We have had a number of Security logs from one of our AD server for an admin account failed logon due to bad password.

I have spoken to the user and he hasn't changed his password (usually find these logs occur when someone leaves themselves logged on and change their password)

Their account does not seem to be getting locked out either, even though we have lockout threshold

End user uses Windows 7 machine and our AD server is windows Windows 2008 R2

the logs are as follows.

<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>

<System>

<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>

<EventID>4776

</EventID>

<Version>0

</Version>

<Level>Information

</Level>

<Task>Credential Validation

</Task>

<Opcode>Info

</Opcode>

<Keywords>Audit Failure

</Keywords>

<TimeCreated SystemTime='2015-08-26T09:33:47.998764000Z'/>

<EventRecordID>2123551649

</EventRecordID>

<Correlation/>

<Execution ProcessID='556' ThreadID='6524'/>

<Channel>Security

</Channel>

<Computer>ADServer.ourdomain.com</Computer>

<Security/>

</System>

<EventData>The computer attempted to validate the credentials for an account.

Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Useradminaccount
Source Workstation: (\\) workstationname
Error Code: 0xc000006a</EventData></Event>

I suppose the question is what could be causing this? User hasn't changed password recently, they can still use their admin account as it isn't getting locked out.

Thanks

Hi,

Checkout the below link for account lockout troubleshooting using native tools (Account Lockout and Management tools, PoweShell, and Repadmin)
http://social.technet.microsoft.com/wiki/contents/articles/4585.account-locked-out-troubleshooting-eventcombmt.aspx

Some of the possible causes for accout lockout:
- Mapped Drives with expired password.
- Services in "Services" console with expired password.
- Old passwords stored in Credential Manager.
- Check for conficker worm in your environment.

If you are interested in evaluating third party tools - Account Lockout Tool from JiJi Technologies helps to analyze the user account lockouts.

Hi,

thanks for the reply.

The account lockout isn't really the issue here has the persons account isn't locked out. Just trying to figure out why there are numerous logs for User Logon Failure : Bad Password; where it doesn't appear to be a bad password.

My first thought, as you have suggested, is a mapped drive with expired password.

Hi,

From the current description, it seems is the known issue and please install the following hotfix then monitor the issue again.

Local user accounts incorrectly trigger domain account logon auditing events when they view history of scheduled tasks in Windows Vista, in Windows Server 2008, in Windows 7 or in Windows Server 2008 R2

https://support.microsoft.com/en-us/kb/2549079

Im glad to be of help to you!