account lockout

Question
-
Hi all,
Some of my service accounts, like backup, printer, etc., are automatically getting locked out, with the following event ID.
Please help.
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: ADCSRV$
Account Domain: DOM
Logon ID: 0x3e7
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: backup
Account Domain: DOM
Failure Information:
Failure Reason: Account locked out.
Status: 0xc0000234
Sub Status: 0x0
Process Information:
Caller Process ID: 0x39c
Caller Process Name: C:\Windows\System32\lsass.exe
Network Information:
Workstation Name: ADCSRV
Source Network Address: 172.16.10.100
Source Port: 45442
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Tuesday, April 29, 2014 6:34 AM
Answers
-
Hi Prasoon,
A similar concern, which has been resolved with good clarification, can be found at the link below. Please check whether you find it helpful: http://social.technet.microsoft.com/Forums/windowsserver/en-US/1514c166-850c-4e3e-a019-108f84650661/ad-account-lockouts?forum=winserverDS#2ae56e52-b87f-41cf-939c-b49dbcb609f9
Meanwhile, you can also give a try to this proficient application, which is capable of finding the root cause of account lockout issues in AD and resolving it promptly, ensuring a secure and risk-free AD environment.
- Marked as answer by Vivian_Wang Monday, May 12, 2014 3:14 AM
Wednesday, April 30, 2014 10:58 AM
All replies
-
Hi,
The free tools from Microsoft, the Account Lockout and Management tools, help you in troubleshooting locked-out accounts.
Regards,
The LOCKOUTSTATUS.EXE utility in this package helps you find the DC (Domain Controller) name where that account is locked out.
The EVENTCOMBMT.EXE utility has a built-in search for ACCOUNT LOCKED OUT events.
Check out the link below for account lockout troubleshooting using native tools (Account Lockout and Management tools, PowerShell, and Repadmin):
http://social.technet.microsoft.com/wiki/contents/articles/4585.account-locked-out-troubleshooting-eventcombmt.aspx
Also JiJi Account Lockout tool from JiJi Technologies has got nice features in analyzing the account lockout events.
Gopi
JiJi Technologies
- Edited by Gopi-JiJiTechnologies Tuesday, April 29, 2014 9:38 AM
- Proposed as answer by bshwjt Tuesday, April 29, 2014 10:42 AM
- Unproposed as answer by pbbergs [MSFT] Tuesday, April 29, 2014 12:10 PM
Tuesday, April 29, 2014 9:37 AM -
Hello,
You need to check the computer that holds the 172.16.10.100 IP address for suspicious criteria. Account lockout problems arise for many reasons, but mainly a wrong password. Please check the steps below in order to find what is behind the problem:
- Are there mapped drives with a wrong password on the PC?
- Are there any services in services.msc which start with the account?
- Are there old passwords stored in the Credential Manager of Windows?
- Is there a Conficker worm in your environment?
The notes mentioned were the most important ones which you should check. In order to find more information about lockout problems and why they happen, refer to the link below:
Regards.
Mahdi Tehrani |
| www.mahditehrani.ir
This posting is provided AS-IS with no warranties, and confers no rights.
- Proposed as answer by bshwjt Tuesday, April 29, 2014 10:42 AM
Tuesday, April 29, 2014 10:39 AM -
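An added example, not part of the post above: one way to run the service check from that list remotely, extended to scheduled tasks, which can hold a stale password in the same way. The host name `ADCSRV` and the account `backup` are taken from the event in the question; WinRM access to the host and Windows 8 / Server 2012 or later (for `Get-ScheduledTask`) are assumptions.

```powershell
# Added example (not the poster's code). Assumes WinRM is enabled on the target.
$ComputerName = 'ADCSRV'   # workstation name shown in the failed-logon event
$Account      = 'backup'   # account that keeps locking out

# Matches DOM\backup, .\backup, backup@domain and a bare "backup",
# but not e.g. "backup2" or "sqlbackup".
$pattern = '(^|\\){0}(@|$)' -f [regex]::Escape($Account)

Invoke-Command -ComputerName $ComputerName -ArgumentList $pattern -ScriptBlock {
    param($pattern)

    # Services whose "Log On As" identity is the account
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.StartName -match $pattern } |
        Select-Object @{n='Kind';  e={'Service'}},
                      @{n='Name';  e={$_.Name}},
                      @{n='RunAs'; e={$_.StartName}},
                      @{n='State'; e={$_.State}}

    # Scheduled tasks registered to run as the account
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -match $pattern } |
        Select-Object @{n='Kind';  e={'ScheduledTask'}},
                      @{n='Name';  e={$_.TaskPath + $_.TaskName}},
                      @{n='RunAs'; e={$_.Principal.UserId}},
                      @{n='State'; e={"$($_.State)"}}
} | Sort-Object Kind, Name | Format-Table Kind, Name, RunAs, State -AutoSize
```

Mapped drives and Credential Manager entries are stored per user, so they have to be checked inside each logged-on user's own session on that host (`net use` and `cmdkey /list`).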
Also, you can use the PowerShell script.

    Import-Module ActiveDirectory
    # Search every domain controller for lockout events (4740) for user
    # 'afuller' logged in the last 2 hours (7200000 ms).
    Invoke-Command -ComputerName (
        Get-ADDomainController -Filter * | select -expand name
    ) {
        Get-WinEvent -Logname security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='afuller']]" |
        select TimeCreated,
            @{Label='User Name';Expression={$_.Properties[0].Value}},
            @{Label='Client Name';Expression={$_.Properties[1].Value}}
    }

Auditing Active Directory user-account lockouts via the PDC emulator

    Import-Module ActiveDirectory
    # Same query, run only against the PDC emulator.
    Invoke-Command -ComputerName (
        Get-ADDomain | select -expand PDCEmulator
    ) {
        Get-WinEvent -Logname security -FilterXPath "*[System[EventID=4740 and TimeCreated[timediff(@SystemTime) <= 7200000]] and EventData[Data[@Name='TargetUserName']='afuller']]" |
        select TimeCreated,
            @{Label='User Name';Expression={$_.Properties[0].Value}},
            @{Label='Client Name';Expression={$_.Properties[1].Value}}
    }

Taken the script from PowerShell Deep Dives, by Jeffery Hicks, Richard Siddaway, Oisín Grehan, Aleksandar Nikolić.
Regards~Biswajit
Disclaimer: This posting is provided & with no warranties or guarantees and confers no rights.
MCP 2003,MCSA 2003, MCSA:M 2003, CCNA, MCTS, Enterprise Admin
- Proposed as answer by Mahdi Tehrani Wednesday, April 30, 2014 2:38 AM
Tuesday, April 29, 2014 10:47 AM -
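An added example, not part of the post above or of the book it cites: the same `Get-WinEvent` approach applied to the failed-logon event from the question (event ID 4625), reading the fields by name from the event XML and grouping by origin so the host and logon process that keep failing stand out. The computer `ADCSRV` and account `backup` come from the question's event; WinRM access and the two-hour window are assumptions.

```powershell
# Added example (not the poster's code).
$ComputerName = 'ADCSRV'   # computer that logged the failed logon
$Account      = 'backup'   # account named under "Account For Which Logon Failed"

# Failed logons (4625) for the account in the last 2 hours (7200000 ms)
$xpath = "*[System[EventID=4625 and TimeCreated[timediff(@SystemTime) <= 7200000]] " +
         "and EventData[Data[@Name='TargetUserName']='$Account']]"

$failures = Invoke-Command -ComputerName $ComputerName -ArgumentList $xpath -ScriptBlock {
    param($xpath)
    Get-WinEvent -LogName Security -FilterXPath $xpath -ErrorAction SilentlyContinue |
        ForEach-Object {
            $time = $_.TimeCreated
            # Turn <Data Name="...">value</Data> elements into a lookup table,
            # which is sturdier than positional $_.Properties[n] indexes.
            $d = @{}
            foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) {
                $d[$node.Name] = $node.'#text'
            }
            [pscustomobject]@{
                TimeCreated  = $time
                Status       = $d['Status']            # 0xc0000234 = account locked out
                LogonType    = $d['LogonType']
                LogonProcess = $d['LogonProcessName']
                Workstation  = $d['WorkstationName']
                IpAddress    = $d['IpAddress']
                CallerProcess = $d['ProcessName']
            }
        }
}

# One row per distinct origin, most frequent first
$failures |
    Group-Object IpAddress, Workstation, LogonProcess, Status |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```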
Yes, this account is used as the CA backup service account; not only this account, the printer service account is also locking.
Tuesday, April 29, 2014 3:14 PM
-
Hi,
As others mentioned, I think you could try to troubleshoot the account lockout, and find the reason:
Regards.
Vivian Wang
Wednesday, April 30, 2014 2:52 AM -
Hi,
Any update about the issue?
Regards.
Vivian Wang
Tuesday, May 6, 2014 7:17 AM