Re: Account lockout

From: Steven L Umbach (sumbach_at_N0spam.ameritech.net)
Date: 04/22/04 

Date: Thu, 22 Apr 2004 10:02:54 -0500

You would also want to enable auditing of logon events on his workstation
and any other computers/servers that the user may usually use looking for
failed logon attempts with that account name on those computers. It could
possibly be that the user is still logged onto another computer [Terminal
Services or such] with an old password, that a mapped share with persistent
credentials is used with old/bad password, or a Scheduled Task is using the
users wrong password. Hopefully it is not a jokester on the network because
the lockout could be ocurring on any computer that has file and print
sharing enabled and that would not show up in the domain controller logs
like a bad attempt to logon the the domain interactivley would. The link
below is excellent at tips on how to track such issues down about two thirds
the way down under heading of "Troubleshooting Account Lockout. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

"Sloup Michal" <michal.sloup@cz.glaverbel.com> wrote in message
news:2bc201c42864$de93df10$a301280a@phx.gbl...
> We are runnig W2K Domain. One of our users suddenly gets
> locked out (regularly). I used EventComb to search all our
> DC (we have almost 60) for some events.
>
> I'm able to find events 642 and 644. Also I can see events
> 675 (failure code 18) and 681 (error code 3221226036).
>
> It means that I can find the moment when the account is
> locked, but I need also to know why! So I need to find
> some events 675 or 681 with code 24 or 3221225578.
>
> Can anyone advice where to look or what to switch on,
> etc...
>
> Any hint is appreciated.
>
> Michal

Relevant Pages

  • [EC-SA-01.2003] Windows XP "welcome screen" exposes the names of all the members of the l
    ... logon screen with what is called "Welcome Screen". ... (including the original administrator account, ... Using the "welcome screen" actually disables / ignores the security ...
    (Bugtraq)
  • Re: ATTN : Microsoft - Security Event 529....Second Request for help....
    ... According to the events, the logon ... failure is from the local machine account. ... disconnected from the network. ... Security Event ID 529 is a failure audit for logon/logoff. ...
    (microsoft.public.windows.server.sbs)
  • Re: Is it really true that NTFS is secure?
    ... > and failure auditing starting with "Audit Account Management," and also try ... > The account Group got put back in the Administrator group again. ... > The logon to account: ...
    (microsoft.public.security)
  • Re: Logon Server Unavailable
    ... >> More Connections Can Be Made At This Time ... >> The network folder specified is currently mapped using a different user ... >> account in its primary domain is missing or the password on that account ... >> There are currently no logon servers available to service the logon ...
    (microsoft.public.windows.server.general)
  • Re: Logon Server Unavailable
    ... >> More Connections Can Be Made At This Time ... >> The network folder specified is currently mapped using a different user ... >> account in its primary domain is missing or the password on that account ... >> There are currently no logon servers available to service the logon ...
    (microsoft.public.windows.server.dns)