User account locked out

G

Guest

Hello,

In our company, Active Directory many user accounts are being locked out
while the corresponding users are working on PCs with Windows 2000
professional SP4.

The domain account lockout policy is configured to lock out the user acocunt
after 3 wrong passwords.

When asked, users say they did not consciously entered their username or
password to logon to another system. Sometimes, the accounts are even locked
out when they were in a meeting and the Windows session was locked.
Furthermore, user's confirm they do not work on more than one PC
simultaneously.

The computers's local security event log shows three times the following
event at 4 seconds interval:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User:NT AUTHORITY\SYSTEM
Computer: COMPUTER1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: USER1
Domain: OUR_DOMAIN
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: COMPUTER1

And then

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER1
Description:
Logon Failure:
Reason: Account locked out
User Name: EGE
Domain: OUR_DOMAIN
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: GV2W280

The security event log on one of our Windows 2003 SP1 domain controllers
show event 644 ("User Account Locked Out"). User's PC is mentioned in the
event as "Caller Machine Name".

I even activated notlogon tracking on the domain controllers and the
nelogon.log shows that user account is always being locked out FROM user's
computer.

My question: has someone an idea on what I can do to troubleshoot what is
actually sending from user's Windows session an authentication request to the
domain controllers with their username and a wrong password ?

Any help would be very much appreciated

Ezéchiel Darvas
Switzerland
 

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments. After that, you can post your question and our members will help you out.

Ask a Question

Top