User's account keeps getting locked out, but why?
I have a user that has been having his account locked out for the past few weeks now. Luckily he's not a heavy user since he's in maintenance and never really on his system. But I would still like to get it figured out because it is becoming an annoyance. His account will get locked out when he's not even logged in anywhere or in the building.
I've checked everything I can think of and ran virus scans, etc. on his system and everything is clean. I read that a hung remote session is common, but he does not do that. Like I said, he barely uses his desktop as it is, let alone remoting into another system for some reason.
I enabled auditing and found when the account was getting locked and when it was denied, but they do not help me to find the source. I'm hoping someone here can help me read these files and point me in the right direction. Thanks in advance!
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 3/23/2011
Time: 5:56:55 PM
User: NT AUTHORITY\SYSTEM
Computer: XXXDC01
Description:
Logon Failure:
Reason:
Unknown user name or bad password
User Name:
XXX
Domain:
XXX
Logon Type:
3
Logon Process:
CHAP
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Caller User Name:
XXXDC01$
Caller Domain:
XXX
Caller Logon ID:
(0x0,0x3E7)
Caller Process ID:
832
Transited Services:
-
Source Network Address:
-
Source Port:
-
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 3/23/2011
Time: 5:57:55 PM
User: NT AUTHORITY\SYSTEM
Computer: XXXDC01
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: XXX
Source Workstation:
Error Code: 0xC0000234
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 3/23/2011
Time: 5:57:55 PM
User: NT AUTHORITY\SYSTEM
Computer: XXXDC01
Description:
Logon Failure:
Reason:
Account locked out
User Name:
XXX
Domain:
XXX
Logon Type:
3
Logon Process:
CHAP
Authentication Package:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Workstation Name:
Caller User Name:
XXXDC01$
Caller Domain:
XXX
Caller Logon ID:
(0x0,0x3E7)
Caller Process ID: 832
Transited Services: -
Source Network Address:
-
Source Port:
-
March 26th, 2011 1:39am
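One way to read the audit events in the question, added here as an example and not part of the original thread: it parses the text export (value after `Key: ` or alone on the next line) and keeps only the fields that show where a failed logon was submitted from. The function names and the abridged sample are assumptions of this example; the NTSTATUS and logon type values are the standard Windows ones.

```python
NTSTATUS = {0xC0000064: "no such user", 0xC000006A: "wrong password", 0xC0000234: "locked out"}
LOGON_TYPE = {"2": "interactive", "3": "network", "5": "service", "10": "remote interactive"}

def parse_events(text):
    """One dict per event; a value follows 'Key: ' or stands alone on the next line."""
    events, cur, pending = [], {}, None  # the first cur only absorbs any preamble
    for line in filter(None, map(str.strip, text.splitlines())):
        if line.startswith("Event Type:"):
            cur = {}
            events.append(cur)
        if line.endswith(":"):            # key; its value, if any, is the next line
            pending = line[:-1]
            cur[pending] = ""
        elif ": " in line:                # key and value on the same line
            key, value = line.split(": ", 1)
            cur[key.strip()], pending = value.strip(), None
        elif pending:                     # bare value for the preceding key
            cur[pending], pending = line, None
    return events

def triage(ev):
    """Keep only the fields that show where a failed logon was submitted from."""
    ev = {k: v for k, v in ev.items() if v not in ("", "-")}  # blank or "-": not recorded
    return {
        "id": ev.get("Event ID"),
        "logon_type": LOGON_TYPE.get(ev.get("Logon Type"), ev.get("Logon Type")),
        "logon_process": ev.get("Logon Process"),
        "caller_pid": ev.get("Caller Process ID"),
        "source": ev.get("Workstation Name") or ev.get("Source Workstation")
                  or ev.get("Source Network Address"),
        "status": NTSTATUS.get(int(ev["Error Code"], 16)) if "Error Code" in ev else None,
    }

SAMPLE = """Event Type: Failure Audit
Event ID: 529
Logon Type:
3
Logon Process:
CHAP
Workstation Name:
Caller Process ID:
832
Source Network Address:
-
Event Type: Failure Audit
Event ID: 680
Error Code: 0xC0000234
"""  # abridged copy of events 529 and 680 from the question above
print([triage(e) for e in parse_events(SAMPLE)])
```

With Workstation Name and Source Network Address both blank, the fields these events still offer as leads are the Logon Process (CHAP) and Caller Process ID 832 on XXXDC01.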
Check this out
http://social.technet.microsoft.com/Forums/en-US/winserverManagement/thread/4f72c4b1-343c-459a-b431-de24ea2d5136/
Some of the common causes for account lock outs are
Saved Browser Passwords, User Account used for running specific services, Saved Passwords on Network Printers, Cached passwords on Terminal Server sessions, etc.
Thanks, Santosh (MCTS W2K8 AD and SCCM) To Infinity and Beyond
March 26th, 2011 7:35am
Start with account lockout tools and also check for the Conficker virus:
http://www.microsoft.com/downloads/en/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html
http://support.microsoft.com/kb/109626
Conficker: http://support.microsoft.com/kb/962007
http://www.virmansec.com/blogs/skhairuddin
March 26th, 2011 10:16am
“Unknown user name or bad password”
Maybe a silly question but is he really using the correct password?
Did he change the password recently?
I hope it is replicated to all DCs. Make sure he doesn’t have an open session from another workstation using old password.
Close all his sessions and try again
You can use account lockout tools to identify lockout issues.
Since it is happening only on one account I would say just find out his open session details first.
Santhosh Sivarajan | MCTS, MCSE (W2K3/W2K/NT4), MCSA (W2K3/W2K/MSG), CCNA, Network+ Houston, TX
Blogs - http://blogs.sivarajan.com/
Articles - http://www.sivarajan.com/publications.html
Twitter: @santhosh_sivara - http://twitter.com/santhosh_sivara
This posting is provided AS IS with no warranties, and confers no rights.
March 28th, 2011 4:52am