Urgent!!! Account keeps locking out

  • Question

  • Hi,

We are using AD 2008 on Windows Server 2008. One user's account keeps locking out. I tried turning off his computer and cell phone, but still no luck. The user is unable to work now.

Could this problem be caused by a hacker who is attempting to log in to his email by guessing his password? If so, how do I solve it?

    The 2 error messages below are from Event Viewer.

    An account failed to log on.

    Subject:
        Security ID:        NULL SID
        Account Name:        -
        Account Domain:        -
        Logon ID:        0x0

    Logon Type:            3

    Account For Which Logon Failed:
        Security ID:        NULL SID
        Account Name:        username
        Account Domain:        domainName

    Failure Information:
        Failure Reason:        Account locked out.
        Status:            0xc0000234
        Sub Status:        0x0

    Process Information:
        Caller Process ID:    0x0
        Caller Process Name:    -

    Network Information:
        Workstation Name:    USER-HP
        Source Network Address:    192.168.1.68
        Source Port:        63029

    Detailed Authentication Information:
        Logon Process:        NtLmSsp
        Authentication Package:    NTLM
        Transited Services:    -
        Package Name (NTLM only):    -
        Key Length:        0
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    The domain controller attempted to validate the credentials for an account.

    Authentication Package:    MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account:    username
    Source Workstation:    USER-HP
    Error Code:    0xc0000234

    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

    Do those messages mean the attack is from workstation "USER-HP" (IP 192.168.1.68)? I don't know which workstation this is, how can I find out?

    Please advise!

    Any help will be highly appreciated!

    Thanks in advance!


    Grace

    Friday, May 15, 2015 1:56 AM

Answers

  • Hi,

Check on the machine (USER-HP, IP 192.168.1.68) for printers, drivers, or mapped drives with old credentials. Disconnect any you find, reboot the computer, then try to map again.

    • Marked as answer by graceyin39 Monday, May 18, 2015 6:32 PM
    Friday, May 15, 2015 10:23 AM

  • Do those messages mean the attack is from workstation "USER-HP" (IP 192.168.1.68)? I don't know which workstation this is, how can I find out?


Ask your network team to check that IP on the switch; they should be able to see which port it's plugged into and from there find the location of the device.

    This post is provided AS IS with no warranties or guarantees, and confers no rights.
    ~~~
    This post provides no guarantees and confers no rights

    • Marked as answer by graceyin39 Monday, May 18, 2015 6:32 PM
    Friday, May 15, 2015 10:28 AM
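The two marked answers point at the same workflow: read the Source Workstation / Source Network Address from the 4625 and 4776 events, then clear the stale credential on that machine. The following PowerShell is an added example (not code from the thread or from Microsoft) that automates both steps: it summarises lockout failures for one account by source workstation on a domain controller, then lists the stored credentials and mapped drives on that workstation. The account name, DC name and the WinRM access to the workstation are assumptions.

```powershell
# Added example: trace an AD account lockout to its source workstation.
# Assumes it runs with rights to read the DC's Security log and WinRM access
# to the workstation. $User and $Dc are placeholders, not values from the thread.
param(
    [string]$User  = 'username',   # account named in the 4625 events (placeholder)
    [string]$Dc    = 'localhost',  # domain controller to query (placeholder)
    [int]   $Hours = 24
)

# 4625 = "An account failed to log on"; 4740 = "A user account was locked out".
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4625, 4740; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Read EventData fields by name instead of relying on their position.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d.TargetUserName -ne $User) { continue }
    # Keep only 4625s whose status is STATUS_ACCOUNT_LOCKED_OUT, as on the page.
    if ($e.Id -eq 4625 -and $d.Status -ne '0xc0000234') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        # 4740 stores the "Caller Computer Name" in the TargetDomainName field.
        Workstation = if ($e.Id -eq 4740) { $d.TargetDomainName } else { $d.WorkstationName }
        IpAddress   = $d.IpAddress
        LogonType   = $d.LogonType
        Process     = $d.ProcessName
    }
}

# One line per (workstation, IP) pair, most failures first: this is the machine
# holding the stale credential (in the thread: USER-HP / 192.168.1.68).
$rows | Group-Object Workstation, IpAddress | Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{n = 'FirstSeen'; e = { ($_.Group.Time | Measure-Object -Minimum).Minimum }} |
    Format-Table -AutoSize

# On the top workstation, show what Credential Manager and mapped drives still
# hold. A stale entry is removed with: cmdkey /delete:<TargetName>
$top = ($rows | Group-Object Workstation | Sort-Object Count -Descending | Select-Object -First 1).Name
if ($top) {
    Invoke-Command -ComputerName $top -ScriptBlock { cmdkey /list; net use }
}
```

If the top workstation is a mail or proxy server rather than a user PC, the failures are coming through that server (OWA, ActiveSync), which is the distinction the later reply in this thread draws.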

All replies

  • Hi,

    Use process explorer or other tool to find out the process that might be trying to authenticate the user with a wrong password.

    Hope it helps.

    Regards,

    Calin

    Friday, May 15, 2015 9:18 AM
  • Hi

    Create a shortcut on the user's system with the command below and clear all cached passwords.

    "rundll32.exe keymgr.dll, KRShowKeyMgr"

    Regards,

    Shamal

    Friday, May 15, 2015 10:42 AM
  • You could search for the computer in Active Directory. If your computers are placed in OUs based on location or business operations, you might be able to see where that computer is situated. Of course, if you have thousands of computers in the "Computers" container (that's not even an OU), my suggestion may not help much.

    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Saturday, May 16, 2015 8:43 PM
  • And as I mentioned in another security discussion, if the lockout failure is due to an attempt to connect to email (via OWA or ActiveSync, for example), you'd probably see a reference to the mail server and not USER-HP.


    Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you.

    Saturday, May 16, 2015 8:47 PM
  • Hi,

Check on the machine (USER-HP, IP 192.168.1.68) for printers, drivers, or mapped drives with old credentials. Disconnect any you find, reboot the computer, then try to map again.

You are right! The problem was caused by a mapped drive on machine USER-HP with an old credential.

    I don't have access to the switch; instead, I unplugged the cable until I saw a time-out reply for ping 192.168.1.68. That way I traced the machine and removed the account in Credential Manager. The user's account is no longer locked out.

    Thanks for your help!


    Grace

    Monday, May 18, 2015 6:46 PM