one PC locking out user on another PC

[Bawhead]

One user on my network is being continually locked out of her account.
After some investigation we have tracked it down to a specific PC
(D7C63D) that whenever it is switched on it tries to connect to the
network using the users username and a password. The following error
messages were logged in the main server event logs:

The logon to account: user02
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: D7C63D
failed. The error code was: 3221225578

Logon Failure:
Reason: Unknown user name or bad password
User Name: user02
Domain: D7C63D51
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: D7C63D

The problem is I can't find where on the system the users logon
details are being kept as they only used once, some time ago - I've
checked the profiles, all registry, searched files based on name and
content. I also can't figure out which process is involved in trying
logon. This one is driving me mad, any ideas will be gratefully
received.

 

[Pegasus \(MVP\)]

One user on my network is being continually locked out of her account.
After some investigation we have tracked it down to a specific PC
(D7C63D) that whenever it is switched on it tries to connect to the
network using the users username and a password. The following error
messages were logged in the main server event logs:

The logon to account: user02
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: D7C63D
failed. The error code was: 3221225578

Logon Failure:
Reason: Unknown user name or bad password
User Name: user02
Domain: D7C63D51
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: D7C63D

The problem is I can't find where on the system the users logon
details are being kept as they only used once, some time ago - I've
checked the profiles, all registry, searched files based on name and
content. I also can't figure out which process is involved in trying
logon. This one is driving me mad, any ideas will be gratefully
received.

Does this happen during the boot-up phase of the rogue
PC? If so then it could be a scheduled task. Check the
Task Scheduler.

Does it happen during the logon stage of the rogue PC?
If so then it could be something in the Startup subfolder
of the "All users" folder or of the specific user's profile
folder.

You should also check your startup policy:
Run GPEDIT.MSC, then open up
- Local Computer Policy
- Computer Configuration
- Windows Settings
- Scripts (Startup / Shutdown)

 

[Nightowl]

The problem is I can't find where on the system the users logon
details are being kept as they only used once, some time ago - I've
checked the profiles, all registry, searched files based on name and
content. I also can't figure out which process is involved in trying
logon. This one is driving me mad, any ideas will be gratefully
received.

Could possibly be a stored password. . . In Control Panel | User
Accounts, choose Change an account, click the offending account, then
Manage my Network Passwords.