17 March 2012 0:09
Mainly Windows 7 and some 2008 R2 machines with a 2003 Domain controller.
I get frequent account lockouts. Two weeks ago I decided to rebuild my PC image to remove the possibility of some artifact on my PC contributing to this. I did the normal things before this of ensuring no mapped drives with passwords and looking at the secure store.
My account lockouts though lower are still happening.
I don't have access to the domain controller due to IT policies. IT are reluctant to spend any time on the issue for one person.
I was the one that created the images that got cloned onto our development laptops and desktops (using Ghost). I believed at the time the images did not have traces of me...
I have a list of machines which are using my credentials from a DC event dump done 2 days after I re-imaged my desktop.
>> Is there something I can install/enable on the client side to determine why my own machine or other laptops (in particular) are using my account?
IP              Event ID and result code(s)
myself          673 0x12; 675 0x12, 0x18, 0x19; 680 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
xx.yyy.16.183   675 0x12, 0x18
xx.yyy.16.206   675 0x18, 0x19
xx.yyy.16.39    675 0x19; 672 0x17
xx.yyy.16.12    675 0x19
xx.yyy.17.166   675 0x12
xx.yyy.16.234   675 0x12, 0x18, 0x19
xx.yyy.17.19    675 0x18, 0x19
xx.yyy.17.19    675 0x18, 0x19
xx.yyy.17.70    675 0x18, 0x19
xx.yyy.18.170   672 0x17
19 March 2012 2:52
It sounds like after the Ghost image is applied it is using your account details to try and either logon to the laptop/pc or join the domain with them automatically. Either way, this will lock your account if you have changed your password since the image was built.
When you created the image, was it domain connected at the time? Best practice is to create images with the local Administrator account prior to joining to the domain. This avoids any unnecessary login attempts that will lock out your account.
Important: Don't forget to update the SID of the new PCs, as the image will continue to use the original SID and can cause issues when trying to join a domain.
Hope this helps
19 March 2012 11:22
I appreciate the answer and it makes sense, but what about the issue of client-side logging?
19 March 2012 19:21
Have you looked at Account Lockout and Management Tools?
Also, you can enable advanced security logging on the Win7 boxes by GPO.
- Marked as answer by Greg B Roberts 20 March 2012 0:58
20 March 2012 1:03
In my case I am not interested in policies, rather in what is happening. The management tools by and large need DC access; however, I found the "Lockoutstatus.exe" tool does work client side and shows the time of the current lockout, but does not identify why this happened.
I have marked this as answered as I think I won't be able to get much further on the client side.
20 March 2012 8:33
Part of ALMT is "Alockout.dll" which can tell you which program is sending the bad creds locally.
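A scripted client-side equivalent of the two suggestions above (turn on local security auditing, then find which local program is presenting the stale credentials, which is what Alockout.dll reports), added here as an example and not taken from the thread or from ALMT. It assumes an elevated prompt on the affected Windows 7 / 2008 R2 box; `LOCKED_USER` is a placeholder for the locked-out account.

```powershell
# Added example, not code from the thread or from ALMT. Run in an elevated
# PowerShell prompt on the client you suspect. $Account is a placeholder.
$Account = 'LOCKED_USER'

# Enable the local audit subcategories that produce the useful events
# (the GPO route in the thread does the same domain-wide; auditpol does it per box).
auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable | Out-Null

# 4648 = logon attempted with explicit credentials (names the calling process),
# 4625 = logon failed (Status/SubStatus say why), 4776 = NTLM credential validation.
$filter = @{ LogName = 'Security'; Id = 4648, 4625, 4776; StartTime = (Get-Date).AddDays(-1) }

$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Pull the named EventData fields out of the event XML into a hashtable
    $xml = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $_.TimeCreated
        EventId   = $_.Id
        Account   = if ($d['TargetUserName']) { $d['TargetUserName'] } else { $d['SubjectUserName'] }
        Process   = if ($d['ProcessName']) { $d['ProcessName'] } else { $d['Workstation'] }
        Target    = $d['TargetServerName']
        IpAddress = $d['IpAddress']
        Status    = $d['Status']
        SubStatus = $d['SubStatus']
    }
}

# Only the locked-out account, oldest first: the Process column is the local
# program presenting the credentials; a bad-password failure shows up as
# Status 0xC000006D with SubStatus 0xC000006A on 4625, 0xC000006A on 4776.
$events | Where-Object { $_.Account -eq $Account } | Sort-Object Time |
    Format-Table Time, EventId, Process, Target, IpAddress, Status, SubStatus -AutoSize
```

Run it on each machine listed in the DC dump in turn; a service, scheduled task or mapped drive left in the Ghost image will show up as a repeating 4648/4625 pair from the same process name.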