Administrator accounts lockout
-
Wednesday, February 20, 2013 1:24 PM
Have this Windows 7 Enterprise 64 bit client that locked both admin accounts. Not sure what user did and event logs don't provide much help.
Information 2/14/2013 4:08:23 AM Microsoft-Windows-Security-Auditing 4740 User Account Management "A user account was locked out.
Subject:
Security ID: S-1-5-18
Account Name: USS-GUBL06N$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: S-1-5-21-1775545812-815017386-2178218503-1003
Account Name: buadmin
Additional Information:
Caller Computer Name: USS-GUBL06N"
Information 2/14/2013 4:05:38 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: USS-GUBL06N$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x20c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 2/14/2013 4:05:38 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 2/14/2013 4:05:37 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: USS-GUBL06N$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x20c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 2/14/2013 4:05:37 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 2/14/2013 4:05:35 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: S-1-0-0
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
New Logon:
Security ID: S-1-5-7
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x384e5
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 2/14/2013 4:05:05 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: USS-GUBL06N$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x20c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
Information 2/14/2013 4:05:05 AM Microsoft-Windows-Security-Auditing 4672 Special Logon "Special privileges assigned to new logon.
Subject:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Privileges: SeAssignPrimaryTokenPrivilege
SeTcbPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeImpersonatePrivilege"
Information 2/14/2013 4:05:00 AM Microsoft-Windows-Security-Auditing 4624 Logon "An account was successfully logged on.
Subject:
Security ID: S-1-5-18
Account Name: USS-GUBL06N$
Account Domain: WORKGROUP
Logon ID: 0x3e7
Logon Type: 5
New Logon:
Security ID: S-1-5-18
Account Name: SYSTEM
Account Domain: NT AUTHORITY
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x20c
Process Name: C:\Windows\System32\services.exe
Network Information:
Workstation Name:
Source Network Address: -
Source Port: -
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon session is created. It is generated on the computer that was accessed.
The subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The logon type field indicates the kind of logon that occurred. The most common types are 2 (interactive) and 3 (network).
The New Logon fields indicate the account for whom the new logon was created, i.e. the account that was logged on.
The network fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Logon GUID is a unique identifier that can be used to correlate this event with a KDC event.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested."
All Replies
-
Thursday, February 21, 2013 12:24 AM
I would have a look here:
I encountered a similar issue before only mine was happening after re-joining the machine to the domain. One of my Admin accounts kept getting locked.
PLEASE MARK ANY ANSWERS TO HELP OTHERS Blog: rorymon.com Twitter: @Rorymon
-
Thursday, February 21, 2013 12:29 AM
Often this happens if a service is started in the context of the logged-off user account and, after a password change for that account, changing the password entry in the service management interface or in the application that initiated the entry got forgotten.
So on the Windows 7 machine run services.msc, and check the logon credentials for services.
Malware trying to gain access could be another reason.
Best greetings
Olaf
- Edited by Olaf Engelke (MVP) Thursday, February 21, 2013 12:31 AM
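One way to test the stale-service-password explanation from the reply above, as an added example that is not part of the original thread. It assumes failure auditing for logons is enabled (so event 4625 is recorded), uses the account name `buadmin` from the posted 4740 event, and the helper `Get-EventField` and the 30-minute window are choices made for this example:

```powershell
# Added example: run in an elevated Windows PowerShell prompt on the affected client.
# Assumption: logon failure auditing is enabled, so event 4625 exists in the Security log.
$account = 'buadmin'   # locked-out account, taken from the 4740 event in the question

# Hypothetical helper: read one named field from an event's XML payload.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Most recent lockout (4740) recorded for the account.
$lockout = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $account } |
    Select-Object -First 1

if ($lockout) {
    # 2. Failed logons (4625) for that account in the 30 minutes before the lockout.
    #    Logon type 5 = service, 4 = batch, 2 = interactive, 3 = network.
    $window = @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = $lockout.TimeCreated.AddMinutes(-30)
        EndTime   = $lockout.TimeCreated
    }
    Get-WinEvent -FilterHashtable $window -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $account } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                LogonType = (Get-EventField $_ 'LogonType')
                Process   = (Get-EventField $_ 'ProcessName')
                Source    = (Get-EventField $_ 'IpAddress')
            }
        } | Sort-Object Time | Format-Table Time, LogonType, Process, Source -AutoSize
} else {
    Write-Warning "No 4740 lockout event found for $account"
}

# 3. Services that log on with a named account instead of a built-in identity.
#    Any of these holding an old password will fail at start and count toward the threshold.
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)' } |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize
```

A run of logon type 5 failures from `services.exe` shortly before the 4740 timestamp supports the service explanation; the third step lists the same accounts that `services.msc` shows in its "Log On As" column.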
-
Monday, February 25, 2013 1:00 PM
Unfortunately we are mandated to set the Account lockout threshold to 3. We were hoping the issue we're seeing now wasn't related to the lockout threshold. As it stands now we've had to hide the 'Add or remove user account' feature in the control panel because of the threshold. Adding a user through the control panel locks out the administrator accounts.
-
Monday, February 25, 2013 2:20 PM
Hi,
Do you use the same user names for the local and for the domain administrator account in this case, but with different passwords? (i.e. logged in locally with the account workstation\administrator, which is not a good idea to do, and having a domain account administrator with a different password)
If you start to create a domain user account from the local machine, it attempts to log on with the current credentials, but will fail to do so due to the different password (as will each access to a domain resource). This would lead to the logout in context with the threshold.
On domain member computers you should use local accounts only for troubleshooting. For domain administration tasks like user account management I personally prefer a remote desktop session to a domain controller, since this circumvents the need to log on locally as domain administrator on a client, which is potentially malware infected.
Best greetings from Germany
Olaf
- Edited by Olaf Engelke (MVP) Monday, February 25, 2013 2:21 PM
- Marked As Answer by Alex Zhaozx (Microsoft Contingent Staff, Moderator) Thursday, February 28, 2013 7:12 AM
-
Monday, March 04, 2013 6:31 PM
Our customers either use our WIM in a stand alone environment or on the domain. It all depends on the situation they intend to use the machine. I believe this user was testing our WIM and software applications in a stand alone capacity. It looks like he installed our Windows 7 WIM and then installed some commercial off the shelf applications. After the applications installed the machine rebooted and the accounts were locked out.

