none
The referenced account is currently locked out and may not be logged on to.

    Question

  • Hi there...One of the admin account is getting this message "The referenced account is currently locked out and may not be logged on to" every day frequently when logging in to Windows 7 / Server 2008. I also checked the account lockout...I didnt make any changes for a long time. This admin account was fine, without getting this message last week...but towards the end of the month, I reset the password for this account. It started to happen after that. Again today after that happened, I checked the account lockout policy in AD, its set the same as it was before...is there anyway we can stop that happening frequently everyday....pls let me know.

    VT

    Thursday, May 03, 2012 2:33 PM

Answers

  • The problem you are using is with the account you are using to logon with, the SID is "Nobody"

    See here:http://support.microsoft.com/kb/243330

    Suggest you create a new user account and try again.

    • Marked as answer by mywindows Tuesday, May 15, 2012 7:41 PM
    Thursday, May 10, 2012 4:03 AM
  • Hi,

    I also notice that the log mentioned the SID is null. Please try the Richard's suggestion to create a new account.


    Juke Chou

    TechNet Community Support

    • Marked as answer by mywindows Tuesday, May 15, 2012 7:41 PM
    Thursday, May 10, 2012 6:08 AM
    Moderator
  • It could be that your server was created from an image that didn't generate new SID's, you can check your machines sid with http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

    Also, you check your local security policy property "Network Access: Sharing and security model for local accounts" found under "Security Options"  - should be at the default setting of "Classic - local users authenticate as themselves"

    • Marked as answer by mywindows Tuesday, May 15, 2012 7:41 PM
    Thursday, May 10, 2012 6:48 AM

All replies

  • 1. Are there any traces in Event logs?

    2. Try to disable and enable this domain account in domain controller.

    Regards

    Milos

    Friday, May 04, 2012 8:09 AM
  • Hi,

    The issue can occur if you have mistyped the password several times and the system will block the account for logging on.

    In this case, I suggest checking the following settings:

    1. Open Control Panel -> Administrative Tools -> Local Security Policy.

    2. Click Security Settings -> Account Policies -> Account Lockout Policy.

    3. Double-click Account lockout threshold, and type 0 to make “the account will not lock out”.

    4. Click OK.

    Juke Chou
    TechNet Subscriber Support
    If you are TechNet Subscription user and have any feedback on our support quality, please send your feedbackhere.


    Juke Chou

    TechNet Community Support

    Friday, May 04, 2012 9:43 AM
    Moderator
  • Perhaps if W 7/W2K8 are part of domain, then there is alternative group policy setting(s). What is set locally in group policy may be disregarded in subsequent GPO settings according to LSDOU rule.

    Your problem is not common to the default setting. It is helpful for troubleshooting to know the domain configuration/GPO (resulting set of GPO).

    Regards

    Milos

    Friday, May 04, 2012 1:56 PM
  • Here is the event log entries, which is happening in the frequency of 9:03AM - 8:45AM - 8:38AM - 8:34AM - 8:03AM - 7:37AM (last 3 days since I changed the password)

    I am sure, its only for one admin ID and there was no changes made in Group Policy in AD (Yes, W7 & Win2K8 are part of the domain) and once I login, I checked the account in the AD, its not locked or disabled. Pls let me know any solutions.

    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/4/2012 8:48:36 AM
    Event ID:      4625
    Task Category: Account Lockout
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      server.domain.com
    Description:
    An account failed to log on.

    Subject:
     Security ID:  NULL SID
     Account Name:  -
     Account Domain:  -
     Logon ID:  0x0

    Logon Type:   3

    Account For Which Logon Failed:
     Security ID:  NULL SID
     Account Name:  admin1
     Account Domain:  domain

    Failure Information:
     Failure Reason:  Account locked out.
     Status:   0xc0000234
     Sub Status:  0x0

    Process Information:
     Caller Process ID: 0x0
     Caller Process Name: -

    Network Information:
     Workstation Name: server
     Source Network Address: -
     Source Port:  -

    Detailed Authentication Information:
     Logon Process:  NtLmSsp
     Authentication Package: NTLM
     Transited Services: -
     Package Name (NTLM only): -
     Key Length:  0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
     - Transited services indicate which intermediate services have participated in this logon request.
     - Package name indicates which sub-protocol was used among the NTLM protocols.
     - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12546</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-05-04T14:48:36.387224800Z" />
        <EventRecordID>5256027</EventRecordID>
        <Correlation />
        <Execution ProcessID="568" ThreadID="23972" />
        <Channel>Security</Channel>
        <Computer>server.domain.com</Computer>
        <Security />
      </System>
      <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">admin1</Data>
        <Data Name="TargetDomainName">domain</Data>
        <Data Name="Status">0xc0000234</Data>
        <Data Name="FailureReason">%%2307</Data>
        <Data Name="SubStatus">0x0</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">Server</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">-</Data>
        <Data Name="IpPort">-</Data>
      </EventData>
    </Event>


    VT

    Friday, May 04, 2012 3:20 PM
  • Hi Juke / Milos any solutions pls let me know


    VT

    Monday, May 07, 2012 12:55 PM
  • Hi,

    I found a troubleshooting guide, please refer to the acrticle to troubleshoot your issue.

    http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx


    Juke Chou

    TechNet Community Support

    Tuesday, May 08, 2012 10:06 AM
    Moderator
  • A couple of other things to check:

    1. Check the status of this account on each of the DC's - it appears it IS locked out, but you are not seeing it on the one you check

    2. Check the account is not being used to run any services, there are no mapped drives using an old password, and no other scripts or scheduled tasks running with these credentials

    Tuesday, May 08, 2012 12:30 PM
  • Hi Juke & Richard...thanks for the input....I checked and found that there was a service using that admin account, hence I changed that. Even after that, I found the same thing happening in the same time frequency. I also tried to reset to the old password which didnt have any issue last month...but today, I checked its still the same. Another thing I tried is, used the eventcombMT tool and found this log...any clue please let me know...or any other recommendation, let me know...

    4625,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Wed May 09 16:28:00 2012,No User,An account failed to log on.    Subject:   Security ID:  S-1-0-0   Account Name:  -   Account Domain:  -   Logon ID:  0x0    Logon Type:   3    Account For Which Logon Failed:   Security ID:  S-1-0-0   Account Name:  admin   Account Domain:  domain    Failure Information:   Failure Reason:  %%2307   Status:   0xc0000234   Sub Status:  0x0    Process Information:   Caller Process ID: 0x0   Caller Process Name: -    Network Information:   Workstation Name: client1   Source Network Address: 192.x.x.19   Source Port:  1380    Detailed Authentication Information:   Logon Process:  NtLmSsp    Authentication Package: NTLM   Transited Services: -   Package Name (NTLM only): -   Key Length:  0    This event is generated when a logon request fails. It is generated on the computer where access was attempted.    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).    The Process Information fields indicate which account and process on the system requested the logon.    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.    The authentication information fields provide detailed information about this specific logon request.   - Transited services indicate which intermediate services have participated in this logon request.   - Package name indicates which sub-protocol was used among the NTLM protocols.   - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. 


    VT

    Thursday, May 10, 2012 12:10 AM
  • The problem you are using is with the account you are using to logon with, the SID is "Nobody"

    See here:http://support.microsoft.com/kb/243330

    Suggest you create a new user account and try again.

    • Marked as answer by mywindows Tuesday, May 15, 2012 7:41 PM
    Thursday, May 10, 2012 4:03 AM
  • Hi,

    I also notice that the log mentioned the SID is null. Please try the Richard's suggestion to create a new account.


    Juke Chou

    TechNet Community Support

    • Marked as answer by mywindows Tuesday, May 15, 2012 7:41 PM
    Thursday, May 10, 2012 6:08 AM
    Moderator
  • Thanks Richard and Juke...will try that...any clues what would have caused to change that? as it was fine till last month end. Pls let me know....is there a way I can find what changed it?

    VT


    • Edited by mywindows Thursday, May 10, 2012 6:18 AM
    Thursday, May 10, 2012 6:17 AM
  • It could be that your server was created from an image that didn't generate new SID's, you can check your machines sid with http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx

    Also, you check your local security policy property "Network Access: Sharing and security model for local accounts" found under "Security Options"  - should be at the default setting of "Classic - local users authenticate as themselves"

    • Marked as answer by mywindows Tuesday, May 15, 2012 7:41 PM
    Thursday, May 10, 2012 6:48 AM
  • Hi,

    Any update?


    Juke Chou

    TechNet Community Support

    Monday, May 14, 2012 9:52 AM
    Moderator
  • Hi Juke...created another user and it works fine...thanks for Richard and your help

    VT

    Tuesday, May 15, 2012 7:41 PM
  • Hi,

    Welcome :)

    Glad to hear it works.


    Juke Chou

    TechNet Community Support

    Wednesday, May 16, 2012 6:42 AM
    Moderator
  • Sorry, I know this is an old topic, but what worked for me was disabling and re-enabling the domain account.
    Thursday, March 21, 2013 7:40 PM
  • Sorry, I know this is an old topic, but what worked for me was disabling and re-enabling the domain account.

    Worked for me as well - thanks very much.

    itswt

    Tuesday, September 10, 2013 1:16 PM
  • Ok, I reviewed that keyboard language changes and for that I was mistyped the password several times until have this error message, but now as it is blocked I can loggin.

    How many time I need wait to try again?

    Because I only have a unique admin account and I can not open Windows in any other way. Or how I can force to open windows?

    Thursday, July 10, 2014 1:47 PM
  • Ok, I reviewed that keyboard language changes and for that I was mistyped the password several times until have this error message, but now as it is blocked I can loggin.

    How many time I need wait to try again?

    Because I only have a unique admin account and I can not open Windows in any other way. Or how I can force to open windows?

    Again!!! How much time is it necessary to wait before trying again, or are they completely locked out???

    Thursday, July 17, 2014 9:12 PM
  • Hi David - if it is a local account is not going to unlock itself - only domain accounts do this. If its a domain account, follow the guidance above and let us know what steps you followed (new account, change to security policies etc)

    You can rebuild the OS, or, if you really have to get access to obtain data, you may find resources on the internet to enable a hack around the password, but I wouldn't trust it after doing that and would recommend you rebuild anyway.

    Thursday, July 17, 2014 9:31 PM