Re: account lockout fails
From: chris (csheehan_at_seaviewseward.org)
Date: 05/28/03
Date: Wed, 28 May 2003 10:17:03 -0800
I've been asked to re-state this so it makes more sense - I'll give it a
try:
In my domain controller security log I received the following events
periodically (1-2 hours apart) over a 22 hour period on a weekend:
Type: Failure
Event ID: 676
User: NT Authority\System
Computer: Primary Domain controller name
Authentication Ticket Request Failed
User Name: username (this was a valid username for the machine)
Supplied Realm Name: domainname
Service Name: krbtgt/domainname
Ticket Options: 0x40310010
Failure Code: 0x17
Client Address: secondary domain controller IP
This event is followed by another that is identical except that the Client
Address is the workstation IP address. These two events alternated with
each other in the security log until there were a total of 24 (12 each).
This was the same on each occurrence.
These are listed as failed logon attempts in the security log, but the
domain lockout policy did not take effect and lock the account.
I believe the workstation had been left sitting idle and logged off at the
time of these events.
I tested the lockout policy on the workstation by typing in the username and
password until the account locked after the specified attempts (as well as
checking effective settings on the workstation). It works fine under those
conditions.
I've been trying to find some info as to how these events may have been
generated and/or some info on the failure code that may give me a clue. I
had one IT friend say they have experienced logs filling up with failed
logon attempts when a workstation was left idle at the logon screen, but I
have been unable to replicate this.
Any clues?
Thanks!
"chris" <csheehan@seaviewseward.org> wrote in message
news:uscptPIJDHA.1360@TK2MSFTNGP10.phx.gbl...
> Has anyone seen strings of logon attempts from a workstation in a domain
> where the lockout policy does not take effect?
>
> I have strings of Event 676, always in sets of 24 (12 reference the
> workstation IP and 12 reference the DC IP) that occur when the workstation
> is sitting idle and no one has physical access.
>
> If I sit at the workstation and type in the wrong password, the policy does
> take effect.
> I haven't found any documentation specific to Win2K for something like this.
> Thanks!
>
>
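A triage sketch for the events described in this thread, added here as an example and not part of the original post: it decodes the Failure Code field as an RFC 4120 Kerberos error number (0x17 is KDC_ERR_KEY_EXPIRED, password expired; a wrong password is normally 0x18, KDC_ERR_PREAUTH_FAILED) and counts failures per user, client address and code. The user name, the addresses and the blank-line record separation are assumptions, and the sample records are constructed.

```python
import re
from collections import Counter

# Kerberos error numbers as defined in RFC 4120 (subset).
KRB_ERRORS = {
    0x06: "KDC_ERR_C_PRINCIPAL_UNKNOWN",  # client not found in Kerberos database
    0x12: "KDC_ERR_CLIENT_REVOKED",       # client credentials have been revoked
    0x17: "KDC_ERR_KEY_EXPIRED",          # password has expired
    0x18: "KDC_ERR_PREAUTH_FAILED",       # pre-authentication information invalid
    0x25: "KRB_AP_ERR_SKEW",              # clock skew too great
}

# Constructed sample in the field layout quoted in the post; "jdoe" and the
# 192.0.2.x addresses are placeholders (assumed: .10 = second DC, .50 = workstation).
RECORD = "Event ID: 676\nUser Name: jdoe\nFailure Code: {}\nClient Address: {}\n"
SAMPLE = "\n".join(RECORD.format(code, addr) for code, addr in [
    ("0x17", "192.0.2.10"), ("0x17", "192.0.2.50"),
    ("0x17", "192.0.2.10"), ("0x18", "192.0.2.50"),
])

def parse_events(text):
    """Split blank-line-separated records into dicts of 'Field: value' pairs."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split(":", 1) for line in block.splitlines() if ":" in line)
        fields = {key.strip(): value.strip() for key, value in pairs}
        if fields.get("Event ID") == "676":  # keep only ticket request failures
            events.append(fields)
    return events

def decode_failure(code):
    """Map a hex Failure Code string such as '0x17' to its RFC 4120 name."""
    number = int(code, 16)
    return KRB_ERRORS.get(number, "UNKNOWN_0x%X" % number)

def summarize(events):
    """Count failures per (user name, client address, decoded failure code)."""
    return Counter(
        (e.get("User Name"), e.get("Client Address"),
         decode_failure(e.get("Failure Code", "0x0")))
        for e in events
    )

if __name__ == "__main__":
    for key, count in sorted(summarize(parse_events(SAMPLE)).items()):
        print(count, *key)
```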