Re: Account Being Locked Somewhere



Hmm. Set "Audit Account Logon Events" and "Audit Logon Events" to
Success/Failure in the audit policy for both the Domain Security Policy and
Domain Controller Security Policy and I still can't see the event where the
account is getting locked.

We changed his password back to the old one but the account still gets
locked out. "Manage Passwords" is empty.

Has anyone ever seen the event message in the security log when an account
gets locked out? If so, what were your audit policy settings?

"Brian Delaney [MSFT]" <briandel@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:DAjSh%23twGHA.3200@xxxxxxxxxxxxxxxxxxxxxxxx
Hi Andrew,

Make sure that on the DCs you have auditing turned on for logon events so
that you can see which machine is sending the bad passwords.

Once you have determined the machine there are a number of places on a
machine that store users' passwords that could cause the password to
lockout automatically. Some are:

Services
Mapped Network Drives
Scheduled Tasks
Credential Manager (Start -> Run -> control keymgr.dll)
3rd Party applications
DHCP Server
Malware
etc.

Since he just changed his password this morning I would suspect that it is
somewhere he has saved it and just needs to update the password.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no
rights.
--------------------
From: "Andrew Hayes" <AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx>
References: <uKxrKRrwGHA.3392@xxxxxxxxxxxxxxxxxxxx>
Subject: Re: Account Being Locked Somewhere
Date: Fri, 18 Aug 2006 19:53:54 +0900

Looked at his Services list. None of them are set to use his account.

"Andrew Hayes" <AndrewHayes@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uKxrKRrwGHA.3392@xxxxxxxxxxxxxxxxxxxxxxx
One of my users, a developer, keeps getting his account locked out, but I
don't see anything in the domain controller security event log that helps
me figure out why it's being locked.

He changed his password this morning, so maybe he has a service that uses
his account.

Is there any way to track down where (machine or otherwise) his account is
being locked from?
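
Added example, not part of any post in this thread: a Python sketch of the step described above (finding which machine is sending the bad passwords), run over a security-log XML export. It assumes Windows Server 2008 or later event IDs, which postdate this thread: 4740 (account locked out, logged under the Account Management audit category rather than the logon categories), 4771 (Kerberos pre-authentication failed) and 4776 (NTLM credential validation). The user, host and address in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Event ID -> EventData field that names where the attempt came from.
# In 4740 the caller computer name is carried in TargetDomainName.
SOURCE_FIELD = {"4740": "TargetDomainName", "4771": "IpAddress", "4776": "Workstation"}

def _ev(eid, **data):
    """Build one constructed <Event> element (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f"<EventData>{fields}</EventData></Event>")

# Constructed sample shaped like `wevtutil qe Security /f:xml` output
# wrapped in a single root element; all names and addresses are made up.
SAMPLE = "<Events>" + "".join([
    _ev(4771, TargetUserName="jdoe", IpAddress="::ffff:10.0.0.23", Status="0x18"),
    _ev(4771, TargetUserName="jdoe", IpAddress="::ffff:10.0.0.23", Status="0x18"),
    _ev(4771, TargetUserName="jdoe", IpAddress="::ffff:10.0.0.23", Status="0x18"),
    _ev(4776, TargetUserName="jdoe", Workstation="devbox07", Status="0xC000006A"),
    _ev(4740, TargetUserName="jdoe", TargetDomainName="DEVBOX07"),
    _ev(4771, TargetUserName="asmith", IpAddress="::ffff:10.0.0.99", Status="0x18"),
    _ev(4624, TargetUserName="jdoe", IpAddress="10.0.0.23"),  # success: ignored
]) + "</Events>"

def lockout_sources(xml_text, user):
    """Count failure/lockout events for `user`, keyed by (event id, source)."""
    hits = Counter()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        eid = ev.findtext("e:System/e:EventID", namespaces=NS)
        field = SOURCE_FIELD.get(eid)
        if field is None:
            continue  # not a lockout or failed-authentication event
        data = {d.get("Name"): (d.text or "")
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != user.lower():
            continue
        src = data.get(field, "").strip()
        if src.startswith("::ffff:"):  # IPv4-mapped IPv6 form used by 4771
            src = src[len("::ffff:"):]
        hits[(eid, src.upper() or "(BLANK)")] += 1
    return hits

if __name__ == "__main__":
    for (eid, src), n in lockout_sources(SAMPLE, "jdoe").most_common():
        print(f"event {eid}  source {src}  count {n}")
```

The source with the most failures just before the 4740 entry is the machine to check for the saved-password locations listed in the reply above.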






