User account locked out without explanation

microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late! 

Subject Author Date User account locked out without explanation Brad 01-25-2010  Re: User account locked out without explanation Meinolf Weber [... 01-25-2010

Posted by Brad on January 25, 2010, 10:23 am Please log in for more thread options We're running a W2K3 Active Directory environment. We have a problem with user's AD accounts getting locked out unexpectedly. An examination of the domain controller security event logs shows nothing like any bad password attempts leading up to the lockout. We did find a series of LSASRV events in the local PC System log, Event IDs 40961, and 40961, and in the Application log there were two USERENV events, IDs 1006 and 1030, coinciding exactly with the time the accounts get locked out. Google and Bing searches were not fruitful. I would appreciate any suggestions on where to look for information that would shed light on what relation, if any, these events have on the account getting locked out. Posted by Meinolf Weber [MVP-DS] on January 25, 2010, 4:22 pm Please log in for more thread options Hello Brad, Start with account lockout tools and also check for conficker, see the following articles: http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en http://support.microsoft.com/kb/109626 http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html http://support.microsoft.com/kb/962007 Best regards Meinolf Weber Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights. ** Please do NOT email, only reply to Newsgroups ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm show/hide quoted text > We're running a W2K3 Active Directory environment. We have a problem > with user's AD accounts getting locked out unexpectedly. An > examination of the domain controller security event logs shows nothing > like any bad password attempts leading up to the lockout. We did find > a series of LSASRV events in the local PC System log, Event IDs 40961, > and 40961, and in the Application log there were two USERENV events, > IDs 1006 and 1030, coinciding exactly with the time the accounts get > locked out. Google and Bing searches were not fruitful. I would > appreciate any suggestions on where to look for information that would > shed light on what relation, if any, these events have on the account > getting locked out. > Similar Threads Posted User account regularly locked July 1, 2009, 9:28 am Account Being Locked Somewhere August 18, 2006, 6:50 am Account locked packets? March 15, 2008, 7:49 am Event id 672, 675, 680 - Account getting locked out April 21, 2009, 1:51 pm 2003 Domain Controller event id when an account is locked ? January 3, 2007, 4:16 am User Account Created - 624 And User Account Enabled - 626 for Hel October 13, 2005, 1:56 pm Explanation of Anonymous Named Pipes Security Policy August 20, 2006, 9:28 pm how to use the user account and the computers account to ... March 9, 2007, 10:38 am NT4 user account recovery June 3, 2005, 6:29 am Unknown User Account or Spyware? September 11, 2005, 12:14 pm