Did you ever find out what was locking the account?

I am having almost the exact same issues. LockoutStatus shows that a remote DC is thw "workstation" which is locking the account. I am getting event errors 675, Failure Code 0x12 which points to 127.0.0.1, and Event 539, Logon Type = 3(network logon) - where the workstation name IS the name of the domain controller (the event is being logged on the same DC as the supposed workstation), and Event 680, logon attempt by Microsoft_Authentication_Package_v1_0, error code c0000234 (too many login attempts). I think the 680 though is a red herring - I have seen it happen for other user id's and have not heard any issues.

I checked the services,tasks, registry, etc, same as you and could not find any reference to the account in question. I had already changed the password back to what it was before this whole mess started, and that has not helped.

This is a real stumper.

Thx for any info!

Joe







just bob wrote:

Hourly event locking account?
27-Mar-08

Ever since we changed all passwords in our 2003 AD we've tracked down all
the dependant services except one

According to the event logs a specific Domain Admin account is locked, every
hour at the exact same minute and the source "Caller Machine Name" is always
the same Windows Server 2003 SP2 Domain Controller at a remote location. The
minute value on which this locked-account event repeats will only change
when we reboot the server. i.e., at the moment it's happening every hour at
43 minutes past the hour, but before we did a series of reboots trying to
troubleshoot this the account would get locked at every 18 minutes after the
hour

This DC sits behind a Cisco PIX firewall/VPN device with the latest OS and
I've confirmed the only Internet connection allowed is outgoing UDP port 53

This DC is an HP DL380 G3 will all the latest HP firmware and software
management updates as of last week and we are current on all Microsoft "High
Priority" updates

On this specific DC in Computer Management I looked at the Services by
sorting by Log On As and found all services are set to logon as Local System
or Network Service. None are configured for a specific AD account. So I
believe the problem is not here

I did a search of the registry for the AD account name and found numerous
entries but they were exclusively related to that account performing Windows
updates a few weeks ago. However the account password did change since those
updates were done, so that has me wondering if that has anything to do with
it

I even went so far as to delete the profiles and all folders I could find
that were created by that account. And I uninstalled many applications which
were unnecessary to the functions of this server, and even uninstalled and
reinstalled some of the apps we did need. Later I logged on again as the
account and let it create a new profile hoping the DC would somehow
recognize the new password. And of course rebooted numerous times

I also used Task Manager to watch all the processes "by all users" while the
event happened as the account was locked at 43 minutes past the hour, hoping
to hit the PrintScreen button the moment it appears. It never appeared

I changed the Audit Polices to give more detailed information for security
event logging: Default Domain Policy | Computer Configuration | Windows
Settings | Security Settings | Local Policies | Audit Policies | set to
check for Success and Failures on all nine of the items in this subset. But
this did not prove any additional information that was useful

I am considering changing the password back to what it had been to see if
the problem goes away, however since then we've implemented password
complexity so now that password is not allowed. So I would have to turn off
the password complexity again. And of course change that password everywhere
else it is used. Phew

Please let me know if you know where else to look because at the moment I am
out of ideas

Thanks
-Bob

Previous Posts In This Thread:

Hourly event locking account?
Ever since we changed all passwords in our 2003 AD we've tracked down all
the dependant services except one.

According to the event logs a specific Domain Admin account is locked, every
hour at the exact same minute and the source "Caller Machine Name" is always
the same Windows Server 2003 SP2 Domain Controller at a remote location. The
minute value on which this locked-account event repeats will only change
when we reboot the server. i.e., at the moment it's happening every hour at
43 minutes past the hour, but before we did a series of reboots trying to
troubleshoot this the account would get locked at every 18 minutes after the
hour.

This DC sits behind a Cisco PIX firewall/VPN device with the latest OS and
I've confirmed the only Internet connection allowed is outgoing UDP port 53.

This DC is an HP DL380 G3 will all the latest HP firmware and software
management updates as of last week and we are current on all Microsoft "High
Priority" updates.

On this specific DC in Computer Management I looked at the Services by
sorting by Log On As and found all services are set to logon as Local System
or Network Service. None are configured for a specific AD account. So I
believe the problem is not here.

I did a search of the registry for the AD account name and found numerous
entries but they were exclusively related to that account performing Windows
updates a few weeks ago. However the account password did change since those
updates were done, so that has me wondering if that has anything to do with
it.

I even went so far as to delete the profiles and all folders I could find
that were created by that account. And I uninstalled many applications which
were unnecessary to the functions of this server, and even uninstalled and
reinstalled some of the apps we did need. Later I logged on again as the
account and let it create a new profile hoping the DC would somehow
recognize the new password. And of course rebooted numerous times.

I also used Task Manager to watch all the processes "by all users" while the
event happened as the account was locked at 43 minutes past the hour, hoping
to hit the PrintScreen button the moment it appears. It never appeared.

I changed the Audit Polices to give more detailed information for security
event logging: Default Domain Policy | Computer Configuration | Windows
Settings | Security Settings | Local Policies | Audit Policies | set to
check for Success and Failures on all nine of the items in this subset. But
this did not prove any additional information that was useful.

I am considering changing the password back to what it had been to see if
the problem goes away, however since then we've implemented password
complexity so now that password is not allowed. So I would have to turn off
the password complexity again. And of course change that password everywhere
else it is used. Phew.

Please let me know if you know where else to look because at the moment I am
out of ideas.

Thanks!
-Bob

What make you sure the process using the account is actually on the DC.
What make you sure the process using the account is actually on the DC. It
could be a scheduled event running elsewhere but authenticating to this
controller. Check other machines in the same AD site.

--
Hope it helps!

dw

----------------------------------------------
Don Wilwol
www.atthedatacenter.com




Is that not what the event message below tells me?
Is that not what the event message below tells me?

Security: NT AUTHORITY\SYSTEM:
User Account Locked Out:
Target Account Name: MYDOMADM Target Account ID:
%{S-1-5-21-67914641-466965320-XXXXXXXX-XXXX}
Caller Machine Name: REMOTE1 Caller User Name: REMOTE1$ Caller Domain:
MYDOMAIN Caller Logon ID: (0x0,0x3E7)

In the example above the account getting locked is called "MYDOMADM". The
"Caller Machine Name" is REMOTE1, the DC getting the event message..
Normally when an account gets locked by a user trying a bad password too
many times I get this exact same message and the Target Account Name is the
user and the "Caller Machine Nname" is the machine they tried to login to.
Simarly, if they try to access a network resource on a server with a bad
password too many times and lock the account, this event mesage will still
show the users machine name, and not the machine they were trying to connect
to, IIRC.

I hope that makes sense but I wonder if I missed the point of your post.

Thanks,
-Bob


Re: Hourly event locking account?
see if this helps
http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


--
Hope it helps!

dw

----------------------------------------------
Don Wilwol
www.atthedatacenter.com




For whatever reason that adlockout.
For whatever reason that adlockout.dll tool made my Ops Master go crazy with
services crashing. I had to remove it from the registry and reboot and now
everything is fine. I did however install it on the remote DC and waited for
the lockout to occur, which it did, however there was no reference to the
account in the lockout debug file. I'm lost! But tomorrow I will try to read
some more about the tools available.

-Bob



Submitted via EggHeadCafe - Software Developer Portal of Choice
Developing Applications With Visual Studio.NET
http://www.eggheadcafe.com/tutorial...d-cd5e366a4ce3/developing-applications-w.aspx

 

Hello Joe,

You are replying to a more then 1 year old posting, so better create your
own new one use the microsoft newsgroups directly with a newsreader instead.

Even if your problem sounds the same a more detailed description about your
environment is helpful, how many DCs are in use, OS version and SP/patch
level etc.

Do you check your network with this article about conficker:
http://support.microsoft.com/kb/962007

Best regards

Meinolf Weber

 

I agree with Meinolf, that you should start a new thread, but below are some
troubleshooting tips:

Is the account logged into more than one machine or is it running a service
on the same machine? A user could have mapped drives to a resource from one
machine, on a different machine he changes his password and then the first
machine attempts to stay mapped to a drive and the password is no longer
correct and eventually locks the user out. Or after a password is changed a
service is running that attempts to authenticate with an old password.

To help try and track down where the account is getting locked out use
eventcombMT.exe from the Account Lockout tools found out Microsoft's
website. Use the built in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626


--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

OK, this was a tough one, but Netlogon debugging assisted in tracking it down. For some reason, in DHCP Administrator, under properties, where the Update DNS dynamically is confgiured, there is a credentials button. I don't remember doing it, but my domain user id was listed as the credential to use. As soon as I typed over the password with what I had changed it to in AD, the lockout problem vanished.

First time I've ever seen this one.

Glad it's over.

Thanks for the suggestions and brain powered expended.

Have a good evening.

Joe



Paul Bergson [MVP-DS] wrote:

I agree with Meinolf, that you should start a new thread, but below are
06-Jan-10

I agree with Meinolf, that you should start a new thread, but below are som
troubleshooting tips

Is the account logged into more than one machine or is it running a servic
on the same machine? A user could have mapped drives to a resource from on
machine, on a different machine he changes his password and then the firs
machine attempts to stay mapped to a drive and the password is no longe
correct and eventually locks the user out. Or after a password is changed
service is running that attempts to authenticate with an old password

To help try and track down where the account is getting locked out us
eventcombMT.exe from the Account Lockout tools found out Microsoft'
website. Use the built in search AccountLockouts and search in the create
text files for the user in question

http://www.microsoft.com/downloads/...69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=e

You can also set the debug flag on NetLogon to track authentication. "Thi
creates a text file on the PDC that can be examined to determine whic
clients are generating the bad password attempts.
http://support.microsoft.com/kb/18954
http://support.microsoft.com/kb/10962

-
Paul Bergso
MVP - Directory Service
MCTS, MCT, MCSE, MCSA, Security+, BS CSc
2008, 2003, 2000 (Early Achiever), NT
Microsoft's Thrive IT Pro of the Month - June 200

http://www.pbbergs.co

Please no e-mails, any questions should be posted in the NewsGroup Thi
posting is provided "AS IS" with no warranties, and confers no rights.

Previous Posts In This Thread:


Submitted via EggHeadCafe - Software Developer Portal of Choice
ASP/VBScript Timer Class
http://www.eggheadcafe.com/tutorial...7e2-ad365eda71c7/aspvbscript-timer-class.aspx

 

For DHCP credentials, it is advised to use a separate non-domain admin
account, with a strong password. I would suggest to name it with something
more appropriate, such as DhcpCredentials, this way you know what the
account is for. There is no reason to use your account, and I assume that
your account is a domain admin account, which is not necessary, and can be a
security risk with an additional admin account floating around.

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Please reply back to the newsgroup or forum for collaboration benefit among
responding engineers, and to help others benefit from your resolution.

Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP - Directory Services

If you feel this is an urgent issue and require immediate assistance, please
contact Microsoft PSS directly. Please check http://support.microsoft.com
for regional support phone numbers.

 

Agree

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4
Microsoft's Thrive IT Pro of the Month - June 2009

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup This
posting is provided "AS IS" with no warranties, and confers no rights.

 

Hi
You should use a regular service account for that purpose, generally is
created an account with non-expiring password for that.

--

I hope that the information above helps you.
Have a Nice day.

Jorge Silva
MVP Directory Services

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.