Windows 7 account lockouts Event ID: 4776 Authentic Package: MICROSOFT_AUTHENTICATION_pACKAGE_V1_0
Hello, hope someone can help. Users are getting intermittently locked out by domain controllers, which are Windows 2008 R2
hosted in VMware vSphere 5.0.
They are logging on with local accounts to Windows 7 Enterprise desktops which are
not part of the domain. They connect to network shares, SharePoint, Instant Messenger by
providing their domain logon credentials.
Intermittently a DC will log a bad password and lock them out, preventing them from accessing
network resources; however, their password has not changed.
The error log on the server shows the following:
Log Name: Security
Source: MS Windows Security
Event ID: 4776
Task Category: Credential Validation
Keywords: Audit Failure
Authentic Package: MICROSOFT_AUTHENTICATION_pACKAGE_V1_0
Logon Account: user's network log on account
Source Workstation: Users Windows 7 Desktop
Error Code: 0xc000006a
I have launched "control userpasswords2" from the run command and cleared any cached account passwords on the desktop machine but this did not fix the issue.
May 15th, 2012 6:01am
Hi,
This type of issue should be more related to domain controller settings.
I found a similar case on a third-party website. For your reference:
http://eventid.net/display-eventid-4776-source-Microsoft-Windows-Security-Auditing-eventno-10736-phase-1.htm
If the issue persists after performing the steps above, I recommend posting your problem on the
Server Forum.
Kim Zhou
TechNet Community Support
May 16th, 2012 5:35am
Hi Kim, thanks for your response, it's appreciated. The "Send LM & NTLM - use NTLMv2 session security if negotiated" option was already enabled in Local Security Policy.
However I have done the following additional steps, and it seems to be working OK for now:
Typed the following from the run box: rundll32.exe keymgr.dll KRShowKeyMgr or control userpasswords2, then go to Advanced - Manage Passwords and remove any locally cached accounts.
Open regedit and go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon - set CachedLogonsCount to 0
Make a note of mapped drives then from a command prompt type: net use * /DELETE - to clear mapped drives, some of these were set to "connect as different user" which may have had old passwords cached
Open Local Group Policy Editor: type gpedit.msc - go to - Computer Configuration\Administrative Templates\System\User Profiles\Delete cached copies of roaming profiles - changed to "enable"
Regards
Ben
May 17th, 2012 8:05am
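Added example, not part of the original thread: a PowerShell sketch that summarizes failed event 4776 credential validations by account, source workstation and status code, which shows which machine keeps presenting the stale password. The account and workstation names and the sample events are constructed; TargetUserName, Workstation and Status are the data fields of event 4776.

```powershell
# Status codes that commonly appear in failed 4776 events.
$StatusText = @{
    '0xc000006a' = 'wrong password'
    '0xc0000064' = 'unknown user name'
    '0xc0000234' = 'account locked out'
    '0xc0000071' = 'password expired'
    '0xc0000072' = 'account disabled'
}

function ConvertFrom-Event4776 {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        # Flatten <Data Name='...'>value</Data> pairs into a hashtable.
        $data = @{}
        foreach ($d in ([xml]$EventXml).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $status = "$($data['Status'])".ToLower()
        if ($status -eq '0x0') { return }   # successful validation, skip
        [pscustomobject]@{
            Account     = $data['TargetUserName']
            Workstation = $data['Workstation']
            Status      = $status
            Meaning     = if ($StatusText.ContainsKey($status)) { $StatusText[$status] } else { 'other' }
        }
    }
}

# Constructed sample events (hypothetical helper, for offline use only).
function New-SampleEvent($User, $Workstation, $Status) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='Workstation'>$Workstation</Data>" +
    "<Data Name='Status'>$Status</Data></EventData></Event>"
}
$events = @(
    New-SampleEvent 'jdoe'   'WIN7-DESK01' '0xc000006a'
    New-SampleEvent 'jdoe'   'WIN7-DESK01' '0xc000006a'
    New-SampleEvent 'jdoe'   'WIN7-DESK01' '0xc0000234'
    New-SampleEvent 'asmith' 'WIN7-DESK07' '0x0'
)

# On a domain controller, feed real events instead of $events:
#   Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4776 } |
#       ForEach-Object { $_.ToXml() }
$events | ConvertFrom-Event4776 |
    Group-Object Account, Workstation, Meaning |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

A run of "wrong password" results from one workstation followed by "account locked out" for the same account points at credentials stored on that machine, which is what the cleanup steps above remove.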