Accounts Locking on Windows 7
Hello, We are starting to roll out Win7. We implemented 5 machines so far and 2 of them have a problem where the user's domain account is constantly getting locked (usually several times each day but at random intervals). The other 3 machines are OK, but we see errors in the domain controller event log for those also. The event log entry is at the end of the post (I've redacted some items). Note that we've tried the following: removing/re-adding to the domain, running Sysprep to generate a new SID, disabling Java updater, removing all network drive and network printer mappings, turning off Kerberos pre-authentication for the user account. Any suggestions would be appreciated.

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 5/15/2012
Time: 3:05:16 PM
User: NT AUTHORITY\SYSTEM
Computer: (Domain Controller's hostname)
Description:
Pre-authentication failed:
    User Name: Redacted
    User ID: Domain\Redacted
    Service Name: krbtgt/PROGENICS.COM
    Pre-Authentication Type: 0x2
    Failure Code: 0x18
    Client Address: 172.16.18.133
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
May 15th, 2012 4:57pm

Hi, Are you in a Windows Server 2003 domain? If so: Windows Vista and later Windows operating systems support the use of AES 128 and AES 256 encryption with the Kerberos authentication protocol. However, AES encryption is not supported in Windows Server 2003. When a Windows 7 client sends a Kerberos authentication request to the DC, it uses AES to protect the authentication message. Because a Windows Server 2003 DC does not support AES, it logs a 675 event and replies with the encryption types that it does support. The Windows 7 client then uses the highest encryption type the domain controller supports (RC4-HMAC) and is able to supply pre-authentication successfully. To get rid of the 675 event, you can force the Windows 7 computers to use the previous encryption type. To do so, please create the following registry value on the Windows 7 computers:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Name: DefaultEncryptionType
Type: REG_DWORD
Value: 23 (dec) or 0x17 (hex)

Then please reboot the computers. Regards, Sabrina TechNet Subscriber Support. If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here. Sabrina TechNet Community Support
May 15th, 2012 11:42pm
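The registry change above, as an added PowerShell example that is not code from Sabrina's post or from a Microsoft KB article. The function names are my own; the encryption type numbers are the standard Kerberos etype identifiers (17 = AES128, 18 = AES256, 23 = RC4-HMAC). It reads the current value, provides a setter limited to those three types, and includes the caveat a practitioner would want: pinning 23 keeps the client on RC4-HMAC, which costs nothing while the DCs are Windows Server 2003 (they hold no AES keys anyway) but should be removed once the domain is upgraded.

```powershell
# Added example (not from the thread or from Microsoft): inspect, set and remove the
# Kerberos DefaultEncryptionType value discussed above. Run in an elevated session on
# the Windows 7 client; the value only takes effect after a reboot.
$KerbParams = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$EtypeNames = @{
    1  = 'DES-CBC-CRC'
    3  = 'DES-CBC-MD5'
    17 = 'AES128-CTS-HMAC-SHA1-96'
    18 = 'AES256-CTS-HMAC-SHA1-96'
    23 = 'RC4-HMAC'
}

function Get-KerberosDefaultEtype {
    # Returns $null when the value is absent, i.e. the client negotiates and offers AES first.
    $item = Get-ItemProperty -Path $KerbParams -Name DefaultEncryptionType -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.DefaultEncryptionType
}

function Set-KerberosDefaultEtype {
    # Only the three etypes a Windows 7 client can actually be pinned to are accepted.
    param([Parameter(Mandatory=$true)][ValidateSet(17, 18, 23)][int]$Etype)
    if (-not (Test-Path $KerbParams)) { New-Item -Path $KerbParams -Force | Out-Null }
    New-ItemProperty -Path $KerbParams -Name DefaultEncryptionType -PropertyType DWord `
        -Value $Etype -Force | Out-Null
}

function Remove-KerberosDefaultEtype {
    # Undo the pin once the DCs run a release that supports AES.
    Remove-ItemProperty -Path $KerbParams -Name DefaultEncryptionType -ErrorAction SilentlyContinue
}

$current = Get-KerberosDefaultEtype
if ($null -eq $current) {
    'DefaultEncryptionType is not set; the client will offer AES and fall back to what the KDC supports.'
} else {
    'DefaultEncryptionType = {0} (0x{0:X}) = {1}' -f $current, $EtypeNames[$current]
}

# Pin RC4-HMAC (23 / 0x17) only while the DCs are Windows Server 2003; leaving the value in
# place after the domain is upgraded keeps this client on the weaker cipher.
# Set-KerberosDefaultEtype -Etype 23
# Restart-Computer
```

Keep the setter call commented out until you have confirmed the current value on the machine; the script prints the existing setting first so a client that has already been pinned by a colleague (as happens later in this thread) is visible before anything is changed.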

Yes we are using a Windows 2003 domain. Ok thanks will try that.
May 17th, 2012 1:56pm

Hello, Another guy in our department had tried that. He also tried:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Name: LMCompatibilityLevel
Value: 1

Neither of these resolved the problem. Any other suggestions? Note that the forest is still in Windows 2000 mode, so we're thinking that could be contributing to the issue. Thanks...
May 17th, 2012 2:02pm

Hi, Did you install the following hotfix? "Event ID 677 and event ID 673 audit failure messages are repeatedly logged to the Security log of domain controllers that are running Windows 2000 and Windows Server 2003". Regards, Sabrina TechNet Subscriber Support
May 19th, 2012 1:05am

Please check if the steps in the following article help: "Troubleshooting Account Lockout". Also, as this issue is more related to your domain configuration, in order to get an answer effectively it is recommended to submit a new question in the Windows Server forum. The reason we recommend posting appropriately is that you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding. Regards, Sabrina TechNet Subscriber Support
May 22nd, 2012 10:44pm
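The first step of any lockout-source hunt of the kind the "Troubleshooting Account Lockout" article describes is to find which client address is presenting bad credentials for which account. The following is an added PowerShell example, not code from the thread or from Microsoft: it parses 675 failure-audit messages of the shape quoted in the first post and ranks KDC_ERR_PREAUTH_FAILED hits by account and client address. Failure Code 0x18 is KDC_ERR_PREAUTH_FAILED per RFC 4120, meaning the KDC could not verify the pre-authentication data with the account's current key, which is why this code, and not the routine 0x19 (KDC_ERR_PREAUTH_REQUIRED), is the one to count. The sample events are constructed from the quoted format; the user names and the second address are made up, and DC01 in the usage comment is a placeholder.

```powershell
# Added example (not from the thread or from Microsoft): triage 675 pre-authentication
# failures by account and client address. $SampleEvents is constructed for this example
# from the field layout of the event quoted in the first post.
$SampleEvents = @(
    "Pre-authentication failed:`r`n`tUser Name:`tuser1`r`n`tUser ID:`tDOMAIN\user1`r`n`tService Name:`tkrbtgt/PROGENICS.COM`r`n`tPre-Authentication Type:`t0x2`r`n`tFailure Code:`t0x19`r`n`tClient Address:`t172.16.18.133",
    "Pre-authentication failed:`r`n`tUser Name:`tuser1`r`n`tUser ID:`tDOMAIN\user1`r`n`tService Name:`tkrbtgt/PROGENICS.COM`r`n`tPre-Authentication Type:`t0x2`r`n`tFailure Code:`t0x18`r`n`tClient Address:`t172.16.18.133",
    "Pre-authentication failed:`r`n`tUser Name:`tuser1`r`n`tUser ID:`tDOMAIN\user1`r`n`tService Name:`tkrbtgt/PROGENICS.COM`r`n`tPre-Authentication Type:`t0x2`r`n`tFailure Code:`t0x18`r`n`tClient Address:`t172.16.18.133",
    "Pre-authentication failed:`r`n`tUser Name:`tuser2`r`n`tUser ID:`tDOMAIN\user2`r`n`tService Name:`tkrbtgt/PROGENICS.COM`r`n`tPre-Authentication Type:`t0x2`r`n`tFailure Code:`t0x18`r`n`tClient Address:`t172.16.18.140"
)

# KDC error codes (RFC 4120 section 7.5.9) as they appear in the Failure Code field.
$FailureCodes = @{
    '0x6'  = 'KDC_ERR_C_PRINCIPAL_UNKNOWN'   # account does not exist
    '0xE'  = 'KDC_ERR_ETYPE_NOSUPP'          # no common encryption type
    '0x12' = 'KDC_ERR_CLIENT_REVOKED'        # account disabled, expired or locked out
    '0x17' = 'KDC_ERR_KEY_EXPIRED'           # password expired
    '0x18' = 'KDC_ERR_PREAUTH_FAILED'        # wrong password / stale cached credential
    '0x19' = 'KDC_ERR_PREAUTH_REQUIRED'      # normal first AS-REQ without pre-auth; noise
    '0x25' = 'KRB_AP_ERR_SKEW'               # clock skew
}

function ConvertFrom-Event675 {
    # Turn one 675 message into an object with the fields the lockout hunt needs.
    param([Parameter(Mandatory=$true)][string]$Message)
    $fields = @{}
    foreach ($line in ($Message -split "`r?`n")) {
        # "Field Name:<whitespace>value"; the bare "Pre-authentication failed:" header has no value and is skipped
        if ($line -match '^\s*([^:]+):\s*(\S.*?)\s*$') { $fields[$matches[1].Trim()] = $matches[2] }
    }
    $code   = $fields['Failure Code']
    $reason = if ($code -and $FailureCodes.ContainsKey($code)) { $FailureCodes[$code] } else { 'UNKNOWN' }
    New-Object PSObject -Property @{
        User   = $fields['User ID']
        Client = $fields['Client Address']
        Code   = $code
        Reason = $reason
    }
}

function Get-LockoutSource {
    # Count only real pre-auth failures (0x18) and rank them by account and source address.
    param([Parameter(Mandatory=$true)][string[]]$Messages)
    $Messages | ForEach-Object { ConvertFrom-Event675 -Message $_ } |
        Where-Object { $_.Code -eq '0x18' } |
        Group-Object -Property User, Client |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count,
            @{ Name = 'User';   Expression = { $_.Group[0].User } },
            @{ Name = 'Client'; Expression = { $_.Group[0].Client } }
}

Get-LockoutSource -Messages $SampleEvents | Format-Table -AutoSize

# Against a live Windows Server 2003 DC (DC01 is a placeholder), feed real messages instead:
# $live = Get-EventLog -LogName Security -ComputerName DC01 -InstanceId 675 -Newest 1000 |
#             Select-Object -ExpandProperty Message
# Get-LockoutSource -Messages $live
```

Run it against each domain controller, since the lockout counter is incremented by whichever DC receives the bad attempt; the client address with the most 0x18 entries for the locked account is the machine on which to inspect cached credentials, mapped drives, scheduled tasks and services.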

That hotfix only suppresses the Event Log entry on the domain controller; it does not appear to have anything to do with the domain accounts locking.
May 24th, 2012 5:06pm

Please check if the steps in the following article help: "Troubleshooting Account Lockout". Also, as this issue is more related to your domain configuration, in order to get an answer effectively it is recommended to submit a new question in the Windows Server forum. The reason we recommend posting appropriately is that you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding. Regards, Sabrina TechNet Subscriber Support
May 24th, 2012 10:24pm

Hi Sabrina, We already tried all of the steps in that article. Also, you mention that this is a domain problem, but this issue only occurs on Windows 7 machines. None of our XP, Server 2003, or Server 2008 member servers have this issue. Please provide other suggestions. Thanks.
May 30th, 2012 2:05pm

This topic is archived. No further replies will be accepted.