Did you ever find out what was locking the account?

Discussion in 'Active Directory' started by Joe Glim, Jan 6, 2010.

  1. Joe Glim

    Joe Glim Guest

    I am having almost the exact same issues. LockoutStatus shows that a remote DC is the "workstation" which is locking the account. I am getting event errors 675, Failure Code 0x12 which points to 127.0.0.1, and Event 539, Logon Type = 3 (network logon) - where the workstation name IS the name of the domain controller (the event is being logged on the same DC as the supposed workstation), and Event 680, logon attempt by Microsoft_Authentication_Package_v1_0, error code c0000234 (too many login attempts). I think the 680 though is a red herring - I have seen it happen for other user IDs and have not heard any issues.

    I checked the services, tasks, registry, etc., same as you and could not find any reference to the account in question. I had already changed the password back to what it was before this whole mess started, and that has not helped.

    This is a real stumper.

    Thx for any info!

    Joe







    just bob wrote:

    Hourly event locking account?
    27-Mar-08

    Ever since we changed all passwords in our 2003 AD we've tracked down all
    the dependent services except one.

    According to the event logs a specific Domain Admin account is locked, every
    hour at the exact same minute and the source "Caller Machine Name" is always
    the same Windows Server 2003 SP2 Domain Controller at a remote location. The
    minute value on which this locked-account event repeats will only change
    when we reboot the server. i.e., at the moment it's happening every hour at
    43 minutes past the hour, but before we did a series of reboots trying to
    troubleshoot this the account would get locked at every 18 minutes after the
    hour.

    This DC sits behind a Cisco PIX firewall/VPN device with the latest OS and
    I've confirmed the only Internet connection allowed is outgoing UDP port 53.

    This DC is an HP DL380 G3 with all the latest HP firmware and software
    management updates as of last week and we are current on all Microsoft "High
    Priority" updates.

    On this specific DC in Computer Management I looked at the Services by
    sorting by Log On As and found all services are set to log on as Local System
    or Network Service. None are configured for a specific AD account. So I
    believe the problem is not here.

    I did a search of the registry for the AD account name and found numerous
    entries but they were exclusively related to that account performing Windows
    updates a few weeks ago. However the account password did change since those
    updates were done, so that has me wondering if that has anything to do with
    it.

    I even went so far as to delete the profiles and all folders I could find
    that were created by that account. And I uninstalled many applications which
    were unnecessary to the functions of this server, and even uninstalled and
    reinstalled some of the apps we did need. Later I logged on again as the
    account and let it create a new profile hoping the DC would somehow
    recognize the new password. And of course rebooted numerous times.

    I also used Task Manager to watch all the processes "by all users" while the
    event happened as the account was locked at 43 minutes past the hour, hoping
    to hit the PrintScreen button the moment it appears. It never appeared.

    I changed the Audit Policies to give more detailed information for security
    event logging: Default Domain Policy | Computer Configuration | Windows
    Settings | Security Settings | Local Policies | Audit Policies | set to
    check for Success and Failures on all nine of the items in this subset. But
    this did not provide any additional information that was useful.

    I am considering changing the password back to what it had been to see if
    the problem goes away, however since then we've implemented password
    complexity so now that password is not allowed. So I would have to turn off
    the password complexity again. And of course change that password everywhere
    else it is used. Phew.

    Please let me know if you know where else to look because at the moment I am
    out of ideas.

    Thanks
    -Bob

    Previous Posts In This Thread:


    What makes you sure the process using the account is actually on the DC? It
    could be a scheduled event running elsewhere but authenticating to this
    controller. Check other machines in the same AD site.

    --
    Hope it helps!

    dw

    ----------------------------------------------
    Don Wilwol
    www.atthedatacenter.com




    Is that not what the event message below tells me?

    Security: NT AUTHORITY\SYSTEM:
    User Account Locked Out:
    Target Account Name: MYDOMADM Target Account ID:
    %{S-1-5-21-67914641-466965320-XXXXXXXX-XXXX}
    Caller Machine Name: REMOTE1 Caller User Name: REMOTE1$ Caller Domain:
    MYDOMAIN Caller Logon ID: (0x0,0x3E7)

    In the example above the account getting locked is called "MYDOMADM". The
    "Caller Machine Name" is REMOTE1, the DC getting the event message.
    Normally when an account gets locked by a user trying a bad password too
    many times I get this exact same message and the Target Account Name is the
    user and the "Caller Machine Name" is the machine they tried to log in to.
    Similarly, if they try to access a network resource on a server with a bad
    password too many times and lock the account, this event message will still
    show the user's machine name, and not the machine they were trying to connect
    to, IIRC.

    I hope that makes sense but I wonder if I missed the point of your post.

    Thanks,
    -Bob


    Re: Hourly event locking account?
    see if this helps
    http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


    --
    Hope it helps!

    dw

    ----------------------------------------------
    Don Wilwol
    www.atthedatacenter.com




    For whatever reason that adlockout.dll tool made my Ops Master go crazy with
    services crashing. I had to remove it from the registry and reboot and now
    everything is fine. I did however install it on the remote DC and waited for
    the lockout to occur, which it did, however there was no reference to the
    account in the lockout debug file. I'm lost! But tomorrow I will try to read
    some more about the tools available.

    -Bob



    Joe Glim, Jan 6, 2010
    #1

  2. Hello Joe,

    You are replying to a more than 1 year old posting, so better create your
    own new one, and use the Microsoft newsgroups directly with a newsreader instead.

    Even if your problem sounds the same a more detailed description about your
    environment is helpful, how many DCs are in use, OS version and SP/patch
    level etc.

    Did you check your network with this article about Conficker:
    http://support.microsoft.com/kb/962007

    Best regards

    Meinolf Weber
     
    Meinolf Weber [MVP-DS], Jan 6, 2010
    #2

  3. I agree with Meinolf, that you should start a new thread, but below are some
    troubleshooting tips:

    Is the account logged into more than one machine or is it running a service
    on the same machine? A user could have mapped drives to a resource from one
    machine, on a different machine he changes his password and then the first
    machine attempts to stay mapped to a drive and the password is no longer
    correct and eventually locks the user out. Or after a password is changed a
    service is running that attempts to authenticate with an old password.

    To help try and track down where the account is getting locked out use
    eventcombMT.exe from the Account Lockout tools found on Microsoft's
    website. Use the built-in search AccountLockouts and search in the created
    text files for the user in question.

    http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en


    You can also set the debug flag on NetLogon to track authentication. "This
    creates a text file on the PDC that can be examined to determine which
    clients are generating the bad password attempts."
    http://support.microsoft.com/kb/189541
    http://support.microsoft.com/kb/109626


    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Jan 6, 2010
    #3
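    Paul's Netlogon debug tip is what located Joe's culprit. The PowerShell below is an added example (not code from the thread, from Microsoft's lockout tools, or from the KB articles) that parses the SamLogon lines of netlogon.log for one account and groups the bad-password attempts by originating client; the lockout event only names the DC, while the log's "from X (via DC)" form names the machine that actually sent the bad password. The account name MYDOMADM and the sample log lines are assumed/constructed.

```powershell
# Added example (not from the thread): find the real source of bad-password attempts
# against one account by parsing the Netlogon debug log that Paul's KB links describe.
# Enable the log on the DC named as "Caller Machine Name" with:  nltest /dbflag:0x2080ffff
# It is written to %windir%\debug\netlogon.log; turn it off again with  nltest /dbflag:0x0
function Get-NetlogonBadPasswords {
    param([string[]]$Lines, [string]$Account)
    # NTSTATUS codes that appear after "Returns" in SamLogon lines
    $status = @{ '0xC000006A' = 'WRONG_PASSWORD'
                 '0xC0000234' = 'ACCOUNT_LOCKED_OUT'
                 '0xC0000064' = 'NO_SUCH_USER' }
    # One "Returns" line per authentication; the matching "Entered" line is ignored.
    # "(via X)" is present when another DC forwarded the request; the originating
    # client is the "from" name, which the lockout event itself does not show.
    $pattern = '^(?<stamp>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[LOGON\] (?:\[\d+\] )?\S+: SamLogon: ' +
               '.+? logon of (?<user>\S+) from (?<client>\S+)(?: \(via (?<via>\S+)\))? ' +
               'Returns (?<code>0x[0-9A-Fa-f]+)$'
    foreach ($line in $Lines) {
        if (-not ($line -match $pattern)) { continue }
        $m = $Matches
        # user is DOMAIN\name; compare only the account part, case-insensitively
        if ($m['user'].Split('\')[-1] -ine $Account) { continue }
        $result = $status[$m['code']]
        if (-not $result) { $result = $m['code'] }
        New-Object PSObject -Property @{
            Time = $m['stamp']; Source = $m['client']; Via = $m['via']; Result = $result
        }
    }
}

# Constructed sample in netlogon.log format (not real data), used when no log is present.
$sample = @(
    '03/27 10:43:00 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\MYDOMADM from REMOTE1 Entered',
    '03/27 10:43:00 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\MYDOMADM from REMOTE1 Returns 0xC000006A',
    '03/27 10:43:01 [LOGON] MYDOMAIN: SamLogon: Transitive Network logon of MYDOMAIN\MYDOMADM from WKSTN07 (via REMOTE1) Returns 0xC000006A',
    '03/27 10:43:05 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\MYDOMADM from REMOTE1 Returns 0xC0000234',
    '03/27 10:44:10 [LOGON] MYDOMAIN: SamLogon: Network logon of MYDOMAIN\jsmith from WKSTN02 Returns 0x0'
)
$logPath = Join-Path $env:windir 'debug\netlogon.log'
$lines = if (Test-Path $logPath) { Get-Content -Path $logPath } else { $sample }

# Count bad-password attempts per originating client. The DC's own name as Source
# means the stale credential lives on the DC itself (service, task, DHCP DNS credentials).
Get-NetlogonBadPasswords -Lines $lines -Account 'MYDOMADM' |
    Where-Object { $_.Result -eq 'WRONG_PASSWORD' } |
    Group-Object Source |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```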
  4. Joe Glim

    Joe Glim Guest

    OK, this was a tough one, but Netlogon debugging assisted in tracking it down. For some reason, in DHCP Administrator, under properties, where the Update DNS dynamically is configured, there is a credentials button. I don't remember doing it, but my domain user ID was listed as the credential to use. As soon as I typed over the password with what I had changed it to in AD, the lockout problem vanished.

    First time I've ever seen this one.

    Glad it's over.

    Thanks for the suggestions and brain power expended.

    Have a good evening.

    Joe



    Joe Glim, Jan 7, 2010
    #4
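    The DHCP dynamic DNS update credentials Joe found are one of several places a stale password can hide on a server, and the thread shows each being checked by hand. The PowerShell below is an added example (not from the thread) that checks services, scheduled tasks, the DHCP DNS credentials and Credential Manager on the local machine for a given account name, so the sweep can be repeated on every server the Netlogon log points at. The account name MYDOMADM is assumed, and the netsh and cmdkey outputs are matched as plain text because their exact layout differs between Windows versions.

```powershell
# Added example (not from the thread): list the places on this server where a given
# account name is configured as a stored credential, including the DHCP dynamic DNS
# update credentials that turned out to be the source in Joe's case. Run elevated on
# the DC named as "Caller Machine Name" (or on the client found in netlogon.log).
param([string]$Account = 'MYDOMADM')   # account name from the thread; assumed

function Find-StoredAccountUse {
    param([string]$Account)
    $pattern = [regex]::Escape($Account)

    # 1. Services: the "Log On As" identity (what Bob and Joe checked by hand)
    Get-WmiObject -Class Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        ForEach-Object { New-Object PSObject -Property @{ Where = 'Service'; Name = $_.Name; RunAs = $_.StartName } }

    # 2. Scheduled tasks: the verbose CSV output has a "Run As User" column. On newer
    #    Windows the header row repeats per task folder, so rows that are headers are dropped.
    schtasks.exe /query /v /fo CSV 2>$null | ConvertFrom-Csv |
        Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -match $pattern } |
        ForEach-Object { New-Object PSObject -Property @{ Where = 'Task'; Name = $_.TaskName; RunAs = $_.'Run As User' } }

    # 3. DHCP server dynamic DNS update credentials (the credentials button Joe describes).
    #    Output layout varies by version, so the whole text is searched for the account name.
    $dhcp = netsh dhcp server show dnscredentials 2>$null
    if ($dhcp -and (($dhcp -join ' ') -match $pattern)) {
        New-Object PSObject -Property @{ Where = 'DHCP DNS credentials'; Name = 'netsh dhcp server show dnscredentials'; RunAs = ($dhcp -join ' ').Trim() }
    }

    # 4. Credential Manager entries of the current user (mapped drives, saved logons)
    cmdkey.exe /list 2>$null |
        Where-Object { $_ -match 'User:' -and $_ -match $pattern } |
        ForEach-Object { New-Object PSObject -Property @{ Where = 'Stored credential'; Name = 'cmdkey /list'; RunAs = $_.Trim() } }
}

# Anything listed here still holds the old password if it was not updated after the change.
Find-StoredAccountUse -Account $Account | Format-Table Where, Name, RunAs -AutoSize
```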
  5. For DHCP credentials, it is advised to use a separate non-domain admin
    account, with a strong password. I would suggest naming it with something
    more appropriate, such as DhcpCredentials, this way you know what the
    account is for. There is no reason to use your account, and I assume that
    your account is a domain admin account, which is not necessary, and can be a
    security risk with an additional admin account floating around.

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and
    confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among
    responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE &
    MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please
    contact Microsoft PSS directly. Please check http://support.microsoft.com
    for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Jan 7, 2010
    #5
  6. Agree

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4
    Microsoft's Thrive IT Pro of the Month - June 2009

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup This
    posting is provided "AS IS" with no warranties, and confers no rights.
     
    Paul Bergson [MVP-DS], Jan 7, 2010
    #6
  7. Joe Glim

    Jorge Silva Guest

    Hi
    You should use a regular service account for that purpose; generally an
    account with a non-expiring password is created for that.

    --

    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MVP Directory Services

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.




     
    Jorge Silva, Jan 11, 2010
    #7
