AD accounts randomly locking on 1st login attempt

Discussion in 'Active Directory' started by Mike G, May 22, 2008.

  1. Mike G

    Mike G Guest

    I have several users that may or may not have an issue when they log into
    their laptops using their AD accounts. On the first attempt the user will
    get an error that the password/username they entered is incorrect. On the
    second attempt they be notified their account is locked. This is not
    happening for all users, only certain ones at random. I have verified the
    lockout policy is set for 3 attempts. When i looked at one of the user's
    security event logs I noticed the following 3 events:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 05/20/2008
    Time: 6:10:02 AM
    User: NT AUTHORITY\SYSTEM
    Computer: LAP-41614
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Smithj
    Domain: ENTERPRISE
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: LAP-41614

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 05/20/2008
    Time: 6:10:02 AM
    User: NT AUTHORITY\SYSTEM
    Computer: LAP-41614
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Smithj
    Domain: ENTERPRISE
    Logon Type: 11
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: LAP-41614

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 05/20/2008
    Time: 6:10:02 AM
    User: NT AUTHORITY\SYSTEM
    Computer: LAP-41614
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Smithj
    Domain: ENTERPRISE
    Logon Type: 2
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: LAP-41614

    I pasted these in chronological order as displayed the the event viewer.
    The next event reports the account is locked. Notice that these 3 all
    occured at the same time. I did some research into the logon processes
    mentioned and found that Advapi (not to be confused with Advapi32) could be
    spyware and thus the cause. However, I am sure the Advapi mentioned is legit
    as I checked several other PCs w/ no issues and found this same process
    mentioned in those security event logs. Also this laptop in question is one
    that was built and deployed to the user less than a day prior so, it is hard
    to believe they went somewhere and got it. I also checked the user32 logon
    process and found user32.exe is a known trojan. I scanned the laptop but
    could not find any traces of it. Also like I mentioned prior, this is a
    recently built laptop and it is hard to believe it is a trojan. I am certain
    the user32 listed is actually user32.dll which appears to be a legit dll.

    I checked several other users with these issues and found when their account
    locked the security event log reported the same events. I checked on the
    error listed event IDs and found ID 529 indicates the user tried to log in
    with an unknown account (duh) or bad password (double duh,) but it doesn't
    make any sense why windows is trying to log in 3 times on it's own in
    succession.

    All users are running XP Pro. I've verified the users have all the current
    windows patches to date, including SP3. I've tried having them try with and
    without a docking station, but none have worked. Does anyone have any
    suggestion on what else to try? I've been banging my head against the wall
    for a few weeks w/ no success.

    Thanks.
     
    Mike G, May 22, 2008
    #1
    1. Advertisements

  2. Mike G

    Jorge Silva Guest

    Hi
    Check if these accounts are being used in other sessions or services with
    old PWs.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, May 22, 2008
    #2
    1. Advertisements

  3. Is the account logged into more than one machine or is it running a service
    on the same machine? A user could have mapped drives to a resource from one
    machine, on a different machine he changes his password and then the first
    machine attempts to stay mapped to a drive and the password is no longer
    correct and eventually locks the user out. Or after a password is changed a
    service is running that attempts to authenticate with an old password.

    To help try and track down where the account is getting locked out use
    eventcombMT.exe from the Account Lockout tools found out Microsoft's
    website. Use the built in search AccountLockouts and search in the created
    text files for the user in question.

    http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


    You can also set the debug flag on NetLogon to track authentication. "This
    creates a text file on the PDC that can be examined to determine which
    clients are generating the bad password attempts."
    http://support.microsoft.com/kb/189541
    http://support.microsoft.com/kb/109626
     
    Paul Bergson [MVP-DS], May 22, 2008
    #3
  4. Mike G

    Mike G Guest

    Thanks for responding.

    The users are only and have been logging into one machine at a time (their
    own.) They have several mapped network drives, and access to them relies on
    their one and only AD account. To be even more specific, any network
    resource a user accesses is governed by one AD account per user and are all
    on the same domain. Some users may have reset their AD password due to it
    expiring because of the password policies, but all have logged off and cold
    booted their machines at some point since then.

    I tried using eventcombMT.exe but when searching, it is resolving the DCs
    but the search contents are not reporting any events. For this to work am I
    right in assuming debugging for NETLOGON on each DC needs to be active?

    I will try to install alockout.dll to see if it will tell me what
    authentication attempts the machine is making when the user fails to enter
    their password correctly. Other than that are you aware of any other ways to
    see what the PC is doing during a logon attempt. As previously mentioned,
    when the user enters their password wrong on the 1st try after booting, the
    event log of the user's machine shows 3 failed attempts to log on for their
    actual one. Unfortunately the logs do not mention why they are doing it.

    Thanks,
    Mike
     
    Mike G, May 24, 2008
    #4
  5. Mike G

    Jorge Silva Guest

    What is the threshold before lock the PW? 3 sounds small, increase it for
    15/20 to avoid unnecessary pw locks.


    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services
     
    Jorge Silva, May 26, 2008
    #5
  6. If there is only 1 attempt and it is locking out, there is something else
    going on. I can't tell you what but it has to be a service or a scheduled
    job, etc... I have used the eventcomb many times and it has always helped
    in tracking this down. I don't have much else for you, other than make sure
    you are pointing it to all of your dc's it will search more than one at a
    time.
     
    Paul Bergson [MVP-DS], May 27, 2008
    #6
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.