User locked out with event 537 under type 11 logon

Gijtech

I have a user logging in to the domain from a Win XP SP2 system who, after successfully logging into the domain, then logs on to our intranet, views an Office document, then enters the back command and finds his account locked out.

Looking at the event log on the user's system reveals one entry of
Logon Failure: Reason: An error occurred during logon
User Name: username
Domain: domain
Logon Type: 11
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: computer name
Status code: 0xC000005E
Substatus code: 0x0

followed by

Logon Failure:Reason: Account locked out
User Name: username
Domain: domain
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: computer name

At this point the user calls and we reset the account. User lockout is set for 5 fails, not 1. We have hklm\Software\Microsoft\Windows NT\Current Version\Winlogon\cachedlogonscount set to 0, so I am at a loss as to why the system is attempting to use a cachedinteractive logon, and why it is failing w/ only one attempt.
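
Added example, not part of the original thread: a small Python parser for event descriptions pasted in the format shown in the post above, which decodes the numeric Logon Type and Status code fields. The lookup tables are a subset of Microsoft's documented values, the function names are hypothetical, and treating only STATUS_WRONG_PASSWORD as a bad-password failure is a simplifying assumption.

```python
LOGON_TYPES = {2: "Interactive", 3: "Network", 11: "CachedInteractive"}  # subset
NTSTATUS = {0xC000005E: "STATUS_NO_LOGON_SERVERS",
            0xC000006A: "STATUS_WRONG_PASSWORD", 0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT"}
BAD_PASSWORD = {0xC000006A}  # simplification: only this status counts as a bad password

# Constructed sample: the two entries quoted in the post, placeholders kept.
SAMPLE = """\
Logon Failure: Reason: An error occurred during logon
User Name: username
Domain: domain
Logon Type: 11
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: computer name
Status code: 0xC000005E
Substatus code: 0x0

Logon Failure:Reason: Account locked out
User Name: username
Domain: domain
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: computer name
"""

def parse_events(text):
    # One dict per "Logon Failure" header; the "Field: value" lines after it fill it.
    events = []
    for line in text.splitlines():
        if line.startswith("Logon Failure:"):
            events.append({"reason": line.split("Reason:", 1)[1].strip()})
        elif ":" in line and events:
            key, value = line.split(":", 1)
            events[-1][key.strip().lower()] = value.strip()
    return events

def decode(event):
    # Replace the numeric logon type and status code with their symbolic names.
    ltype = int(event["logon type"])
    status = int(event.get("status code", "0x0"), 16)
    return {"reason": event["reason"],
            "logon_type": LOGON_TYPES.get(ltype, str(ltype)),
            "status": NTSTATUS.get(status, hex(status)),
            "bad_password": status in BAD_PASSWORD}

def local_bad_passwords(text):
    # Failures in this log that could count toward the lockout threshold.
    return sum(decode(e)["bad_password"] for e in parse_events(text))
```

On the two quoted entries it finds no bad-password failure: the type 11 entry decodes to STATUS_NO_LOGON_SERVERS (no logon server was available to service the request), so this log contains no failure that would count toward the lockout threshold of 5.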
 
Steven L Umbach

Open Local Security Policy on his computer and then go to local policies/security options and make sure
that it shows zero as the number of previous logons to cache to see if that helps. --- Steve

Gijtech

I'm not sure why the system would cache inaccurate logon credentials, but have tweaked the setting in the local security policy. We'll see what happens.

Gijtech

Well, that didn't work. Still getting the same one-fail lockout with the cached logon disabled.

Gijtech

I am still encountering this issue. If anyone has a fix I would appreciate it.

Steven L Umbach

I am pretty much at a loss to explain it but does the application log on that computer show any problems with Group Policy being applied which usually shows as userenv warning/error event IDs? Try logging onto that computer as a local administrator and run the support tool netdiag to see if any problems are found with dns, domain membership, dc discovery, trust/secure channel etc and verify that it is pointing to only domain controllers as preferred dns servers as shown by the ipconfig /all command. --- Steve



Gijtech

Steve,

Have only one DNS server, which is a domain controller, and the client is set to use said as primary. There is one set of Group Policy related errors involving Folder Redirection. Error is as follows:

Date: [date stamp] Source: Folder Redirection
Time: [time stamp] Category: None
Type: Error Event ID: 101
user: domain\username
computer: computer name
description:
Failed to perform redirection of folder My Documents. The new directories for the redirected folder could not be created. The folder is configured to be redirected to <\\Servername\files>, the final expanded path was <\\servername\files>. The following error occurred:
This security ID may not be assigned as the owner of this object.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

This one is followed up by an Event ID: 1085 stating that folder redirection failed to execute.

We have this on all of the corporate PCs, as the domain admin has chosen to redirect all users to this location as a default, then allowing them to choose the exact location to which they wish to save on the file server. It does actually make the systems use \\servername\files as their My Documents folder even though we see error messages as a result of the users not having full control or ownership of the file.



Steven L Umbach

Well that does not appear related. Did you have a chance to run netdiag on that computer and did that test pass with flying colors? Beyond that I am stumped also. --- Steve