account lockout struggle
Hello,
I'm struggling to fix a chronic account lockout issue. Something on another computer on our network is trying to log in with my credentials. It tries to log in as me every second or so and then takes a break for 10 minutes and starts again.
I can see the computer that's locking me out. It's not running anything that should be logging in as me. I logged into its Credential Manager and I'm not listed anywhere. It's a Windows 7 32-bit system. Any ideas? Thank you!
The Server 2008 domain controller reports this account audit failure over and over.
Event ID 4771
Kerberos pre-authentication failed.
Account Information:
Security ID: domain\myusername
Account Name: myusername
Service Information:
Service Name: krbtgt/domain
Network Information:
Client Address: ::ffff:10.2.1.76
Client Port: 58217
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
August 10th, 2011 3:04am
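The event quoted in the post above can be decoded and tallied per source machine. The following is an added example, not code from the thread: it assumes 4771 events have been exported as text in the layout shown, the function names are hypothetical, and the sample log is constructed (the second account and address are invented).

```python
import ipaddress
import re
from collections import Counter

# Subset of Kerberos error codes defined in RFC 4120.
FAILURE_CODES = {
    0x12: "KDC_ERR_CLIENT_REVOKED",   # credentials revoked (locked/disabled)
    0x17: "KDC_ERR_KEY_EXPIRED",      # password has expired
    0x18: "KDC_ERR_PREAUTH_FAILED",   # pre-auth data invalid, usually a bad password
    0x25: "KRB_AP_ERR_SKEW",          # clock skew too great
}
PREAUTH_TYPES = {2: "PA-ENC-TIMESTAMP"}  # password-derived key encrypts a timestamp

FIELD = re.compile(
    r"^[ \t]*(Account Name|Client Address|Failure Code|Pre-Authentication Type)"
    r":[ \t]*(\S+)", re.M)

def parse_4771(text):
    """Decode one event 4771 message body into a dict."""
    f = dict(FIELD.findall(text))
    addr = ipaddress.ip_address(f["Client Address"])
    # IPv4 clients are logged as IPv4-mapped IPv6 (::ffff:a.b.c.d); unwrap them.
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    code = int(f["Failure Code"], 16)
    pa = int(f["Pre-Authentication Type"])
    return {"account": f["Account Name"], "client": str(addr),
            "failure": FAILURE_CODES.get(code, hex(code)),
            "preauth": PREAUTH_TYPES.get(pa, str(pa))}

def failures_by_source(log):
    """Count bad-password pre-auth failures per (account, client address)."""
    chunks = re.split(r"(?m)^Event ID 4771[ \t]*$", log)
    events = [parse_4771(c) for c in chunks if "Client Address:" in c]
    return Counter((e["account"], e["client"]) for e in events
                   if e["failure"] == "KDC_ERR_PREAUTH_FAILED")

def make_event(account, client):  # builds constructed sample text in the post's layout
    return ("Event ID 4771\nKerberos pre-authentication failed.\n"
            f"Account Information:\nAccount Name: {account}\n"
            f"Network Information:\nClient Address: {client}\nClient Port: 58217\n"
            "Additional Information:\nTicket Options: 0x40810010\n"
            "Failure Code: 0x18\nPre-Authentication Type: 2\n")

# Constructed sample: two failures from the post's client, one from another host.
SAMPLE = (make_event("myusername", "::ffff:10.2.1.76") * 2
          + make_event("otheruser", "::ffff:10.2.1.90"))

if __name__ == "__main__":
    for (account, client), n in failures_by_source(SAMPLE).most_common():
        print(f"{account} <- {client}: {n} failed pre-auth attempts")
```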
Reboot into safe mode and run antivirus/malware scans. Ports in that high a range are typically private/dynamic ports and are often used by malware.
Rich Prescott | MCITP, MCTS, MCP
Blog | Twitter: @Arposh | Powershell Client System Administration tool
August 10th, 2011 3:19am
This usually happens when your password changes and something on the locking computer is still using the old credentials. Double check that nothing is running under your account on the locking computer in the following areas:
Services
Scheduled tasks
Network drive mappings
Remote desktop sessions
Startup scripts
It looks like there's Kerberos authentication involved there, so you might try enabling Kerberos logging. This can be a bit complex, but I have found a related forum post that can help with this process:
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/92369c2f-44f1-412c-9a8e-fdc1ef218cfd/
August 10th, 2011 3:23am
Yes. This happened right after a password change, but I swear I never logged in in any way to this computer or set any services to use my "user" account. I set a mapped network drive, but I used my administrative user account which is the only account that I use for admin purposes because it's the only one that actually has access to anything. The user account that's being locked doesn't have elevated credentials so really couldn't be used to run anything on a client. I'm completely baffled here.
August 10th, 2011 6:20am
Hello,
First of all, identify the source computer. Once done, go on it and check if there is a service / application that is running under a wrong password of this user.
Also check that it is not infected by viruses.
Have a look at Paul's article: http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html
August 10th, 2011 9:17am
Hi,
It seems that there are viruses in the computers which always lock your account out. Some services or applications are trying your password. Please check whether there are some services and applications under your session.
I have included a link here:
Virus alert about the Win32/Conficker worm
http://support.microsoft.com/kb/962007
Best Regards,
Yan Li
August 10th, 2011 11:31am