none
User's account keeps getting locked out, but why?

    Question

  • I have a user that has been having his account locked out for the past few weeks now.  Luckily he's not a heavy user since he's in maintenance and never really on his system.  But I would still like to get it figured out because it is becoming an annoyance.  His account will get locked out when he's not even logged in anywhere or in the building.  

    I've checked everything I can think of and ran virus scans, etc. on his system and everything is clean.  I read that a hung remote session is common, but he does not do that.  Like I said, he barely uses his desktop as it is, let along remoting into another system for some reason.  

    I enabled auditing and found when the account was getting locked and when it was denied, but they do not help me to find the source.  I'm hoping someone here can help me read these files and point me in the right direction.  Thanks in advance!

     

    Event Type: Failure Audit

    Event Source: Security

    Event Category: Logon/Logoff 

    Event ID: 529

    Date: 3/23/2011

    Time: 5:56:55 PM

    User: NT AUTHORITY\SYSTEM

    Computer: XXXDC01

    Description:

    Logon Failure:

      Reason: Unknown user name or bad password

      User Name: XXX

      Domain: XXX

      Logon Type: 3

      Logon Process: CHAP

      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

      Workstation Name:

      Caller User Name: XXXDC01$

      Caller Domain: XXX

      Caller Logon ID: (0x0,0x3E7)

      Caller Process ID: 832

      Transited Services: -

      Source Network Address: -

      Source Port: -

     

    Event Type: Failure Audit

    Event Source: Security

    Event Category: Account Logon 

    Event ID: 680

    Date: 3/23/2011

    Time: 5:57:55 PM

    User: NT AUTHORITY\SYSTEM

    Computer: XXXDC01

    Description:

    Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

     Logon account: XXX

     Source Workstation:

     Error Code: 0xC0000234

     

    Event Type: Failure Audit

    Event Source: Security

    Event Category: Logon/Logoff 

    Event ID: 539

    Date: 3/23/2011

    Time: 5:57:55 PM

    User: NT AUTHORITY\SYSTEM

    Computer: XXXDC01

    Description:

    Logon Failure:

      Reason: Account locked out

      User Name: XXX

      Domain: XXX

      Logon Type: 3

      Logon Process: CHAP

      Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

      Workstation Name:

      Caller User Name: XXXDC01$

      Caller Domain: XXX

      Caller Logon ID: (0x0,0x3E7)

      Caller Process ID: 832

      Transited Services: -

      Source Network Address: -

      Source Port: -

     

    Friday, March 25, 2011 10:39 PM

Answers

All replies