Account locked on a regular basis
Hi,

I'm suffering an account lockout problem with my account in the AD. I'm an admin. I try to identify which server or desktop causes this, but I'm not able to identify the source of the problem. I have checked all the computers where I generally connect to validate that no services or scheduled jobs run under my account. And apparently everything is correct... but for sure there is a process causing the problem. My network uses some SQL Servers, MOSS servers etc., so a bunch of different applications.

The problem starts after I change my password (and it's not the first time I'm doing this), so I rolled back to my previous password, but the problem is still active.

Using the lockoutstatus tool, I can see this event:

06/26 15:43:45 [CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234)

The event log of my DC contains some events like this, and then the account is locked:

675, AUDIT FAILURE, Security, Fri Jun 26 15:43:45 2009, NT AUTHORITY\SYSTEM, Pre-authentication failed: User Name: <MY USERNAME> User ID: %{S-1-5-21-1417001333-1682526488-839522115-27978} Service Name: krbtgt/<domain> Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1

The client address logged, 127.0.0.1, is not a valid one (so I don't know from where the problem is generated). I'm lost, I'm not able to identify the problem. Any help and guidance is appreciated.
June 26th, 2009 10:57pm
This is always a fun task to nail down. You will sort of feel like Sherlock Holmes for a minute or two. :) Think back: do you have any services, applications, scripts, or scheduled tasks that are using your ID? Scour the security event logs; you most likely should find Event ID 529 and/or 539.

Event ID: 529 Type: Failure Audit
Description: Logon Failure: Reason: Unknown user name or bad password User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

Event ID: 539 Type: Failure Audit
Description: Logon Failure: Reason: Account locked out User Name: %1 Domain: %2 Logon Type: %3 Logon Process: %4 Authentication Package: %5 Workstation Name: %6

http://support.microsoft.com/kb/174074
June 27th, 2009 4:47am
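As an added example (not code from this thread or from Microsoft), the following PowerShell script does the "scour the security event logs" step across every domain controller at once, so you don't have to open Event Viewer on each DC. It pulls the failure audits tied to one account, extracts whichever source field each event carries (Workstation Name, Client Address, Caller Machine/Computer Name, Source Network Address) and groups the hits by source and by minute of the hour, which is exactly what exposes a job that fires at a fixed minute. The account name jdoe, the 24-hour window and the assumption that you run this as a domain admin from a machine with remote event log access are all assumptions of the example; the Windows 2003 event IDs (529, 539, 644, 675) come from the thread, the 2008+ IDs (4625, 4740, 4771) are their documented successors.

```powershell
# Added example: find which machine is sending bad credentials for one account.
# Assumptions (not from the thread): run as a domain admin, remote Security log
# access to every DC, account name below is hypothetical.
param(
    [string]$Account = 'jdoe',   # hypothetical sAMAccountName
    [int]$Hours = 24             # how far back to search
)

$since  = (Get-Date).AddHours(-$Hours)
$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$dcs    = $domain.DomainControllers | ForEach-Object { $_.Name }

# Windows 2003 IDs: 529 bad password, 539 locked out, 644 lockout on DC, 675 pre-auth failed.
# Windows 2008+ IDs: 4625 logon failure, 4740 lockout, 4771 Kerberos pre-auth failed.
$ids = 529, 539, 644, 675, 4625, 4740, 4771

# Field names that identify the sender in the various event formats
$sourcePatterns = 'Client Address:\s*(\S+)',
                  'Workstation Name:\s*(\S+)',
                  'Caller Machine Name:\s*(\S+)',
                  'Caller Computer Name:\s*(\S+)',
                  'Source Network Address:\s*(\S+)'

$hits = foreach ($dc in $dcs) {
    try {
        Get-EventLog -LogName Security -ComputerName $dc -After $since -ErrorAction Stop |
          Where-Object { $ids -contains $_.EventID -and $_.Message -match [regex]::Escape($Account) } |
          ForEach-Object {
              $src = $null
              foreach ($pat in $sourcePatterns) {
                  if ($_.Message -match $pat) { $src = $matches[1]; break }
              }
              [pscustomobject]@{
                  DC      = $dc
                  Time    = $_.TimeGenerated
                  Minute  = $_.TimeGenerated.Minute   # a fixed value here means a scheduled job
                  EventID = $_.EventID
                  Source  = $src
              }
          }
    } catch {
        Write-Warning "Could not read the Security log on ${dc}: $($_.Exception.Message)"
    }
}

'--- all matching failure audits, oldest first ---'
$hits | Sort-Object Time | Format-Table DC, Time, EventID, Source -AutoSize

'--- grouped by source and minute-of-hour ---'
$hits | Group-Object Source, Minute | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

A source of 127.0.0.1 or the DC's own name in the grouped output means the bad credential is presented by a process on that DC itself, so the next place to look is that machine's services, scheduled tasks and stored credentials rather than the rest of the network.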
We had the same problem; it was kind of stupid. We made a mapping to a network drive on our server, where scripts and software are located, and checked the "reconnect at logon" option (persistent). We gave our admin credentials to log on to that network drive. Then a month later we needed to change our password. Once we had changed the password of our admin account, we were getting locked out, because of the old credentials in the mapping to the network drive. I also did some investigation into which domain controller we were locked out from. I used the Account Lockout and Management Tools for that. It's very handy when you are in a large environment and you want more information. Here you will also find a nice article on TechNet on how to troubleshoot this kind of challenge: Troubleshooting Account Lockout
Certifications: MCSA 2003 MCSE 2003
June 27th, 2009 9:09pm
Hi,
Thank you for your post.
The client address 127.0.0.1 indicates that the incorrect credential was sent from the computer itself. You can refer to the common troubleshooting steps in the Troubleshooting Account Lockout article (http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx).
If it does not help, please enable auditing at the domain level for the following events:
Account Logon Events Failure
Account Management Success
Logon Events Failure
And then, collect MPSReport on all domain controllers in the domain when the issue occurs:

1. Download MPSReport from the following link: http://download.microsoft.com/download/b/b/1/bb139fcb-4aac-4fe5-a579-30b0bd915706/MPSRPT_DirSvc.EXE
2. Double-click the executable to launch the report gathering tool on the domain controllers.
3. After the tool finishes gathering the information, you will find a .cab file in the C:\WINDOWS\MPSReports\DirSvc\cab folder.
Please upload the .cab file to the following space:
https://sftasia.one.microsoft.com/choosetransfer.aspx?key=ffacfff0-416d-44e8-b642-1e4d003cf0c7
Password: Q3ttnOks]l![)7G
Note: Please also let me know the account name of user account.
I look forward to your response.
June 29th, 2009 6:48am
Thanks for your comments.

Unfortunately, I'm still not able to identify which computer causes the problem. I have restarted all the computers (including the DC), used the account lockout tools (failed logon auditing already activated) etc... but nothing more!

Now the account is locked every hour at XXh 43 min, so there is a job running every hour somewhere. But I have not found it!

"The client address 127.0.0.1 indicates that the incorrect credential was sent from the computer itself": does this mean the computer is the DC itself? (It's where I'm seeing the event log.) Or does "computer itself" mean the computer which causes the issue? (So the computer I'm not able to find.)

I'll prepare the MPSReport and send it to you.

Jerome.
June 29th, 2009 6:38pm
Hi,
Thank you for your reply.
Yes, the IP address means that the computer is the DC itself.
I suggest that we check the following settings on the DC:
Stored user names and passwords retain redundant credentials: If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool.
Scheduled tasks: Scheduled processes may be configured to use this user account with an incorrect password.
Persistent drive mappings: Persistent drives may have been established with this user account with an incorrect password.
For more information, please check the following link:
http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
In addition, I notice that the DHCP service is running on this computer. Please perform the following steps to check whether the DHCP server is using this user's credentials to register DNS records:
1. Open DHCP management console.
2. Right click the server and select Properties.
3. Switch to the tab Advanced and click Credentials for DNS dynamic update registration.
If the user account is being used there, please correct the password and restart the service to check whether the issue goes away.
If all of the settings have been checked but we are still not able to identify the culprit, please download and install Windows Logon Monitor on the DC:
1. Access the following space and download the Windows Logon Monitor.zip file: https://sftasia.one.microsoft.com/choosetransfer.aspx?key=ffacfff0-416d-44e8-b642-1e4d003cf0c7 Password: Q3ttnOks]l![)7G
2. Log onto the DC with an Administrator account, unzip file.
3. Open Command Prompt, change to the folder where you have saved the Windows Logon Monitor setup files.
4. Type wlmsetup /setup, and then press ENTER.
5. Restart your computer to complete the Windows Logon Monitor setup process.
6. After the computer starts, please verify that the following registry entries are correct, under the key HKLM\SYSTEM\CurrentControlSet\Control\LSA\WLMSSP:
DebugFlags (REG_DWORD) 0x00000000
ProcessFilter (REG_MULTI_SZ) [blank]
UserFilter (REG_MULTI_SZ) [blank]
LogAllProcess (REG_DWORD) 1
LogAllUser (REG_DWORD) 1
Installed (REG_DWORD) 1
When the issue occurs, you should see some WLMSSP events logged in the Event Viewer. Please collect the MPSReport again and upload it to the space.
https://sftasia.one.microsoft.com/choosetransfer.aspx?key=ffacfff0-416d-44e8-b642-1e4d003cf0c7 Password: Q3ttnOks]l
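The checklist in the reply above (stored user names and passwords, scheduled tasks, persistent drive mappings, DHCP DNS update credentials) plus the services check from the original post can be run on the DC in one pass. The following PowerShell script is an added example, not code from this thread or from Microsoft; it inventories every place on the local machine where a stale password for one account could be cached. The account name jdoe is hypothetical, and it assumes you run it elevated on the suspect machine (Windows 2003 R2 / 2008 era tooling: schtasks, cmdkey, netsh dhcp). cmdkey only lists the stored credentials of the user running the script, so run it once per account that logs on interactively to the DC.

```powershell
# Added example: where on this machine could an old password for $Account be cached?
# Run locally, elevated, on the DC (or any host named by the failure audits).
# The account name is a hypothetical assumption of this example.
param([string]$Account = 'jdoe')
$pat = [regex]::Escape($Account)

'== Services running as the account =='
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -match $pat } |
    Select-Object Name, StartName, State, StartMode | Format-Table -AutoSize

'== Scheduled tasks running as the account (next run time shows the hourly pattern) =='
schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -match $pat } |
    Select-Object TaskName, 'Run As User', 'Next Run Time', 'Last Result' | Format-Table -AutoSize

'== Stored user names and passwords for the CURRENT logon session =='
# Same data as the "Stored User Names and Passwords" control panel; delete entries
# that duplicate the logon credential with: cmdkey /delete:<target>
cmdkey /list | Where-Object { $_ -match 'Target:|User:' }

'== Persistent ("reconnect at logon") drive mappings under every loaded user hive =='
# HKU\<SID>\Network\<letter> holds RemotePath and, if explicit credentials were given, UserName
Get-ChildItem Registry::HKEY_USERS | ForEach-Object {
    $net = Join-Path $_.PSPath 'Network'
    if (Test-Path $net) {
        Get-ChildItem $net | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            [pscustomobject]@{
                Hive  = $_.PSParentPath.Split('\')[-2]   # the user SID
                Drive = $_.PSChildName
                Path  = $p.RemotePath
                User  = $p.UserName
            }
        }
    }
} | Format-Table -AutoSize

'== DHCP dynamic DNS update credentials (same as DHCP console > Advanced > Credentials) =='
netsh dhcp server show dnscredentials
```

Anything this prints that names the account is a candidate for the stale password; fix the credential there (or remove the mapping), restart the service or task, and watch the failure audits on the DC to confirm the hourly lockout stops.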