Click here to get back home

Account Being Locked Somewhere
 HomeNewsGroups | Search | About
Login Password
Register Now!
 microsoft.public.windows.server.security    Post an article   get this group's latest topics as an RSS feed add this group's latest topics to your My MSN content add this group's latest topics to your My Yahoo content
Subject Author Date
Account Being Locked Somewhere Andrew Hayes 08-18-2006
Posted by Andrew Hayes on August 18, 2006, 6:50 am
Please log in for more thread options
 One of my users, a developer, keeps getting his account locked out, but I
don't see anything in the domain controller security event log that helps me
figure out why it's being locked.

He changed his password this morning, so maybe he has a service that uses
his account.

Is there any way to track down where (machine or otherwise) his account is
being locked from?



Posted by Andrew Hayes on August 18, 2006, 6:53 am
Please log in for more thread options
 Looked at his Services list. None of them are set to use his account.

> One of my users, a developer, keeps getting his account locked out, but I
> don't see anything in the domain controller security event log that helps
> me figure out why it's being locked.
>
> He changed his password this morning, so maybe he has a service that uses
> his account.
>
> Is there any way to track down where (machine or otherwise) his account is
> being locked from?
>



Posted by Brian Delaney [MSFT] on August 18, 2006, 12:01 pm
Please log in for more thread options
Hi Andrew,

Make sure that on the DCs you have auditing turned on for logon events so
that you can see which machine is sending the bad passwords.

Once you have determined the machine there are a number of places on a
machine that store users passwords that could cause the password to lockout
automatically. Some are:

Services
Mapped Network Drives
Scheduled Tasks
Credential Manager (Start -> Run -> control keymgr.dll)
3rd Party applications
DHCP Server
Malware
etc.

Since he just changed his password this morning I would suspect that it is
somewhere he has saved it and just needs to update the password.

Hope this helps,

Brian Delaney
Microsoft Canada
--

This posting is provided "AS IS" with no warranties, and confers no rights.
--------------------
>Subject: Re: Account Being Locked Somewhere
>Date: Fri, 18 Aug 2006 19:53:54 +0900
>
>Looked at his Services list. None of them are set to use his account.
>
>> One of my users, a developer, keeps getting his account locked out, but
I
>> don't see anything in the domain controller security event log that
helps
>> me figure out why it's being locked.
>>
>> He changed his password this morning, so maybe he has a service that
uses
>> his account.
>>
>> Is there any way to track down where (machine or otherwise) his account
is
>> being locked from?
>>
>
>
>


Posted by Andrew Hayes on August 21, 2006, 9:38 pm
Please log in for more thread options
Hmm. Set "Audit Account Logon Events" and "Audit Logon Events" to
Success/Failure in the audit policy for both the Domain Security Policy and
Domain Controller Security Policy and I still can't see the event where the
account is getting locked.

We changed his password back to the old one but the account still gets
locked out. "Manage Passwords" is empty.

Has anyone ever seen the event message in the security log when an account
gets locked out? If so, what were your audit policy settings?

> Hi Andrew,
>
> Make sure that on the DCs you have auditing turned on for logon events so
> that you can see which machine is sending the bad passwords.
>
> Once you have determined the machine there are a number of places on a
> machine that store users passwords that could cause the password to
> lockout
> automatically. Some are:
>
> Services
> Mapped Network Drives
> Scheduled Tasks
> Credential Manager (Start -> Run -> control keymgr.dll)
> 3rd Party applications
> DHCP Server
> Malware
> etc.
>
> Since he just changed his password this morning I would suspect that it is
> somewhere he has saved it and just needs to update the password.
>
> Hope this helps,
>
> Brian Delaney
> Microsoft Canada
> --
>
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
> --------------------
>>Subject: Re: Account Being Locked Somewhere
>>Date: Fri, 18 Aug 2006 19:53:54 +0900
>>
>>Looked at his Services list. None of them are set to use his account.
>>
>>> One of my users, a developer, keeps getting his account locked out, but
> I
>>> don't see anything in the domain controller security event log that
> helps
>>> me figure out why it's being locked.
>>>
>>> He changed his password this morning, so maybe he has a service that
> uses
>>> his account.
>>>
>>> Is there any way to track down where (machine or otherwise) his account
> is
>>> being locked from?
>>>
>>
>>
>>
>



Posted by Andrew Hayes on August 22, 2006, 5:40 am
Please log in for more thread options
Turned on all the auditing and waited for it to be locked. Saw this:

Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 8/22/2006
Time: 4:53:39 PM
User: NT AUTHORITY\SYSTEM
Computer: DOMAINCONTROLLER
Description:
User Account Locked Out:
Target Account Name: USER
Target Account ID: DOMAIN\USER
Caller Machine Name: DATABASESERVER
Caller User Name: DOMAINCONTROLLER$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x000)

It seems he had an old Remote Desktop Connection to the database server that
he had logged in with an old password. Rather than logging off, he had just
closed the window which kept the RDC session open. It must be occasionally
trying to connect using the supplied credentials for some reason.

Connected to the database server, ran Terminal Services Manager, and logged
him off.

Will see if that was the only culprit.



Similar ThreadsPosted
Account locked packets? March 15, 2008, 7:49 am
2003 Domain Controller event id when an account is locked ? January 3, 2007, 4:16 am
Locked Out! Despite Having The Right Password! September 24, 2007, 12:02 pm
how to use the user account and the computers account to ... March 9, 2007, 10:38 am
User Account Created - 624 And User Account Enabled - 626 for Hel October 13, 2005, 1:56 pm
Account Policies - NT January 19, 2006, 3:14 pm
Administrator account July 6, 2007, 12:43 pm
OS account report March 17, 2008, 12:42 am
NT4 user account recovery June 3, 2005, 6:29 am
services running under a certain account August 15, 2005, 9:19 am

Our other projects:

Art Dolls, Fairies and Mermaids - Sunnyfaces.net

Roy's Linux, Programming and Search Engines messages

1-Script XML SitemapXML Sitemap