|
Question : Win Account Locked-Out Several Times a Day
|
|
In our LAN we have a Win Srvr2003 as a DC and all client machines are WInXP. One particular account keeps getting locked out several times a day. Our network policy specifies 10 failed logon attempts as the lock-out criteria. Many times, this happens on the first attempt of the day. I have even logged on to the server and manually unlocked this account and rebooted the client, only to have the account locked-out again on the very next attempt. I have disconnected all the user's mapped drives. I have checked the security event logs and do not see 10 failed attempts for this account. Each time a logon failed, there were series of FailureAudits in the event log. Here are are a few entries from the security log, which appeared just after a single logon failure:
--- 1st Entry ---
Source: Security Category: Account Logon Type: Failure Aud Event ID: 675 User: NT AUTHORITY\SYSTEM Computer: [servername]
Pre-authentication failed:
User Name: [ username ] User ID: [ domain\username ] Service Name: krbtgt/[ domain ] Pre-Authentication Type: 0x2 Failure Code: 0x25 Client Address: [ CLIENT IP ADDRESS ]
--- 2nd Entry ---
Source: Security Category: Account Logon Type: Failure Aud Event ID: 673 User: NT AUTHORITY\SYSTEM Computer: [servername]
Service Ticket Request:
User Name: User Domain: Service Name: Service ID: - Ticket Options: 0x40800000 Ticket Encryption Type: - Client Address: [ CLIENT IP ADDRESS ] Failure Code: 0x25 Logon GUID: - Transited Services: -
--- 3rd Entry ---
Source: Security Category: Logon/Logoff Type: Failure Aud Event ID: 537 User: NT AUTHORITY\SYSTEM Computer: [servername]
Logon Failure: Reason: An error occurred during logon User Name: Domain: Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: - Status code: 0xC000006D Substatus code: 0xC0000133 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: [ CLIENT IP ADDRESS ] Source Port: 1062
--- 4th Entry ---
Source: Security Category: Logon/Logoff Type: Failure Aud Event ID: 537 User: NT AUTHORITY\SYSTEM Computer: [servername]
Logon Failure: Reason: An error occurred during logon User Name: Domain: Logon Type: 3 Logon Process: Kerberos Authentication Package: Kerberos Workstation Name: - Status code: 0xC000006D Substatus code: 0xC0000133 Caller User Name: - Caller Domain: - Caller Logon ID: - Caller Process ID: - Transited Services: - Source Network Address: [ CLIENT IP ADDRESS ] Source Port: 1065
--------------
Any thoughts as to why this account keeps getting locked-out?
|
Answer : Win Account Locked-Out Several Times a Day
|
|
We have the same problem before, and try to figure it out why it happens like that, it took us a few days to work it out why.
That account, the one keep lock out, is currently on 1 of the machine. Then the user leave it there (compA for example), get into another machine (compB) and try to change the password. The compA still on with that username and it keep checking for the password every now and then. And you have to reallise that the password on compA and the one on the server is different that's why it lock that account up.
Now you only need to search for that machine and log that account off. Then reset the password again, should be fine.
|
|
|
|