User account being locked out

Discussion in 'Active Directory' started by Dale Crowder, Sep 17, 2008.

  1. Dale Crowder

    Dale Crowder Guest

    Is there a tool that will tell me what is using my username on a server and
    causing me to be locked out. I'm getting the event id 675 on my domain
    controller that is telling me to look at a specific ip address that is
    sending the request.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Account Logon
    Event ID: 675
    Date: 9/17/2008
    Time: 5:56:15 PM
    Computer: KNB4
    Pre-authentication failed:
    User Name: User
    User ID: Domain\User
    Service Name: krbtgt/Domain
    Pre-Authentication Type: 0x2
    Failure Code: 0x12
    Client Address: 10.1.x.x

    On that server I'm getting an event id 539 account locked out.

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 539
    Date: 9/17/2008
    Time: 5:34:15 PM
    Computer: VSERVER
    Logon Failure:
    Reason: Account locked out
    User Name: UserName
    Domain: DomainName
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: ServerName
    Caller User Name: ServerName$
    Caller Domain: Domain
    Caller Logon ID: (0x0,0x3E7)
    Caller Process ID: 3556
    Transited Services: -
    Source Network Address: -
    Source Port: -

    I can't find a think on this server that is using my login information.
    I've searched the registery for Process ID: 3556 to no avail, searched for my
    username to no avail.

    Of course I've checked services and scheduled tasks. Any help would be great.

    If there's not a tool out there to monitor what on a server is making AD
    requests that would be a good one for someone to create and sell.
    Dale Crowder, Sep 17, 2008
    1. Advertisements

  2. Meinolf Weber, Sep 18, 2008
    1. Advertisements

  3. Dale Crowder

    Nick Guest


    Please run Lockoutstatus.exe from Lockout tools mentioned below. This will
    tell you which account is getting locked & request is received by which DC.
    Event ID 675 shows "KNB4" as client name. Do you identify this machine name?
    When was the last time you reset your account password?
    Are you using any of the locked accounts to run Service ? check those &

    cheers !!
    Nick, Sep 18, 2008
  4. Paul Bergson [MVP-DS], Sep 19, 2008
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.