Domain Accounts are locked out by a machine with blank name

Question

    Due to a recent outbreak of the virus “Conficker”, we registered constant domain account lockouts. Investigating the event log (Event:664, Source:Security), we found multiple events where the attribute “Caller Machine name” is blank. Normally every event is associated with a specific computer/server, but not in these specific messages. Example:

    Severity:  Information
    Source:  Security
    Name:  Ev644 – Account Lock out DC
    Description:  User Account Locked Out:
            Target Account Name:    <User>
            Target Account ID:      %{S-1-5-21-xxxxxxxxxxx-xxxxxxxxx-xxxxxxxxxx-xxxx}
            Caller Machine Name:
            Caller User Name:       <Machine>$
            Caller Domain:  <DOMAIN>
            Caller Logon ID:        (0x0,0x3E7)
    Domain:  <DOMAIN>
    Agent:  <AGENT>
    Time:  1/22/2009 15:34:42

    If anyone has had similar experiences, I would be happy to get some root-cause analysis or any recommendation on how to resolve this issue.

    Thank you very much for your help.


    Jorge Arroyave
    Friday, January 23, 2009 10:49 PM

Answers

  • Hi,

    The blank name may occur if the event was from the local computer or some system services. It’s not critical for troubleshooting.

    You can log on to several DCs to check more events to narrow down the cause of this issue. You can also check the user’s name to narrow down the computer.

    You can use the following tools to troubleshoot this issue.

    Account Lockout and Management Tools
    http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

    How to use the EventCombMT utility to search event logs for account lockouts
    http://support.microsoft.com/kb/824209

    Thanks.


    This posting is provided "AS IS" with no warranties, and confers no rights.
    • Marked as answer by Mervyn Zhang Friday, January 30, 2009 1:11 AM
    Monday, January 26, 2009 9:06 AM
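
The cross-DC check suggested in the answer, as an added example that is not part of the original thread: a Python script that tallies lockout events per target account and source, falling back to the machine account in Caller User Name when Caller Machine Name is blank. It assumes the events were exported as text in the layout shown in the question (trimmed here to the fields used), separated by blank lines; the account and machine names are constructed.

```python
import re
from collections import Counter

# Constructed sample: three lockout events in the layout shown in the question.
SAMPLE = """\
Description:  User Account Locked Out:
        Target Account Name:    alice
        Caller Machine Name:
        Caller User Name:       DC01$

Description:  User Account Locked Out:
        Target Account Name:    alice
        Caller Machine Name:    WKS042
        Caller User Name:       DC02$

Description:  User Account Locked Out:
        Target Account Name:    bob
        Caller Machine Name:
        Caller User Name:       DC01$
"""

FIELD = re.compile(
    r"^[ \t]*(Target Account Name|Caller Machine Name|Caller User Name):[ \t]*(.*?)[ \t]*$",
    re.M,
)

def parse_events(text):
    """Split on blank lines and return one dict of fields per lockout event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(FIELD.findall(block))
        if "Target Account Name" in fields:
            events.append(fields)
    return events

def summarize(events):
    """Count lockouts per (account, source). A blank machine name falls back to
    the machine account recorded as caller, marked 'via' (where to look next)."""
    counts = Counter()
    for ev in events:
        machine = ev.get("Caller Machine Name", "")
        source = machine or "via " + ev.get("Caller User Name", "?").rstrip("$")
        counts[(ev["Target Account Name"], source)] += 1
    return counts

if __name__ == "__main__":
    for (account, source), n in summarize(parse_events(SAMPLE)).most_common():
        print(f"{account:10} {source:12} {n}")
```

Feeding it the combined exports from every DC shows which accounts lock out most often and which machines to examine first.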