Account getting locked every day, 5 bad password attempts

  • Question

  • I am facing an issue with a user whose account is getting locked out every day. We have tried all the possible troubleshooting:
    network drives, drivers, applications, mobile device, etc. We even built a new machine and the same is happening. Every day there are 5 incorrect password attempts. This is happening even if the machine is off.
    The DC is not showing the source; it is just marking it as \\Localhost: . This is happening at random hours, not at the same hours every day.

    On the local machine I found these events:
    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: PKC000122436005$
    Account Domain: ADS
    Logon ID: 0x3E7

    Logon Type: 7

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Konrad Jablonski
    Account Domain: ADS

    Failure Information:
    Failure Reason: Account locked out.
    Status: 0xC0000234
    Sub Status: 0x0

    Process Information:
    Caller Process ID: 0x3ae8
    Caller Process Name: C:\Windows\System32\winlogon.exe

    Network Information:
    Workstation Name: PKC000122436005
    Source Network Address: 127.0.0.1
    Source Port: 0

    Detailed Authentication Information:
    Logon Process: User32 
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    -----------------------------------

    An account failed to log on.

    Subject:
    Security ID: SYSTEM
    Account Name: PKC000122436005$
    Account Domain: ADS
    Logon ID: 0x3E7

    Logon Type: 2

    Account For Which Logon Failed:
    Security ID: NULL SID
    Account Name: Konrad Jablonski
    Account Domain: ADS

    Failure Information:
    Failure Reason: Account locked out.
    Status: 0xC0000234
    Sub Status: 0x0

    Process Information:
    Caller Process ID: 0x27dc
    Caller Process Name: C:\Windows\System32\LogonUI.exe

    Network Information:
    Workstation Name: PKC000122436005
    Source Network Address: -
    Source Port: -

    Detailed Authentication Information:
    Logon Process: Advapi  
    Authentication Package: Negotiate
    Transited Services: -
    Package Name (NTLM only): -
    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.
    - Transited services indicate which intermediate services have participated in this logon request.
    - Package name indicates which sub-protocol was used among the NTLM protocols.
    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
    Please advise.
    Wednesday, March 16, 2016 1:42 PM

Answers

  • Hi,

    Thanks for your reply.

    In my opinion, we should focus on Logon Type 2 and Logon Type 7 which were mentioned in the Event. This information could exclude most possible causes.

    Logon Type 2 – Interactive

    This is what occurs to you first when you think of logons, that is, a logon at the console of a computer. You’ll see type 2 logons when a user attempts to log on at the local keyboard and screen, whether with a domain account or a local account from the computer’s local SAM. To tell the difference between an attempt to log on with a local or domain account, look for the domain or computer name preceding the user name in the event’s description. Don’t forget that logons through a KVM over IP component or a server’s proprietary “lights-out” remote KVM feature are still interactive logons from the standpoint of Windows and will be logged as such.

    Logon Type 7 – Unlock
    Hopefully the workstations on your network automatically start a password protected screen saver when a user leaves their computer so that unattended workstations are protected from malicious use. When a user returns to their workstation and unlocks the console, Windows treats this as a logon and logs the appropriate Logon/Logoff event but in this case the logon type will be 7 – identifying the event as a workstation unlock attempt. Failed logons with logon type 7 indicate either a user entering the wrong password or a malicious user trying to unlock the computer by guessing the password.

    As far as I know there are two possibilities for logon failure with Logon type 7.
    1. In most cases, this logon type occurs when a user unlocks the password-protected workstation screen; Windows treats this logon as logon type 7. If you entered a valid password, event 4624 is logged in the workstation event log with logon type 7, and if you entered a wrong password, event 4625 will be logged with logon type 7.
    2. There may be a possibility to get account locked by Cached Active Directory Password.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, March 18, 2016 6:55 AM
    Moderator
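    To apply the distinction the answer draws to the events pasted in the question, here is an added Python example (not code from the thread or from Microsoft) that parses pasted 4625 bodies and separates failures against an already-locked account (status 0xC0000234, a consequence of the lockout) from wrong-password attempts (status 0xC000006D / sub status 0xC000006A, which are what actually count toward the lockout). The two sample event bodies and the 10.0.0.5 address are constructed for the example.

```python
import re

# Two 4625 bodies constructed for this example, shaped like the question's events:
# an unlock attempt against an already-locked account, then a real bad-password attempt.
SAMPLE = """\
Logon Type: 7
Status: 0xC0000234
Sub Status: 0x0
Caller Process Name: C:\\Windows\\System32\\winlogon.exe
Source Network Address: 127.0.0.1
-----
Logon Type: 3
Status: 0xC000006D
Sub Status: 0xC000006A
Source Network Address: 10.0.0.5
"""
# Field patterns; "^\s*Status:" is anchored so it does not also match "Sub Status:".
PATTERNS = {"logon_type": r"^\s*Logon Type:\s*(\d+)",
            "status": r"^\s*Status:\s*(0x[0-9A-Fa-f]+)",
            "sub_status": r"^\s*Sub Status:\s*(0x[0-9A-Fa-f]+)",
            "process": r"^\s*Caller Process Name:\s*(\S.*?)\s*$",
            "source": r"^\s*Source Network Address:\s*(\S.*?)\s*$"}
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 10: "remote interactive", 11: "cached interactive"}

def parse_4625(text):
    """Split pasted 4625 bodies (separated by a '-----' line) into field dicts."""
    events = []
    for block in re.split(r"^-{3,}\s*$", text, flags=re.M):
        ev = {k: m.group(1) for k, p in PATTERNS.items() if (m := re.search(p, block, flags=re.M))}
        if "status" in ev:      # skip blank fragments around the separators
            events.append(ev)
    return events

def classify(ev):
    """'cause' if the attempt counted toward badPwdCount (0xC000006D / 0xC000006A),
    'consequence' if the account was already locked (0xC0000234), else 'other'."""
    if ev["status"] == "0xC0000234":
        return "consequence"
    if ev["status"] == "0xC000006D" and ev.get("sub_status") == "0xC000006A":
        return "cause"
    return "other"

def triage(text):
    """One (role, logon type, caller process, source) row per event. Only 'cause' rows
    point at where the bad attempts originate; with none in the workstation log, the
    attempts come from elsewhere (event 4740 on the PDC emulator names the caller computer)."""
    return [(classify(ev), LOGON_TYPES.get(int(ev.get("logon_type", 0)), "unknown"),
             ev.get("process", "-"), ev.get("source", "-")) for ev in parse_4625(text)]
```

    Run on the two events in the question, both rows come out as "consequence", which is consistent with the observation that the lockouts continue while the workstation is powered off.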

All replies

  • Hi,

    Thanks for your post.

    From the error description, it is most likely services performing automated tasks or scheduled tasks executing.

    Also the Conficker virus can be a reason:

    http://support.microsoft.com/kb/962007

    If the above doesn't help, you could use the Account lockout tools:

    http://www.microsoft.com/downloads/en/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

    http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

    http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Best Regards,

    Alvin Wang


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, March 17, 2016 7:47 AM
    Moderator
  • Hello Alvin

    Thanks for the suggestion, but I have already tried all of the lockout tools. We ran a full virus scan on the machine with two different tools and no luck yet; we even gave him a completely new machine and kicked the old one out of the domain. The weird thing is that it happens even if the machine is offline, and we can't get the IP address that is trying to authenticate. In our DC we normally can get the machine name, IP address and all the necessary information to get the source, but in this case we just get as the source: \\localhost:

    I would appreciate it if you have any other idea.

    Thursday, March 17, 2016 8:20 AM