Re: Account lockouts help

From: Jon LaBarge (jonlabarge_at_comcast.net)
Date: 09/14/05


Date: Tue, 13 Sep 2005 16:06:12 -0700

Ok, this is what comes up in the Event Viewer. We seem to think that it has
something to do with a new DC that we implemented.

The Security System detected an authentication error for the server
cifs/%FQDN%. The failure code from authentication protocol Kerberos was "The
attempted logon is invalid. This is either due to a bad username or
authentication information. (0xc000006d)."

%FQDN% = our fully qualified domain name for the server in question.

This event ID is 40960.
Source LSASRV
Category: SPNEGO (Negotiator)

We also get Event ID 40961 for the same server.

The Security System could not establish a secured connection with the server
cifs/%FQDN%. No authentication protocol was available.

I ran the ALTools and the log does not seem suspicious other than it appears
as though the logon script is dumping a NULL in the password. See text
below:

Tue Sep 13 15:04:13 2005, PID: 228, Thread: 224, Image
C:\WINNT\system32\lsass.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:15 2005, PID: 408, Thread: 396, Image
C:\WINNT\system32\svchost,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:15 2005, PID: 436, Thread: 440, Image
C:\WINNT\system32\spoolsv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:23 2005, PID: 504, Thread: 500, Image C:\Program
Files\CA\SharedComponents\Alert\ALERT.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:24 2005, PID: 560, Thread: 564, Image C:\Program
Files\CA\SharedComponents\CA_LIC\lic98rmt.exe,ALOCKOUT.DLL -
DLL_PROCESS_ATTACH
Tue Sep 13 15:04:24 2005, PID: 608, Thread: 604, Image
C:\WINNT\system32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:25 2005, PID: 624, Thread: 620, Image
C:\WINNT\system32\hidserv.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:26 2005, PID: 688, Thread: 684, Image C:\Program
Files\CA\eTrust Antivirus\InoTask.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:32 2005, PID: 972, Thread: 968, Image
userinit.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:32 2005, PID: 992, Thread: 984, Image
C:\WINNT\system32\MSTask.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:33 2005, PID: 1072, Thread: 1068, Image
C:\WINNT\system32\svchost.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:34 2005, PID: 1116, Thread: 1112, Image
\\marty\netlogon\kix32,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:34 2005, PID: 1116, Thread: 1112, Image
\\marty\netlogon\kix32,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:04:34 2005, PID: 972, Thread: 968, Image
userinit.exe,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:04:37 2005, PID: 228, Thread: 900, Image
C:\WINNT\system32\lsass.exe,***StartServiceW Failed!*** (0), Service: Failed
to get Service name, RC was: Incorrect function. (1), GLE was: Overlapped
I/O operation is in progress. (997)
Tue Sep 13 15:04:37 2005, PID: 228, Thread: 352, Image
C:\WINNT\system32\lsass.exe, ***StartServiceW Failed!*** (0), Service:
Failed to get Service name, RC was: Incorrect function. (1), GLE was:
Overlapped I/O operation is in progress. (997)
Tue Sep 13 15:04:37 2005, PID: 228, Thread: 264, Image
C:\WINNT\system32\lsass.exe,***StartServiceW Failed!*** (0), Service: Failed
to get Service name, RC was: The operation completed successfully. (0),
GLE was: An instance of the service is already running. (1056)
Tue Sep 13 15:04:42 2005, PID: 1188, Thread: 1184, Image
userinit.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:43 2005, PID: 1188, Thread: 1184, Image
userinit.exe,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:04:43 2005, PID: 1216, Thread: 1244, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:43 2005, PID: 1216, Thread: 1244, Image
net,***WNetUseConnectionW Failed!*** (1), Local: j:, Remote: \\marty\cwic,
Password: Password was NULL, Window Title: , RC was: The local device name
is already in use. (85), GLE was: The local device name is already in use.
(85)
Tue Sep 13 15:04:43 2005, PID: 1216, Thread: 1244, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:04:43 2005, PID: 1244, Thread: 1216, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:43 2005, PID: 1244, Thread: 1216, Image
net,***WNetUseConnectionW Failed!*** (1), Local: k:, Remote:
\\wally\applied, Password: Password was NULL, Window Title: , RC was: The
local device name is already in use. (85), GLE was: The local device name
is already in use. (85)
Tue Sep 13 15:04:43 2005, PID: 1244, Thread: 1216, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:04:44 2005, PID: 1216, Thread: 1244, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:44 2005, PID: 1216, Thread: 1244, Image
net,***WNetUseConnectionW Failed!*** (1), Local: u:, Remote:
\\wally\dncotton$, Password: Password was NULL, Window Title: , RC was: The
local device name is already in use. (85), GLE was: The local device name
is already in use. (85)
Tue Sep 13 15:04:44 2005, PID: 1216, Thread: 1244, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:04:44 2005, PID: 300, Thread: 1216, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:44 2005, PID: 300, Thread: 1216, Image
net,***WNetUseConnectionW Failed!*** (1), Local: i:, Remote: \\marty\claims,
Password: Password was NULL, Window Title: , RC was: The local device name
is already in use. (85), GLE was: The local device name is already in use.
(85)
Tue Sep 13 15:04:44 2005, PID: 300, Thread: 1216, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:04:46 2005, PID: 408, Thread: 416, Image
C:\WINNT\system32\svchost,***StartServiceW Failed!*** (0), Service: Service:
Network Connections (C:\WINNT\System32\svchost.exe -k netsvcs), RC was:
Incorrect function. (1), GLE was: Overlapped I/O operation is in progress.
(997)
Tue Sep 13 15:04:47 2005, PID: 1324, Thread: 1320, Image C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:47 2005, PID: 1324, Thread: 1320, Image C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:04:48 2005, PID: 1268, Thread: 1272, Image C:\Program
Files\Microsoft Office\Office\OSA9.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:04:49 2005, PID: 1268, Thread: 1272, Image C:\Program
Files\Microsoft Office\Office\OSA9.EXE,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:05:22 2005, PID: 408, Thread: 1316, Image
C:\WINNT\system32\svchost,***StartServiceW Failed!*** (0), Service: Service:
Windows Management Instrumentation (C:\WINNT\System32\WBEM\WinMgmt.exe), RC
was: Incorrect function. (1), GLE was: Overlapped I/O operation is in
progress. (997)
Tue Sep 13 15:05:36 2005, PID: 1576, Thread: 1572, Image
C:\WINNT\system32\wuauclt.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:26:33 2005, PID: 1576, Thread: 1572, Image
C:\WINNT\system32\wuauclt.exe,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:27:16 2005, PID: 1372, Thread: 1292, Image
userinit.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:27:16 2005, PID: 1372, Thread: 1292, Image
userinit.exe,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:27:16 2005, PID: 1208, Thread: 1348, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:27:16 2005, PID: 1208, Thread: 1348, Image
net,***WNetUseConnectionW Failed!*** (1), Local: j:, Remote: \\marty\cwic,
Password: Password was NULL, Window Title: , RC was: The local device name
is already in use. (85), GLE was: The local device name is already in use.
(85)
Tue Sep 13 15:27:16 2005, PID: 1208, Thread: 1348, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:27:16 2005, PID: 1348, Thread: 1208, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:27:16 2005, PID: 1348, Thread: 1208, Image
net,***WNetUseConnectionW Failed!*** (1), Local: k:, Remote:
\\wally\applied, Password: Password was NULL, Window Title: , RC was: The
local device name is already in use. (85), GLE was: The local device name
is already in use. (85)
Tue Sep 13 15:27:16 2005, PID: 1348, Thread: 1208, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:27:17 2005, PID: 1208, Thread: 1348, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:27:17 2005, PID: 1208, Thread: 1348, Image
net,***WNetUseConnectionW Failed!*** (1), Local: u:, Remote:
\\wally\dncotton$, Password: Password was NULL, Window Title: , RC was: The
local device name is already in use. (85), GLE was: The local device name
is already in use. (85)
Tue Sep 13 15:27:17 2005, PID: 1208, Thread: 1348, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:27:17 2005, PID: 1348, Thread: 1208, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:27:17 2005, PID: 1348, Thread: 1208, Image
net,***WNetUseConnectionW Failed!*** (1), Local: i:, Remote: \\marty\claims,
Password: Password was NULL, Window Title: , RC was: The local device name
is already in use. (85), GLE was: The local device name is already in use.
(85)
Tue Sep 13 15:27:17 2005, PID: 1348, Thread: 1208, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:27:17 2005, PID: 448, Thread: 1412, Image C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:27:18 2005, PID: 1340, Thread: 932, Image C:\Program
Files\Microsoft Office\Office\OSA9.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:27:18 2005, PID: 448, Thread: 1412, Image C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:27:18 2005, PID: 1340, Thread: 932, Image C:\Program
Files\Microsoft Office\Office\OSA9.EXE,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:29:55 2005, PID: 1172, Thread: 1352, Image
userinit.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:29:55 2005, PID: 1172, Thread: 1352, Image
userinit.exe,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:29:55 2005, PID: 1208, Thread: 1392, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:29:55 2005, PID: 1208, Thread: 1392, Image
net,***WNetUseConnectionW Failed!*** (1), Local: j:, Remote: \\marty\cwic,
Password: Password was NULL, Window Title: , RC was: The local device name
is already in use. (85), GLE was: The local device name is already in use.
(85)
Tue Sep 13 15:29:55 2005, PID: 1208, Thread: 1392, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:29:55 2005, PID: 1392, Thread: 1208, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:29:55 2005, PID: 1392, Thread: 1208, Image
net,***WNetUseConnectionW Failed!*** (1), Local: k:, Remote:
\\wally\applied, Password: Password was NULL, Window Title: , RC was: The
local device name is already in use. (85), GLE was: The local device name
is already in use. (85)
Tue Sep 13 15:29:55 2005, PID: 1392, Thread: 1208, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:29:56 2005, PID: 1208, Thread: 1392, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:29:56 2005, PID: 1208, Thread: 1392, Image
net,***WNetUseConnectionW Failed!*** (1), Local: u:, Remote:
\\wally\dncotton$, Password: Password was NULL, Window Title: , RC was: The
local device name is already in use. (85), GLE was: The local device name
is already in use. (85)
Tue Sep 13 15:29:56 2005, PID: 1208, Thread: 1392, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:29:56 2005, PID: 1392, Thread: 1208, Image
net,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:29:56 2005, PID: 1392, Thread: 1208, Image
net,***WNetUseConnectionW Failed!*** (1), Local: i:, Remote: \\marty\claims,
Password: Password was NULL, Window Title: , RC was: The local device name
is already in use. (85), GLE was: The local device name is already in use.
(85)
Tue Sep 13 15:29:56 2005, PID: 1392, Thread: 1208, Image
net,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:29:56 2005, PID: 1168, Thread: 1596, Image C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:29:57 2005, PID: 1368, Thread: 924, Image C:\Program
Files\Microsoft Office\Office\OSA9.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:29:57 2005, PID: 1168, Thread: 1596, Image C:\Program
Files\Java\jre1.5.0_01\bin\jusched.exe,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:29:57 2005, PID: 1368, Thread: 924, Image C:\Program
Files\Microsoft Office\Office\OSA9.EXE,ALOCKOUT.DLL - dll_process_detatch
Tue Sep 13 15:31:39 2005, PID: 712, Thread: 1444, Image C:\Program
Files\Microsoft Office\Office\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:32:05 2005, PID: 1256, Thread: 120, Image
C:\WINNT\msagent\AgentSvr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Tue Sep 13 15:39:30 2005, PID: 408, Thread: 416, Image
C:\WINNT\system32\svchost,***StartServiceW Failed!*** (0), Service: Service:
Windows Management Instrumentation (C:\WINNT\System32\WBEM\WinMgmt.exe), RC
was: Incorrect function. (1), GLE was: Overlapped I/O operation is in
progress. (997)

Based on this, any other ideas????

Jon

"Miha Pihler [MVP]" <mihap-news@atlantis.si> wrote in message
news:eAU6isKuFHA.2560@TK2MSFTNGP10.phx.gbl...
> Hi,
>
> These tools should help you out determining what is causing the lockout
>
> Account Lockout and Management Tools
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
>
> --
> Mike
> Microsoft MVP - Windows Security
>
>
> "Jon LaBarge" <jonlabarge@comcast.net> wrote in message
> news:%23wLQ%23iKuFHA.600@TK2MSFTNGP10.phx.gbl...
>> We have a few users in our org that continually get locked out. Every 5
>> minutes, their accounts go into the lockout state. They are locked down
>> by a GPO but only for folder redirection. Any ideas???
>>
>> Thx.
>>
>> Jon
>>
>
>
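
Added example, not part of the original thread or of ALTools: a small Python triage for an ALockout.txt log like the one quoted in the post. It re-joins the mail-wrapped lines into records and separates `WNetUseConnectionW` failures whose return code points at credentials from those that do not, such as code 85. The sample log is constructed in the post's layout; the `\\fileserver.example\share` record with RC 1326 and the set of credential-related Win32 codes are assumptions added for contrast.

```python
import re
from collections import Counter

# Constructed sample in the ALockout.txt layout quoted in the post, wrapped the
# way the mail client wrapped it. The final RC 1326 record is invented for contrast.
SAMPLE = r"""
Tue Sep 13 15:04:43 2005, PID: 1216, Thread: 1244, Image
net,***WNetUseConnectionW Failed!*** (1), Local: j:, Remote: \\marty\cwic,
Password: Password was NULL, Window Title: , RC was: The local device name
is already in use. (85), GLE was: The local device name is already in use.
(85)
Tue Sep 13 15:04:43 2005, PID: 1244, Thread: 1216, Image
net,***WNetUseConnectionW Failed!*** (1), Local: k:, Remote:
\\wally\applied, Password: Password was NULL, Window Title: , RC was: The
local device name is already in use. (85), GLE was: The local device name
is already in use. (85)
Tue Sep 13 15:04:50 2005, PID: 1300, Thread: 1304, Image
net,***WNetUseConnectionW Failed!*** (1), Local: x:, Remote:
\\fileserver.example\share, Password: Password was NULL, Window Title: , RC
was: Logon failure: unknown user name or bad password. (1326), GLE was:
Logon failure: unknown user name or bad password. (1326)
"""
START = re.compile(r"^[A-Z][a-z]{2} [A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d \d{4}, PID: ")
FAIL = re.compile(
    r"\*\*\*WNetUseConnectionW Failed!\*\*\*.*?Local: (?P<local>[^,]*), "
    r"Remote:\s*(?P<remote>[^,]*), Password: [^,]*,.*?RC was: .*?\((?P<rc>\d+)\)")
# Win32 codes that indicate a credential problem: ERROR_INVALID_PASSWORD,
# ERROR_LOGON_FAILURE, ERROR_ACCOUNT_LOCKED_OUT (this selection is an assumption).
CREDENTIAL_RCS = {86, 1326, 1909}

def records(text):
    """Re-join wrapped lines: a new record starts at each timestamp + PID prefix."""
    out = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if START.match(line) or not out:
            out.append(line)
        else:
            out[-1] += " " + line
    return out

def triage(text):
    """Count mapping failures per (remote share, RC), split by credential relevance."""
    cred, other = Counter(), Counter()
    for m in filter(None, map(FAIL.search, records(text))):
        rc = int(m["rc"])
        (cred if rc in CREDENTIAL_RCS else other)[(m["remote"], rc)] += 1
    return cred, other

if __name__ == "__main__":
    print(triage(SAMPLE))
```
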