Re-occuring Administrator User Account Lockout

G

Guest

Every week at approximately the same time, I notice one of the accounts in
my Administrators group gets locked out. Checked the Sec logs and find the
following entry:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 676
Date: 9/26/2005
Time: 12:51:39 PM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Authentication Ticket Request Failed:
User Name: admnstr
Supplied Realm Name: DOMAINA
Service Name: krbtgt/DOMAINA
Ticket Options: 0x40810010
Failure Code: 0x12
Client Address: 127.0.0.1



How can I determine what is causing this and where its coming from?
 
P

Paul Bergson

Is this user logged into more than one machine? Usually what happens is a
user has mapped drives to a resource from one machine, on a different
machine he changes his password and then the first machine attempts to stay
mapped to a drive and the password is no longer correct and eventually locks
the user out.

To help try and track down where the account is getting locked out use
eventcomboMT.exe from the Account Lockout tools found out Microsoft's
website. Use the built in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/...familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e
 
M

Mr P

Failure Code 12 means that the logon failed because of time-of-day or
workstation restrictions. 127.0.0.1 means from itself.

Mark
 
M

Mr P

Check the scheduler service with an AT command and see if any rogue
jobs are listed.

Mark
 
P

Paul Bergson

I guess I should have read down to the failure code. Right on it is this
machine. Nice work.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 
G

Guest

I had already checked to see if there were any scheduled task causing this,
and there are not.

The account locked out again this morning. The Security log showed 3
instances of the following prior to it locking out:


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 9/28/2005
Time: 7:50:59 AM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
The logon to account: admnstr
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation:
failed. The error code was: 3221226036
 
P

Paul Bergson

Open up services and sort on "Logon As" and see if this user is running as a
service.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Similar Threads

AUDIT FAILURE 1
Events 675 676 677 1
All domain Accounts being locked out 4
Failure audit recurs for Vista system being merged to Win 2K domai 1
Event ID 676 Logged 1
Event ID 676 5
Service Ticket Request Failed 1
acct lockouts after changing passwords 1

Top