Go Back   Tech Support Forum > Microsoft Support > Windows 7 , Windows Vista Support

User Tag List

[SOLVED] Constant Account Lockouts

This is a discussion on [SOLVED] Constant Account Lockouts within the Windows 7 , Windows Vista Support forums, part of the Tech Support Forum category. I've been battling an issue the last few days of a user being locked out 25 times a day. I


Closed Thread
 
Thread Tools Search this Thread
Old 07-18-2014, 07:09 AM   #1
Registered Member
 
nhammen09's Avatar
 
Join Date: Apr 2013
Location: Pomeroy, IA
Posts: 98
OS: Linux Mint 17.3, Deepin, Ubuntu 16.10, Fedora 24



I've been battling an issue the last few days of a user being locked out 25 times a day. I don't have any leads from the security log on the AD server. The lockout is occuring from the user's system from the look of the logs and it mentions Advapi quite a bit, so it has to be occuring when logging into CompanyWeb. None of the logs mentions a bad username or password. I have attached 2 of the most common log entries below (modified for security).

#1

An account failed to log on.

Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0

Logon Type: 3

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: theuser
Account Domain: DOMAIN

Failure Information:
Failure Reason: Account locked out.
Status: 0xc0000234
Sub Status: 0x0

Process Information:
Caller Process ID: 0x0
Caller Process Name: -

Network Information:
Workstation Name: BADCOMPUTER
Source Network Address: USERPC
Source Port: 50667

Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0


#2

An account failed to log on.

Subject:
Security ID: NETWORK SERVICE
Account Name: SERVER$
Account Domain: DOMAIN
Logon ID: 0x3e4

Logon Type: 8

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: theuser
Account Domain: DOMAIN

Failure Information:
Failure Reason: Account locked out.
Status: 0xc0000234
Sub Status: 0x0

Process Information:
Caller Process ID: 0x60a8
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
Workstation Name: SERVER
Source Network Address: USERPC
Source Port: 50435

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0


#3

An account failed to log on.

Subject:
Security ID: SYSTEM
Account Name: SERVER$
Account Domain: DOMAIN
Logon ID: 0x3e7

Logon Type: 8

Account For Which Logon Failed:
Security ID: NULL SID
Account Name: theuser
Account Domain: DOMAIN

Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a

Process Information:
Caller Process ID: 0x1794
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
Workstation Name: SERVER
Source Network Address: USERPC
Source Port: 50655

Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0


Any help would be appreciated. There are no "logon" failure events that mention this user, but the account seems to get locked out around 25 times a day.

Thanks everyone.
nhammen09 is offline  
Sponsored Links
Advertisement
 
Old 07-18-2014, 09:08 AM   #2
Moderator
- Microsoft Support
 
djaburg's Avatar
 
Join Date: May 2008
Location: San Diego, CA
Posts: 5,143
OS: XP SP3/Vista/7 Server 2K/2K3/2K8 Linux



Is it possible that the user has his smartphone trying to connect to the network causing this?

You can also check this for more information on trying to determine the cause.

It's also possible that they could have a worm/virus on their computer like the Conficker worm.
__________________

From time to time, we have been tempted to believe that society has become too complex to be managed by self-rule, that government by an elite group is superior to government for, by, and of the people. But if no one among us is capable of governing himself, then who among us has the capacity to govern someone else?
-Ronald Reagan, 1981 Inaugural Address-
djaburg is offline  
Old 07-18-2014, 09:27 AM   #3
TSF Enthusiast
 
Join Date: Jan 2012
Posts: 165
OS: Windows 7



If you're not able to find anything from following what djaburg has posted, you might want to give this a try: Account Lockout Tools.

We had a similar thing happening to one of our users and the Lockoutstatus tool helped us to determine the issue.
cgc018 is offline  
Sponsored Links
Advertisement
 
Old 07-18-2014, 10:36 AM   #4
Registered Member
 
nhammen09's Avatar
 
Join Date: Apr 2013
Location: Pomeroy, IA
Posts: 98
OS: Linux Mint 17.3, Deepin, Ubuntu 16.10, Fedora 24



djaburg, I have verified with 3 malware scans that there is no active infection. She does not use her smartphone on the network since they don't utilize WIFI at this site. I am going to run the ALT too see what I can find on that. I have also cleared out her scheduled tasks and disabled startup items in msconfig. I will keep you posted when I get more information and results.
nhammen09 is offline  
Old 07-21-2014, 01:01 AM   #5
TSF Emeritus
 
Join Date: Mar 2007
Location: South Australia
Posts: 15,079
OS: Windows 8.1



Hello nhammen09

I see this all the time at work. Here are the basic things to do first.

Is the user logged into any other computer?
-Did they select switch user instead of logging of a computer one day?

Download Lockoutstaus as suggested by cgc018 (this is a great tool)
-Have your user shut down any computer they are logged into
-Unlock the users account either with AD or LockOutstatus
-Keep an eye out on Lockoutstatus for Bad Password Attempts (give it a good amount of time) you will have to press f5 to refresh.

If the bad password attempt goes up it is an issue with something other than the PC (As the PC should be off)
-Do other systems use the same password as the LAN password? For example
--Exchange?
--Any Syncs with any different programs?
--Any syncs with any web portals?
--Are you sure they are logged of another computer

If the bad password counts do go up its pretty safe to say its from the machine end. One of the main things to check from here is inside the Windows Credential Manager and just delete any stored passwords.

Have you tried a full profile reset?

This may seem like its asking more questions that Answering yours, but its just a case of pin pointing the cause.
Go The Power is offline  
Closed Thread

Thread Tools Search this Thread
Search this Thread:

Advanced Search

Similar Threads
Thread Thread Starter Forum Replies Last Post
new initial diagnostic tool - DDS
**edit 12/14/08** A current sample and brief synopsis of the dds.txt is posted in the Reading Room. Recalling the discussion begun here for a tool to replace DSS.exe in our pre-posting sticky...
tetonbob The Security Hole 886 07-19-2015 12:11 PM
Published: HOW TO GET 2 INBOXES TO WORK SEPARATELY IN OUTLOOK 2007.
Please edit Post #10, not this one. ARTICLE: HOW TO GET 2 INBOXES TO WORK SEPARATELY IN OUTLOOK2007 Written By: Marc Busch (BIGBEARJEDI) Date: 02/22/2014.
BIGBEARJEDI Dead-Sea Scrolls 17 03-27-2014 09:11 AM
Unable to open programs
Good Morning, A friend called me the other night. He was unable to open any programs on his PC. Gets a message like: The specified service does not exist as an installed service. Click help for more information error code 0x80070424". I picked it up from him and tried to install Anti...
mrmuggyd Resolved HJT Threads 28 02-27-2013 02:34 PM
Network/computer hacker
First thing is first network was hacked and claimed by one of my neighbors, I went through trouble getting it back but the problems started there with my first computer same operating system as the one i am using now. Then the yahoo google and bing redirect virus was intensely messing with my...
ktruok Virus/Trojan/Spyware Help 2 11-22-2011 04:39 PM

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is on
Smilies are on
[IMG] code is on
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Post a Question


» Site Navigation
 > FAQ
  > 10.0.0.2
Powered by vBadvanced CMPS v3.2.3


All times are GMT -7. The time now is 11:18 PM.


Powered by vBulletin® Version 3.8.8
Copyright ©2000 - 2020, vBulletin Solutions, Inc.
vBulletin Security provided by vBSecurity v2.2.2 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
User Alert System provided by Advanced User Tagging v3.1.0 (Pro) - vBulletin Mods & Addons Copyright © 2020 DragonByte Technologies Ltd.
Copyright 2001 - 2018, Tech Support Forum

Windows 10 - Windows 7 - Windows XP - Windows Vista - Trojan Removal - Spyware Removal - Virus Removal - Networking - Security - Top Web Hosts