We have had a number of Security logs from one of our AD server for an admin account failed logon due to bad password.
I have spoken to the user and he hasn't changed his password (usually find these logs occur when someone leaves themselves logged on and change their password)
Their account does not seem to be getting locked out either, even though we have lockout threshold
End user uses Windows 7 machine and our AD server is windows Windows 2008 R2
the logs are as follows.
<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>
<System>
<Provider Name='Microsoft-Windows-Security-Auditing' Guid='{54849625-5478-4994-a5ba-3e3b0328c30d}'/>
<EventID>4776
</EventID>
<Version>0
</Version>
<Level>Information
</Level>
<Task>Credential Validation
</Task>
<Opcode>Info
</Opcode>
<Keywords>Audit Failure
</Keywords>
<TimeCreated SystemTime='2015-08-26T09:33:47.998764000Z'/>
<EventRecordID>2123551649
</EventRecordID>
<Correlation/>
<Execution ProcessID='556' ThreadID='6524'/>
<Channel>Security
</Channel>
<Computer>ADServer.ourdomain.com</Computer>
<Security/>
</System>
<EventData>The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: Useradminaccount
Source Workstation: (\\) workstationname
Error Code: 0xc000006a</EventData></Event>
I suppose the question is what could be causing this? User hasn't changed password recently, they can still use their admin account as it isn't getting locked out.
Thanks