Hi there...One of the admin account is getting this message "The referenced account is currently locked out and may not be logged on to" every day frequently when logging in to Windows 7 / Server 2008. I also checked the account lockout...I didnt make any changes for a long time. This admin account was fine, without getting this message last week...but towards the end of the month, I reset the password for this account. It started to happen after that. Again today after that happened, I checked the account lockout policy in AD, its set the same as it was before...is there anyway we can stop that happening frequently everyday....pls let me know.VT

1. Are there any traces in Event logs? 2. Try to disable and enable this domain account in domain controller. Regards Milos

Hi, The issue can occur if you have mistyped the password several times and the system will block the account for logging on. In this case, I suggest checking the following settings: 1. Open Control Panel -> Administrative Tools -> Local Security Policy. 2. Click Security Settings -> Account Policies -> Account Lockout Policy. 3. Double-click Account lockout threshold, and type 0 to make the account will not lock out. 4. Click OK. Juke Chou TechNet Subscriber Support If you are TechNet Subscription user and have any feedback on our support quality, please send your feedbackhere.Juke Chou TechNet Community Support

Perhaps if W 7/W2K8 are part of domain, then there is alternative group policy setting(s). What is set locally in group policy may be disregarded in subsequent GPO settings according to LSDOU rule. Your problem is not common to the default setting. It is helpful for troubleshooting to know the domain configuration/GPO (resulting set of GPO). Regards Milos

Here is the event log entries, which is happening in the frequency of 9:03AM - 8:45AM - 8:38AM - 8:34AM - 8:03AM - 7:37AM (last 3 days since I changed the password) I am sure, its only for one admin ID and there was no changes made in Group Policy in AD (Yes, W7 & Win2K8 are part of the domain) and once I login, I checked the account in the AD, its not locked or disabled. Pls let me know any solutions. Log Name: Security Source: Microsoft-Windows-Security-Auditing Date: 5/4/2012 8:48:36 AM Event ID: 4625 Task Category: Account Lockout Level: Information Keywords: Audit Failure User: N/A Computer: server.domain.com Description: An account failed to log on. Subject: Security ID: NULL SID Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: NULL SID Account Name: admin1 Account Domain: domain Failure Information: Failure Reason: Account locked out. Status: 0xc0000234 Sub Status: 0x0 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: server Source Network Address: - Source Port: - Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. Event Xml: <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"> <System> <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" /> <EventID>4625</EventID> <Version>0</Version> <Level>0</Level> <Task>12546</Task> <Opcode>0</Opcode> <Keywords>0x8010000000000000</Keywords> <TimeCreated SystemTime="2012-05-04T14:48:36.387224800Z" /> <EventRecordID>5256027</EventRecordID> <Correlation /> <Execution ProcessID="568" ThreadID="23972" /> <Channel>Security</Channel> <Computer>server.domain.com</Computer> <Security /> </System> <EventData> <Data Name="SubjectUserSid">S-1-0-0</Data> <Data Name="SubjectUserName">-</Data> <Data Name="SubjectDomainName">-</Data> <Data Name="SubjectLogonId">0x0</Data> <Data Name="TargetUserSid">S-1-0-0</Data> <Data Name="TargetUserName">admin1</Data> <Data Name="TargetDomainName">domain</Data> <Data Name="Status">0xc0000234</Data> <Data Name="FailureReason">%%2307</Data> <Data Name="SubStatus">0x0</Data> <Data Name="LogonType">3</Data> <Data Name="LogonProcessName">NtLmSsp </Data> <Data Name="AuthenticationPackageName">NTLM</Data> <Data Name="WorkstationName">Server</Data> <Data Name="TransmittedServices">-</Data> <Data Name="LmPackageName">-</Data> <Data Name="KeyLength">0</Data> <Data Name="ProcessId">0x0</Data> <Data Name="ProcessName">-</Data> <Data Name="IpAddress">-</Data> <Data Name="IpPort">-</Data> </EventData> </Event> VT

Hi Juke / Milos any solutions pls let me knowVT

Hi, I found a troubleshooting guide, please refer to the acrticle to troubleshoot your issue. http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspxJuke Chou TechNet Community Support

A couple of other things to check: 1. Check the status of this account on each of the DC's - it appears it IS locked out, but you are not seeing it on the one you check 2. Check the account is not being used to run any services, there are no mapped drives using an old password, and no other scripts or scheduled tasks running with these credentials

Hi Juke & Richard...thanks for the input....I checked and found that there was a service using that admin account, hence I changed that. Even after that, I found the same thing happening in the same time frequency. I also tried to reset to the old password which didnt have any issue last month...but today, I checked its still the same. Another thing I tried is, used the eventcombMT tool and found this log...any clue please let me know...or any other recommendation, let me know... 4625,AUDIT FAILURE,Microsoft-Windows-Security-Auditing,Wed May 09 16:28:00 2012,No User,An account failed to log on. Subject: Security ID: S-1-0-0 Account Name: - Account Domain: - Logon ID: 0x0 Logon Type: 3 Account For Which Logon Failed: Security ID: S-1-0-0 Account Name: admin Account Domain: domain Failure Information: Failure Reason: %%2307 Status: 0xc0000234 Sub Status: 0x0 Process Information: Caller Process ID: 0x0 Caller Process Name: - Network Information: Workstation Name: client1 Source Network Address: 192.x.x.19 Source Port: 1380 Detailed Authentication Information: Logon Process: NtLmSsp Authentication Package: NTLM Transited Services: - Package Name (NTLM only): - Key Length: 0 This event is generated when a logon request fails. It is generated on the computer where access was attempted. The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe. The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network). The Process Information fields indicate which account and process on the system requested the logon. The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases. The authentication information fields provide detailed information about this specific logon request. - Transited services indicate which intermediate services have participated in this logon request. - Package name indicates which sub-protocol was used among the NTLM protocols. - Key length indicates the length of the generated session key. This will be 0 if no session key was requested. VT

The problem you are using is with the account you are using to logon with, the SID is "Nobody" See here:http://support.microsoft.com/kb/243330 Suggest you create a new user account and try again.

Hi, I also notice that the log mentioned the SID is null. Please try the Richard's suggestion to create a new account. Juke Chou TechNet Community Support

Thanks Richard and Juke...will try that...any clues what would have caused to change that? as it was fine till last month end. Pls let me know....is there a way I can find what changed it? VT

It could be that your server was created from an image that didn't generate new SID's, you can check your machines sid with http://technet.microsoft.com/en-us/sysinternals/bb897417.aspx Also, you check your local security policy property "Network Access: Sharing and security model for local accounts" found under "Security Options" - should be at the default setting of "Classic - local users authenticate as themselves"

Hi, Any update?Juke Chou TechNet Community Support

Hi Juke...created another user and it works fine...thanks for Richard and your helpVT

Hi, Welcome :) Glad to hear it works. Juke Chou TechNet Community Support