|
Question : Win Account Locked-Out Several Times a Day
|
|
In our LAN we have a Win Srvr2003 as a DC and all client machines are WInXP. One particular account keeps getting locked out several times a day. Our network policy specifies 10 failed logon attempts as the lock-out criteria. Many times, this happens on the first attempt of the day. I have even logged on to the server and manually unlocked this account and rebooted the client, only to have the account locked-out again on the very next attempt. I have disconnected all the user's mapped drives. I have checked the security event logs and do not see 10 failed attempts for this account. Each time a logon failed, there were series of FailureAudits in the event log. Here are are a few entries from the security log, which appeared just after a single logon failure:
--- 1st Entry ---
Source: Security
Category: Account Logon
Type: Failure Aud
Event ID: 675
User: NT AUTHORITY\SYSTEM
Computer: [servername]
Pre-authentication failed:
User Name: [ username ]
User ID: [ domain\username ]
Service Name: krbtgt/[ domain ]
Pre-Authentication Type: 0x2
Failure Code: 0x25
Client Address: [ CLIENT IP ADDRESS ]
--- 2nd Entry ---
Source: Security
Category: Account Logon
Type: Failure Aud
Event ID: 673
User: NT AUTHORITY\SYSTEM
Computer: [servername]
Service Ticket Request:
User Name:
User Domain:
Service Name:
Service ID: -
Ticket Options: 0x40800000
Ticket Encryption Type: -
Client Address: [ CLIENT IP ADDRESS ]
Failure Code: 0x25
Logon GUID: -
Transited Services: -
--- 3rd Entry ---
Source: Security
Category: Logon/Logoff
Type: Failure Aud
Event ID: 537
User: NT AUTHORITY\SYSTEM
Computer: [servername]
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: [ CLIENT IP ADDRESS ]
Source Port: 1062
--- 4th Entry ---
Source: Security
Category: Logon/Logoff
Type: Failure Aud
Event ID: 537
User: NT AUTHORITY\SYSTEM
Computer: [servername]
Logon Failure:
Reason: An error occurred during logon
User Name:
Domain:
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name: -
Status code: 0xC000006D
Substatus code: 0xC0000133
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: [ CLIENT IP ADDRESS ]
Source Port: 1065
--------------
Any thoughts as to why this account keeps getting locked-out?
|
Answer : Win Account Locked-Out Several Times a Day
|
|
We have the same problem before, and try to figure it out why it happens like that, it took us a few days to work it out why.
That account, the one keep lock out, is currently on 1 of the machine. Then the user leave it there (compA for example), get into another machine (compB) and try to change the password. The compA still on with that username and it keep checking for the password every now and then. And you have to reallise that the password on compA and the one on the server is different that's why it lock that account up.
Now you only need to search for that machine and log that account off. Then reset the password again, should be fine.
|
|
|
|
|
