Broken Domain

    Question

  • Hello,

    I currently have a domain that will give the error message "the user name or password is incorrect" to all domain users on all machines except for the domain controller. Local accounts work on all these machines but domain ones do not. If anyone has any advice or questions please let me know.

    Thanks In Advance

    What I have tried:

    Resetting the password: I changed the password, which did nothing. I then changed the password and set it to be changed at next logon. I was prompted to give it a new password when I signed in to a server. I gave it a new password and when I hit enter I got the same "user name or password is incorrect".

    Error Messages:

    Error message from logon:

    An account failed to log on.

    Subject:
        Security ID:      SYSTEM
        Account Name:     CAR$
        Account Domain:   Test
        Logon ID:         0x3e7

    Logon Type: 10

    Account For Which Logon Failed:
        Security ID:      NULL SID
        Account Name:     Testuser
        Account Domain:   Test

    Failure Information:
        Failure Reason:   The specified account's password has expired.
        Status:           0xc0000224
        Sub Status:       0x0

    Process Information:
        Caller Process ID:    0x1984
        Caller Process Name:  C:\Windows\System32\winlogon.exe

    Network Information:
        Workstation Name:         CAR
        Source Network Address:   172.16.2.40
        Source Port:              61600

    Detailed Authentication Information:
        Logon Process:             User32
        Authentication Package:    Negotiate
        Transited Services:        -
        Package Name (NTLM only):  -
        Key Length:                0


    • Edited by wave2453 Wednesday, March 22, 2017 5:09 PM
    Wednesday, March 22, 2017 3:48 PM

Answers

  • Also you should check the DC health: run "dcdiag", then analyse the results. And as far as I can remember, a similar situation was caused by a network virus; this locked all user accounts. (Also you should check these odds.)

    This posting is provided AS IS with no warranties or guarantees, and confers no rights. Best regards Burak Uğur

    Wednesday, March 22, 2017 8:28 PM
  • You need to drill down to see what the problem is:

    • First, if you see any strange errors in Event Viewer you need to fix that problem. Since we have no idea what is going on in your environment, I think you can have a look at Event Viewer, see what is in there and try to solve the strange issues.
    • Second, what is the status of replication? Are the domain controllers in sync, and when you run repadmin, do you see any errors?
    • Can you fire up a test additional domain controller so we can find out if a DC is corrupted or not?
    • Have you ever tried to log on with a newly created user account on a freshly installed OS?


    Mahdi Tehrani | | www.mahditehrani.ir

    Thursday, March 23, 2017 3:10 AM
    Moderator

All replies

  • Hi

    First you should investigate the lockout source.

    Also, these are possibilities for the lockout issue:
    - Mapped network drives
    - Logon scripts that map network drives
    - RunAs shortcuts
    - Accounts that are used for service account logons
    - Processes on the client computers
    - Programs that may pass user credentials to a centralized network program or middle-tier application layer
    - ActiveSync devices (cell phone, etc.)

    You can check the source with the Account Lock tool (for Server 2003): https://www.microsoft.com/en-us/download/details.aspx?id=15201
    There is a new tool to troubleshoot this in Windows Server 2008 R2, called dsac.exe, which is the "Active Directory Administration Centre". Check the article: https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    You can also check with these 3rd-party tools: Lepide, Netwrix...

    And just re-join a computer to the domain, then check the situation.


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Wednesday, March 22, 2017 7:59 PM
  • That is a good thought. However, it is all accounts that can't access any machine. I have even created new accounts trying to pin down the problem. Since no account, not even new ones, can sign on to any machine besides the DC, it leads me to believe it is not the accounts that are "locked".

    I looked at the domain controller logs and it isn't even getting the request for a sign-in. This makes me think that there is something wrong with the machine accounts in AD. The machines can ping the DC and communicate openly with it; they just aren't sending it authentication requests. Or if they are, the DC isn't getting them. It may be the SIDs have been corrupted. I have reset the AD accounts of the computers and will reboot a server tonight to see if that resolves the issue. If anyone else has any ideas I am open to all suggestions.

    Wednesday, March 22, 2017 8:13 PM
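
    The checks raised in this thread (failed-logon events, the machine accounts' trust with the domain, dcdiag and repadmin) gathered into one PowerShell pass. This is an added example, not part of any post in the thread; the status-code table holds the standard NTSTATUS meanings, and the one-day time window is an assumption.

```powershell
# Added example. Run steps 1-2 elevated on an affected member machine, step 3 on the DC.
# NTSTATUS meanings for the Status / Sub Status fields of event 4625.
$statusText = @{
    '0xc000005e' = 'No logon servers available'
    '0xc0000064' = 'User name does not exist'
    '0xc000006a' = 'Wrong password'
    '0xc000006d' = 'Bad user name or authentication information'
    '0xc0000071' = 'Password expired'
    '0xc0000072' = 'Account disabled'
    '0xc0000133' = 'Clock skew between client and DC too large'
    '0xc000018c' = 'Trust relationship with the domain failed'
    '0xc0000224' = 'User must change password at next logon'
    '0xc0000234' = 'Account locked out'
}

# 1. Summarise the last day of failed logons by status, sub-status and logon type.
$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1) }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        foreach ($item in ([xml]$_.ToXml()).Event.EventData.Data) {
            $d[$item.Name] = $item.'#text'
        }
        [pscustomobject]@{
            Status    = $d.Status
            SubStatus = $d.SubStatus
            LogonType = $d.LogonType
            Meaning   = $statusText[[string]$d.Status]
        }
    } |
    Group-Object Status, SubStatus, LogonType, Meaning |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# 2. Check this machine's secure channel (machine account trust), DC discovery and clock.
$domain = (Get-CimInstance Win32_ComputerSystem).Domain
Test-ComputerSecureChannel -Verbose   # False when the machine account trust is broken
nltest /sc_verify:$domain             # Netlogon's view of the same secure channel
nltest /dsgetdc:$domain               # which DC this machine locates
w32tm /query /status                  # time source and offset; Kerberos needs clocks in sync

# 3. On the domain controller: health and replication, as suggested in the answers.
dcdiag /q                             # prints only failing tests
repadmin /replsummary                 # replication failures per DC
```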