Unable to find the source of Account Lockout

  • Question

  • Hi,

    I have a user account which locks out almost every day in AD, and the Security logs from the Domain Controller indicate the caller computer name is the Exchange server. When I look into the Exchange server Security logs I can see there are multiple failed logins, but they give me no specific info about where this is originating from.

    Is there any way that I can find the culprit?

    Exchange Server Log:

    Event ID (4625)

    Event ID (4776)

    The computer attempted to validate the credentials for an account.
    Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account:    testuser
    Source Workstation: MyExchangeServer
    Error Code:    0xc0000064

    Many Thanks in advance,

    Asiri


    • Edited by Asiri_Kai Friday, September 20, 2019 2:42 AM
    Friday, September 20, 2019 2:42 AM

All replies

  • Hello,
    Thank you for posting in our Technet forum.

    From the Event ID 4776, we can see, if the 4740 event log is followed by the 4776 event log, the NTLM authentication protocol is used when the account is locked.




    From the article 4776(S, F): The computer attempted to validate the credentials for an account., we can see:
    0xC0000064 The username you typed does not exist. Bad username.


    So we can log on to MyExchangeServer with the testuser account and check the following points:

    1. Check credential management to see if there are old credentials for caching users.
    2. Check if incorrect credentials are used to mount the disk.
    3. Check whether the user's credentials are used to start the service, run the scheduled tasks, etc.
    4. Are there any other tri-equation caches with the user's error credentials?


    If the problem still exists, then we can also try to open Audit Logon Events - Failure audit on this computer, and check whether there is a 4625 event log when the account is locked, and if there is a record, see if we can get other client addresses.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, September 23, 2019 3:51 AM
    Moderator
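
An added example, not part of any reply in this thread: one way to do the 4625 check suggested above is to pull the failed-logon events from the Exchange server's Security log and count them per caller process and source address. The account name `testuser` comes from the thread; the 24-hour window and the variable names are assumptions.

```powershell
# Added example: summarize failed logons (Event ID 4625) for one account.
# Run in an elevated PowerShell session on the Exchange server.
$Account = 'testuser'                  # account from the thread
$Since   = (Get-Date).AddHours(-24)    # assumed look-back window

$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $Since
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Turn the named <Data> elements of the event XML into a lookup table.
    $xml = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.InnerText }

    # Keep only failures for the account being locked out.
    if ($d['TargetUserName'] -ne $Account) { continue }

    [pscustomobject]@{
        Time        = $e.TimeCreated
        Process     = $d['ProcessName']      # "Caller Process Name" in the event text
        SourceIP    = $d['IpAddress']        # "Source Network Address"
        Workstation = $d['WorkstationName']
        LogonType   = $d['LogonType']
        SubStatus   = $d['SubStatus']
    }
}

# Which process / address / failure code combination accounts for most failures?
$rows | Group-Object Process, SourceIP, SubStatus |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

# Most recent individual failures, for correlating with the lockout time.
$rows | Sort-Object Time -Descending | Select-Object -First 20 | Format-Table -AutoSize
```

Sub Status `0xc000006a` marks a wrong password and `0xc0000064` an unknown user name. A `SourceIP` of `-` means the event did not record a network address for that attempt.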
  • Hi Daisy,

    Thanks for the input.

    This account (testuser) is being used to send bulk emails to clients, and what I'm suspecting is that a scheduled task is causing this. Unfortunately it's hard to find the source of this task. On our Exchange server the audit logs are already enabled and there is a Failure Audit (4625) for the same account.




    • Edited by Asiri_Kai Tuesday, September 24, 2019 4:03 PM
    Tuesday, September 24, 2019 3:49 PM
  • Hi,
    After I checked the above screenshot carefully, I find the Microsoft.Exchange.Imap4.exe process locked out our account.




    1. What does this process do?
    2. Can we stop this process to check if it helps?




    Best Regards,
    Daisy Zhou


    Wednesday, September 25, 2019 10:00 AM
    Moderator
  • Hi,
    Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?



    Best Regards,
    Daisy Zhou


    Friday, September 27, 2019 1:21 AM
    Moderator
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.

    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou


    Monday, September 30, 2019 10:00 AM
    Moderator
  • Hi,

    Not resolved yet.

    IMAP4, as per my knowledge, is used to provide email services to applications that don't support Exchange. I'm not comfortable stopping it. It's not only IMAP4; later I found EdgeTransport.exe also with 4625.

    Failure Information:
        Failure Reason:        Unknown user name or bad password.
        Status:            0xc000006d
        Sub Status:        0xc000006a

    Process Information:
        Caller Process ID:    0x456c
        Caller Process Name:    C:\Program Files\Microsoft\Exchange Server\V14\Bin\EdgeTransport.exe

    Tuesday, October 1, 2019 8:46 AM
  • Hi,
    We can try to stop them one by one if we can, then check whether one of them locks the user account.

    Then we can start the process after we troubleshoot.


    Best Regards,
    Daisy Zhou


    Wednesday, October 2, 2019 6:46 AM
    Moderator
  • Both processes are important for Exchange server functionality, so stopping them is not an ideal option for me.
    Friday, October 4, 2019 2:07 AM
  • Hi,
    Because the lockout source is the Exchange server, I suggest you submit a service request to MS Professional tech support service so that a dedicated support professional can further assist you with this request.

    The following web site, with more detail on Professional Support Options and incident submission methods, is for your reference:

    https://social.technet.microsoft.com/Forums/office/en-us/home?category=exchangeserver


    Thank you for your understanding and support.




    Best Regards,
    Daisy Zhou


    Friday, October 4, 2019 4:32 AM
    Moderator