unexplained lockouts

BH

My Active Directory account keeps getting locked out.
Since I'm the main domain admin, I can get in and clear
the lockout for my personal account, but it's kind of an
annoyance. I'll be logged in normally, I'll log out when
I leave my desk, and when I try to log back in 10 minutes
later, I'm locked out.

DC event log shows:
Authentication Ticket Request Failed:
Username: (mine)
Supplied Realm Name: (our domain)
Service Name: krbtgt/(our domain)
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: (ip address of another domain controller - always the same one)

So, something is going on at that other DC, but what? No
services are running under my account; what else should I
check there?

BH
 
Joe Richards [MVP]

You should check the event log of the other DC as well, this could be a
forwarded request and the other DC isn't the source.
 
BH

The other DC doesn't show any logon failure since 5/9/04,
and this happened to me just this afternoon.

The main DC also shows a lot of pre-authentication
failures of the administrator account coming from the
same "client" - the other DC. Suspicious, but I don't
really know what to check next.
 
Steven L Umbach

You might try auditing failures for logon events also, at least until the problem is found,
which may give more helpful info. Have you changed your password recently? If so, was
it used in any persistent mapped drives, Scheduled Tasks, etc.? I would also run
netdiag first and then dcdiag second on your domain controllers, looking for any
problems that would show as failed tests, errors, or warnings that may indicate a
replication, DNS, or secure channel problem. The links below are very good at how to
resolve such problems. --- Steve

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
 
Anders

BH said:
My Active Directory account keeps getting locked out.
Since I'm the main domain admin, I can get in and clear
the lockout for my personal account, but it's kind of an
annoyance. I'll be logged in normally, I'll log out when
I leave my desk, and when I try to log back in 10 minutes
later, I'm locked out.


We got the same problem after upgrading from NT4 to W2K.
We have found nothing wrong anywhere, even after logging and auditing
just about everything we could. Several users get locked out, more and more
often.

We are now hoping that this will go away as we change from a mixed-mode domain
to a native w2k one.
Someone on NTBugTraq gave me a tip that this could be caused by problems
with the PDC emulator.
Also, we have other AD problems that are mixed-mode domain related, so we
want to get rid of all that first before trying to battle this one again.

Cheers,
Anders :)
 
Greg Brown

The only way I have found to solve this is to turn on debug logging for the
netlogon service. Go to each of your domain controllers and change the
value of this registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

to 0x2080ffff

Next, stop and start the netlogon service on the domain controllers.

You should now see a file called netlogon.log located in C:\WINNT\Debug\

Wait until the next time you get an account lockout then go look at this
file on all of your domain controllers and search for the user account that
is locked and you should be able to find the name of the computer that the
lockout came from.

This happens a lot after someone's password changes and they forgot that
they were logged on to another computer, possibly in a Terminal Services
session.


Regards,
Greg
 
