set to logon as Local System
or Network Service. None are configured for a specific AD account. So I
believe the problem is not here.

I did a search of the registry for the AD account name and found numerous
entries but they were exclusively related to that account performing Windows
updates a few weeks ago. However the account password did change since those
updates were done, so that has me wondering if that has anything to do with
it.

I even went so far as to delete the profiles and all folders I could find
that were created by that account. And I uninstalled many applications which
were unnecessary to the functions of this server, and even uninstalled and
reinstalled some of the apps we did need. Later I logged on again as the
account and let it create a new profile hoping the DC would somehow
recognize the new password. And of course rebooted numerous times.

I also used Task Manager to watch all the processes "by all users" while the
event happened as the account was locked at 43 minutes past the hour, hoping
to hit the PrintScreen button the moment it appears. It never appeared.

I changed the Audit Policies to give more detailed information for security
event logging: Default Domain Policy | Computer Configuration | Windows
Settings | Security Settings | Local Policies | Audit Policies | set to
check for Success and Failures on all nine of the items in this subset. But
this did not provide any additional information that was useful.

I am considering changing the password back to what it had been to see if
the problem goes away, however since then we've implemented password
complexity so now that password is not allowed. So I would have to turn off
the password complexity again. And of course change that password everywhere
else it is used. Phew.

Please let me know if you know where else to look because at the moment I am
out of ideas.

Thanks!
-Bob

On Thursday, March 27, 2008 3:30 PM
Don Wilwol wrote:

What makes you sure the process using the account is actually on the DC? It
could be a scheduled event running elsewhere but authenticating to this
controller. Check other machines in the same AD site.

--
Hope it helps!

dw

----------------------------------------------
Don Wilwol
www.atthedatacenter.com




On Thursday, March 27, 2008 4:38 PM
just bob wrote:

Is that not what the event message below tells me?

Security: NT AUTHORITY\SYSTEM:
User Account Locked Out:
Target Account Name: MYDOMADM
Target Account ID: %{S-1-5-21-67914641-466965320-XXXXXXXX-XXXX}
Caller Machine Name: REMOTE1
Caller User Name: REMOTE1$
Caller Domain: MYDOMAIN
Caller Logon ID: (0x0,0x3E7)

In the example above the account getting locked is called "MYDOMADM". The
"Caller Machine Name" is REMOTE1, the DC getting the event message.
Normally when an account gets locked by a user trying a bad password too
many times I get this exact same message and the Target Account Name is the
user and the "Caller Machine Name" is the machine they tried to login to.
Similarly, if they try to access a network resource on a server with a bad
password too many times and lock the account, this event message will still
show the user's machine name, and not the machine they were trying to connect
to, IIRC.

I hope that makes sense but I wonder if I missed the point of your post.

Thanks,
-Bob
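
Added example, not part of the original posts: the lockout event text Bob quotes can be split into its fields and checked for the pattern he describes, the same account locked from the same caller at the same minute of each hour, with the minute shifting after a reboot. The timestamps, the SID and the JSMITH/WKS042 records are constructed sample data, and the (timestamp, message) export shape is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime

# Field labels exactly as they appear in the lockout event text quoted above.
FIELDS = ["Target Account Name", "Target Account ID", "Caller Machine Name",
          "Caller User Name", "Caller Domain", "Caller Logon ID"]
_LABEL = re.compile("(" + "|".join(re.escape(f) for f in FIELDS) + r"):\s*")


def parse_lockout(message):
    """Split the flattened event text into {label: value}."""
    parts = _LABEL.split(message)
    # parts = [preamble, label, value, label, value, ...]
    return {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}


def fixed_minute_runs(events, min_run=3):
    """Find runs of consecutive lockouts for one (account, caller) pair that
    all fall on the same minute past the hour.

    events: iterable of (timestamp 'YYYY-MM-DD HH:MM:SS', message) -- the
    export shape is an assumption. A change of minute (for example after a
    reboot) starts a new run instead of hiding the pattern.
    """
    by_pair = defaultdict(list)
    for stamp, message in events:
        f = parse_lockout(message)
        if "Target Account Name" not in f or "Caller Machine Name" not in f:
            continue  # not a lockout record
        pair = (f["Target Account Name"], f["Caller Machine Name"])
        by_pair[pair].append(datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"))

    runs = []
    for (account, caller), times in by_pair.items():
        times.sort()
        start = 0
        for i in range(1, len(times) + 1):
            # Close the current run at the end of data or when the minute changes.
            if i == len(times) or times[i].minute != times[start].minute:
                if i - start >= min_run:
                    runs.append({"account": account, "caller": caller,
                                 "minute": times[start].minute,
                                 "count": i - start,
                                 "first": times[start], "last": times[i - 1]})
                start = i
    return runs


# Constructed sample data following the layout of the event quoted above.
TEMPLATE = ("Security: NT AUTHORITY\\SYSTEM:\nUser Account Locked Out:\n"
            "Target Account Name: {acct} Target Account ID:\n"
            "%{{S-1-5-21-0-0-0-0000}}\n"
            "Caller Machine Name: {host} Caller User Name: {host}$ Caller Domain:\n"
            "MYDOMAIN Caller Logon ID: (0x0,0x3E7)")

SAMPLE = [
    ("2008-03-27 09:05:40", TEMPLATE.format(acct="JSMITH", host="WKS042")),
    ("2008-03-27 09:18:02", TEMPLATE.format(acct="MYDOMADM", host="REMOTE1")),
    ("2008-03-27 09:47:12", TEMPLATE.format(acct="JSMITH", host="WKS042")),
    ("2008-03-27 10:18:02", TEMPLATE.format(acct="MYDOMADM", host="REMOTE1")),
    ("2008-03-27 11:18:03", TEMPLATE.format(acct="MYDOMADM", host="REMOTE1")),
    # minute shifts, as after the reboots described in the post
    ("2008-03-27 12:43:10", TEMPLATE.format(acct="MYDOMADM", host="REMOTE1")),
    ("2008-03-27 13:43:10", TEMPLATE.format(acct="MYDOMADM", host="REMOTE1")),
    ("2008-03-27 14:43:11", TEMPLATE.format(acct="MYDOMADM", host="REMOTE1")),
]

if __name__ == "__main__":
    for run in fixed_minute_runs(SAMPLE):
        print("{account} locked from {caller} at :{minute:02d} "
              "x{count} ({first} .. {last})".format(**run))
```

Lockouts caused by a person mistyping a password do not line up on one minute, so JSMITH produces no run here.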


On Thursday, March 27, 2008 5:00 PM
Don Wilwol wrote:

Re: Hourly event locking account?
see if this helps
http://www.microsoft.com/downloads/d...displaylang=en


--
Hope it helps!

dw

----------------------------------------------
Don Wilwol
www.atthedatacenter.com




On Friday, March 28, 2008 12:00 AM
just bob wrote:

For whatever reason that adlockout.dll tool made my Ops Master go crazy with
services crashing. I had to remove it from the registry and reboot and now
everything is fine. I did however install it on the remote DC and waited for
the lockout to occur, which it did, however there was no reference to the
account in the lockout debug file. I'm lost! But tomorrow I will try to read
some more about the tools available.

-Bob

 
 
 
 
Meinolf Weber [MVP-DS]
01-06-2010
Hello Joe,

You are replying to a more than 1 year old posting, so better create your
own new one and use the Microsoft newsgroups directly with a newsreader instead.

Even if your problem sounds the same, a more detailed description about your
environment is helpful: how many DCs are in use, OS version and SP/patch
level etc.

Did you check your network with this article about Conficker:
http://support.microsoft.com/kb/962007

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm


 
Paul Bergson [MVP-DS]
01-06-2010
I agree with Meinolf, that you should start a new thread, but below are some
troubleshooting tips:

Is the account logged into more than one machine or is it running a service
on the same machine? A user could have mapped drives to a resource from one
machine, on a different machine he changes his password and then the first
machine attempts to stay mapped to a drive and the password is no longer
correct and eventually locks the user out. Or after a password is changed a
service is running that attempts to authenticate with an old password.

To help try and track down where the account is getting locked out use
eventcombMT.exe from the Account Lockout tools found on Microsoft's
website. Use the built-in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/d...displaylang=en


You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup. This
posting is provided "AS IS" with no warranties, and confers no rights.
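
Added example, not part of the original posts: once Netlogon debug logging is on, the log can be tallied to show which client sent the bad passwords for one account. The log lines below are constructed, modelled on the SamLogon entries Netlogon writes; the host names, including MAIL01 and ADMINPC, are hypothetical.

```python
import re
from collections import Counter

# NTSTATUS values of interest; c0000234 is the code quoted in the thread.
STATUS = {
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
}

# Layout assumed for a completed SamLogon entry:
#   MM/DD HH:MM:SS [LOGON] SamLogon: [Transitive ]<kind> logon of DOM\user
#   from CLIENT [(via SERVER)] Returns 0x........
# The client name can be blank on pass-through logons, so it is optional.
LINE = re.compile(
    r"^(?P<when>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: "
    r"(?:Transitive )?(?P<kind>\w+) logon of (?P<who>\S+) "
    r"from (?P<client>\S*?) ?(?:\(via (?P<via>[^)]+)\) )?"
    r"Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)


def failed_logon_sources(lines, account):
    """Count failed logons for `account`, keyed by (client, via, reason).

    'Entered' lines and successful logons are ignored; only wrong-password
    and locked-out results are tallied. Returns a list sorted by count.
    """
    tally = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # 'Entered' lines and unrelated entries
        status = int(m["status"], 16)
        if status not in STATUS:
            continue  # success or a status we are not tracking
        user = m["who"].rsplit("\\", 1)[-1]  # drop the DOMAIN\ prefix
        if user.lower() != account.lower():
            continue
        client = m["client"] or "(blank)"
        tally[(client, m["via"], STATUS[status])] += 1
    return tally.most_common()


# Constructed sample log, not taken from the thread.
SAMPLE_LOG = r"""
03/27 14:43:01 [LOGON] SamLogon: Network logon of MYDOMAIN\MYDOMADM from REMOTE1 Entered
03/27 14:43:01 [LOGON] SamLogon: Network logon of MYDOMAIN\MYDOMADM from REMOTE1 Returns 0xC000006A
03/27 14:43:02 [LOGON] SamLogon: Network logon of MYDOMAIN\MYDOMADM from REMOTE1 Returns 0xC000006A
03/27 14:43:03 [LOGON] SamLogon: Network logon of MYDOMAIN\MYDOMADM from REMOTE1 Returns 0xC000006A
03/27 14:43:04 [LOGON] SamLogon: Network logon of MYDOMAIN\MYDOMADM from REMOTE1 Returns 0xC0000234
03/27 14:50:10 [LOGON] SamLogon: Transitive Network logon of MYDOMAIN\MYDOMADM from  (via MAIL01) Returns 0xC000006A
03/27 14:51:30 [LOGON] SamLogon: Network logon of MYDOMAIN\JSMITH from WKS042 Returns 0xC000006A
03/27 15:02:44 [LOGON] SamLogon: Network logon of MYDOMAIN\MYDOMADM from ADMINPC Returns 0x0
""".strip().splitlines()

if __name__ == "__main__":
    for (client, via, reason), count in failed_logon_sources(SAMPLE_LOG, "MYDOMADM"):
        hop = " via " + via if via else ""
        print("{:>3}  {:<20} {}{}".format(count, reason, client, hop))
```

When the client column is blank, the "via" server is the next machine whose own logs need checking.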

<Joe Glim> wrote in message news:...
>I am having almost the exact same issues. LockoutStatus shows that a remote
>DC is thw "workstation" which is locking the account. I am getting event
>errors 675, Failure Code 0x12 which points to 127.0.0.1, and Event 539,
>Logon Type = 3(network logon) - where the workstation name IS the name of
>the domain controller (the event is being logged on the same DC as the
>supposed workstation), and Event 680, logon attempt by
>Microsoft_Authentication_Package_v1_0, error code c0000234 (too many login
>attempts). I think the 680 though is a red herring - I have seen it happen
>for other user id's and have not heard any issues.
>
> I checked the services,tasks, registry, etc, same as you and could not
> find any reference to the account in question. I had already changed the
> password back to what it was before this whole mess started, and that has
> not helped.
>
> This is a real stumper.
>
> Thx for any info!
>
> Joe
>
>
>
>
>
>
>
> just bob wrote:
>
> Hourly event locking account?
> 27-Mar-08
>
> Ever since we changed all passwords in our 2003 AD we've tracked down all
> the dependant services except one.
>
> According to the event logs a specific Domain Admin account is locked,
> every
> hour at the exact same minute and the source "Caller Machine Name" is
> always
> the same Windows Server 2003 SP2 Domain Controller at a remote location.
> The
> minute value on which this locked-account event repeats will only change
> when we reboot the server. i.e., at the moment it's happening every hour
> at
> 43 minutes past the hour, but before we did a series of reboots trying to
> troubleshoot this the account would get locked at every 18 minutes after
> the
> hour.
>
> This DC sits behind a Cisco PIX firewall/VPN device with the latest OS and
> I've confirmed the only Internet connection allowed is outgoing UDP port
> 53.
>
> This DC is an HP DL380 G3 will all the latest HP firmware and software
> management updates as of last week and we are current on all Microsoft
> "High
> Priority" updates.
>
> On this specific DC in Computer Management I looked at the Services by
> sorting by Log On As and found all services are set to logon as Local
> System
> or Network Service. None are configured for a specific AD account. So I
> believe the problem is not here.
>
> I did a search of the registry for the AD account name and found numerous
> entries but they were exclusively related to that account performing
> Windows
> updates a few weeks ago. However the account password did change since
> those
> updates were done, so that has me wondering if that has anything to do
> with
> it.
>
> I even went so far as to delete the profiles and all folders I could find
> that were created by that account. And I uninstalled many applications
> which
> were unnecessary to the functions of this server, and even uninstalled and
> reinstalled some of the apps we did need. Later I logged on again as the
> account and let it create a new profile hoping the DC would somehow
> recognize the new password. And of course rebooted numerous times.
>
> I also used Task Manager to watch all the processes "by all users" while
> the
> event happened as the account was locked at 43 minutes past the hour,
> hoping
> to hit the PrintScreen button the moment it appears. It never appeared.
>
> I changed the Audit Polices to give more detailed information for security
> event logging: Default Domain Policy | Computer Configuration | Windows
> Settings | Security Settings | Local Policies | Audit Policies | set to
> check for Success and Failures on all nine of the items in this subset.
> But
> this did not prove any additional information that was useful.
>
> I am considering changing the password back to what it had been to see if
> the problem goes away, however since then we've implemented password
> complexity so now that password is not allowed. So I would have to turn
> off
> the password complexity again. And of course change that password
> everywhere
> else it is used. Phew.
>
> Please let me know if you know where else to look because at the moment I
> am
> out of ideas.
>
> Thanks!
> -Bob
>
> Previous Posts In This Thread:
>
> On Thursday, March 27, 2008 2:06 PM
> just bob wrote:
>
> Hourly event locking account?
> Ever since we changed all passwords in our 2003 AD we've tracked down all
> the dependant services except one.
>
> According to the event logs a specific Domain Admin account is locked,
> every
> hour at the exact same minute and the source "Caller Machine Name" is
> always
> the same Windows Server 2003 SP2 Domain Controller at a remote location.
> The
> minute value on which this locked-account event repeats will only change
> when we reboot the server. i.e., at the moment it's happening every hour
> at
> 43 minutes past the hour, but before we did a series of reboots trying to
> troubleshoot this the account would get locked at every 18 minutes after
> the
> hour.
>
> This DC sits behind a Cisco PIX firewall/VPN device with the latest OS and
> I've confirmed the only Internet connection allowed is outgoing UDP port
> 53.
>
> This DC is an HP DL380 G3 will all the latest HP firmware and software
> management updates as of last week and we are current on all Microsoft
> "High
> Priority" updates.
>
> On this specific DC in Computer Management I looked at the Services by
> sorting by Log On As and found all services are set to logon as Local
> System
> or Network Service. None are configured for a specific AD account. So I
> believe the problem is not here.
>
> I did a search of the registry for the AD account name and found numerous
> entries but they were exclusively related to that account performing
> Windows
> updates a few weeks ago. However the account password did change since
> those
> updates were done, so that has me wondering if that has anything to do
> with
> it.
>
> I even went so far as to delete the profiles and all folders I could find
> that were created by that account. And I uninstalled many applications
> which
> were unnecessary to the functions of this server, and even uninstalled and
> reinstalled some of the apps we did need. Later I logged on again as the
> account and let it create a new profile hoping the DC would somehow
> recognize the new password. And of course rebooted numerous times.
>
> I also used Task Manager to watch all the processes "by all users" while
> the
> event happened as the account was locked at 43 minutes past the hour,
> hoping
> to hit the PrintScreen button the moment it appears. It never appeared.
>
> I changed the Audit Polices to give more detailed information for security
> event logging: Default Domain Policy | Computer Configuration | Windows
> Settings | Security Settings | Local Policies | Audit Policies | set to
> check for Success and Failures on all nine of the items in this subset.
> But
> this did not prove any additional information that was useful.
>
> I am considering changing the password back to what it had been to see if
> the problem goes away, however since then we've implemented password
> complexity so now that password is not allowed. So I would have to turn
> off
> the password complexity again. And of course change that password
> everywhere
> else it is used. Phew.
>
> Please let me know if you know where else to look because at the moment I
> am
> out of ideas.
>
> Thanks!
> -Bob
>
> On Thursday, March 27, 2008 3:30 PM
> Don Wilwol wrote:
>
> What make you sure the process using the account is actually on the DC.
> What make you sure the process using the account is actually on the DC. It
> could be a scheduled event running elsewhere but authenticating to this
> controller. Check other machines in the same AD site.
>
> --
> Hope it helps!
>
> dw
>
> ----------------------------------------------
> Don Wilwol
> www.atthedatacenter.com
>
>
>
> "just bob" <kilbyfan@aoldotcom> wrote in message
> news:...
>
> On Thursday, March 27, 2008 4:38 PM
> just bob wrote:
>
> Is that not what the event message below tells me?
> Is that not what the event message below tells me?
>
> Security: NT AUTHORITY\SYSTEM:
> User Account Locked Out:
> Target Account Name: MYDOMADM Target Account ID:
> %{S-1-5-21-67914641-466965320-XXXXXXXX-XXXX}
> Caller Machine Name: REMOTE1 Caller User Name: REMOTE1$ Caller Domain:
> MYDOMAIN Caller Logon ID: (0x0,0x3E7)
>
> In the example above the account getting locked is called "MYDOMADM". The
> "Caller Machine Name" is REMOTE1, the DC getting the event message..
> Normally when an account gets locked by a user trying a bad password too
> many times I get this exact same message and the Target Account Name is
> the
> user and the "Caller Machine Nname" is the machine they tried to login to.
> Simarly, if they try to access a network resource on a server with a bad
> password too many times and lock the account, this event mesage will still
> show the users machine name, and not the machine they were trying to
> connect
> to, IIRC.
>
> I hope that makes sense but I wonder if I missed the point of your post.
>
> Thanks,
> -Bob
>
> "Don Wilwol" <donWilwol@(EMAIL)yahoo.com> wrote in message
> news:%...
>
> On Thursday, March 27, 2008 5:00 PM
> Don Wilwol wrote:
>
> Re: Hourly event locking account?
> see if this helps
> http://www.microsoft.com/downloads/d...displaylang=en
>
>
> --
> Hope it helps!
>
> dw
>
> ----------------------------------------------
> Don Wilwol
> www.atthedatacenter.com
>
>
>
> "just bob" <kilbyfan@aoldotcom> wrote in message
> news:...
>
> On Friday, March 28, 2008 12:00 AM
> just bob wrote:
>
> For whatever reason that adlockout.dll tool made my Ops Master go crazy with
> services crashing. I had to remove it from the registry and reboot and now
> everything is fine. I did however install it on the remote DC and waited for
> the lockout to occur, which it did, however there was no reference to the
> account in the lockout debug file. I'm lost! But tomorrow I will try to read
> some more about the tools available.
>
> -Bob
>
> "Don Wilwol" <donWilwol@(EMAIL)yahoo.com> wrote in message
> news:%...
>
>



 
Reply With Quote
 
Joe Glim
Guest
Posts: n/a

 
      01-07-2010
OK, this was a tough one, but Netlogon debugging assisted in tracking it down. For some reason, in DHCP Administrator, under properties, where the Update DNS dynamically is configured, there is a credentials button. I don't remember doing it, but my domain user id was listed as the credential to use. As soon as I typed over the password with what I had changed it to in AD, the lockout problem vanished.

First time I've ever seen this one.

Glad it's over.

Thanks for the suggestions and brain power expended.

Have a good evening.

Joe



Paul Bergson [MVP-DS] wrote:

06-Jan-10

I agree with Meinolf, that you should start a new thread, but below are some
troubleshooting tips:

Is the account logged into more than one machine or is it running a service
on the same machine? A user could have mapped drives to a resource from one
machine, on a different machine he changes his password and then the first
machine attempts to stay mapped to a drive and the password is no longer
correct and eventually locks the user out. Or after a password is changed a
service is running that attempts to authenticate with an old password.

To help try and track down where the account is getting locked out use
eventcombMT.exe from the Account Lockout tools found on Microsoft's
website. Use the built in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/d...&displaylang=en

You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 
Reply With Quote
 
Ace Fekay [MVP-DS, MCT]
Guest
Posts: n/a

 
      01-07-2010
"Joe Glim" wrote in message news:...

> OK, this was a tough one, but Netlogon debugging assisted in tracking it
> down. For some reason, in DHCP Administrator, under properties, where the
> Update DNS dynamically is configured, there is a credentials button. I
> don't remember doing it, but my domain user id was listed as the
> credential to use. As soon as I typed over the password with what I had
> changed it to in AD, the lockout problem vanished.
>
> First time I've ever seen this one.
>
> Glad it's over.
>
> Thanks for the suggestions and brain power expended.
>
> Have a good evening.
>
> Joe
>


For DHCP credentials, it is advised to use a separate non-domain admin
account, with a strong password. I would suggest to name it with something
more appropriate, such as DhcpCredentials, this way you know what the
account is for. There is no reason to use your account, and I assume that
your account is a domain admin account, which is not necessary, and can be a
security risk with an additional admin account floating around.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.


 
Reply With Quote
 
Paul Bergson [MVP-DS]
Guest
Posts: n/a

 
      01-07-2010
Agree

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

"Ace Fekay [MVP-DS, MCT]" <> wrote in message
news:...
> "Joe Glim" wrote in message news:...
>
>> OK, this was a tough one, but Netlogon debugging assisted in tracking it
>> down. For some reason, in DHCP Administrator, under properties, where the
>> Update DNS dynamically is configured, there is a credentials button. I
>> don't remember doing it, but my domain user id was listed as the
>> credential to use. As soon as I typed over the password with what I had
>> changed it to in AD, the lockout problem vanished.
>>
>> First time I've ever seen this one.
>>
>> Glad it's over.
>>
>> Thanks for the suggestions and brain power expended.
>>
>> Have a good evening.
>>
>> Joe
>>

>
> For DHCP credentials, it is advised to use a separate non-domain admin
> account, with a strong password. I would suggest to name it with something
> more appropriate, such as DhcpCredentials, this way you know what the
> account is for. There is no reason to use your account, and I assume that
> your account is a domain admin account, which is not necessary, and can be
> a security risk with an additional admin account floating around.
>
> --
> Ace
>
> This posting is provided "AS-IS" with no warranties or guarantees and
> confers no rights.
>
> Please reply back to the newsgroup or forum for collaboration benefit
> among responding engineers, and to help others benefit from your
> resolution.
>
> Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
> MCSA 2003/2000, MCSA Messaging 2003
> Microsoft Certified Trainer
> Microsoft MVP - Directory Services
>
> If you feel this is an urgent issue and require immediate assistance,
> please contact Microsoft PSS directly. Please check
> http://support.microsoft.com for regional support phone numbers.
>



 
Reply With Quote
 
Jorge Silva
Guest
Posts: n/a

 
      01-11-2010
Hi
You should use a regular service account for that purpose; generally an
account with a non-expiring password is created for that.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.




"Joe Glim" wrote in message news:...
> OK, this was a tough one, but Netlogon debugging assisted in tracking it
> down. For some reason, in DHCP Administrator, under properties, where the
> Update DNS dynamically is configured, there is a credentials button. I
> don't remember doing it, but my domain user id was listed as the
> credential to use. As soon as I typed over the password with what I had
> changed it to in AD, the lockout problem vanished.
>
> First time I've ever seen this one.
>
> Glad it's over.
>
> Thanks for the suggestions and brain power expended.
>
> Have a good evening.
>
> Joe
>
>
>
> Paul Bergson [MVP-DS] wrote:
>
> 06-Jan-10
>
> I agree with Meinolf, that you should start a new thread, but below are some
> troubleshooting tips:
>
> Is the account logged into more than one machine or is it running a service
> on the same machine? A user could have mapped drives to a resource from one
> machine, on a different machine he changes his password and then the first
> machine attempts to stay mapped to a drive and the password is no longer
> correct and eventually locks the user out. Or after a password is changed a
> service is running that attempts to authenticate with an old password.
>
> To help try and track down where the account is getting locked out use
> eventcombMT.exe from the Account Lockout tools found on Microsoft's
> website. Use the built in search AccountLockouts and search in the created
> text files for the user in question.
>
> http://www.microsoft.com/downloads/d...displaylang=en
>
>
> You can also set the debug flag on NetLogon to track authentication. "This
> creates a text file on the PDC that can be examined to determine which
> clients are generating the bad password attempts."
> http://support.microsoft.com/kb/189541
> http://support.microsoft.com/kb/109626
>
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
> Microsoft's Thrive IT Pro of the Month - June 2009
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup This
> posting is provided "AS IS" with no warranties, and confers no rights.
>


 
Reply With Quote
 
 
 