Setup Mainly Windows 7 and some 2008 R2 machines with a 2003 Domain controller. Issue I, get frequent account lockouts. Two weeks ago i decided to rebuild by PC image to remove the possibility of some artifact on my PC contributing to this. I did the normal things before this of ensuring no mapped drives with passwords and looking at the secure store. My account lockouts though lower are still happening. More Info I don't have access to the domain controller due to IT policies. IT are reluctant to spend any time on the issue for one person. I was the one that created the images that got cloned onto our development laptops and desktops (using Ghost). I believed at the time the images did not have traces of me... Request I have a list of machines which are using my credentials from a DC event dump done 2 days after i re-imaged my desktop. >> is their something i can install / enable on the client side, to determine why myself or other laptops (in particular) are using my account ? Thanks!! Previous thread http://social.technet.microsoft.com/Forums/en-US/winserversecurity/thread/25209cdf-40e2-4756-a41a-51702ee48d36 IP Event Codes myself 673 0x12; 675 0x12, 0x18, 0x19; 680 MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 672 0x17 xx.yyy.16.183 675 0x12 0x18 xx.yyy.16.206 675 0x18 0x19 xx.yyy.16.39 675 0x19 ; 672 0x17 xx.yyy.16.12 675 0x19 xx.yyy.17.166 675 0x12 xx.yyy.16.234 675 0x12, 0x18 & 0x19 xx.yyy.17.19 675 0x18 & 0x19 xx.yyy.17.19 675 0x18 & 0x19 xx.yyy.17.70 675 0x18 & 0x19 xx.yyy.18.170 672 0x17

Hi Greg, It sounds like after the Ghost image is applied it is using your account details to try and either logon to the laptop/pc or join the domain with them automatically. Either way, this will lock your account if you have changed your password since the image was built. When you created the image, was it domain connected at the time? Best practice is to create images with the local Administrator account prior to joining to the domain. This avoids any unnecessary login attempts that will lock out your account. Important: Dont forget to update the SID of the new pc's as the image will continue to use the original SID and can cause issues when trying to join a domain. Hope this helps

Angelo I appreciate the answer and it makes sense, but on the issue of client side logging ?

Greg, Have you looked at Account Lockout and Management Tools? Also, you can enable advanced security logging on the Win7 boxes by GPO. http://social.technet.microsoft.com/wiki/contents/articles/advanced-security-auditing-in-windows-7-and-windows-server-2008-r2.aspx

In my case i am not interested in polocies, rather what is happening. The management tools by in large need DC access however i found the "Lockoutstatus.exe" tool does work client side and shows the time of the current lockout, but does not identify why this happened. I have marked this as answered as i think i won't be able to get much further on the client side. thanks Greg

Greg, Part of ALMT is "Alockout.dll" which can tell you which program is sending the bad creds locally. http://jagbarcelo.blogspot.co.uk/2006/08/account-lockout-and-management-tools.html zxx