Domain User Account Keeps Locking. No hints in logs


Solution 1

Your Kerberos failure codes explained:

0x18 - The account is locked, is outside the logon hours, or the account is disabled
0xE - KDC has no support for the encryption type
0x12 - KDC Policy rejects request

Based on the 0xE and 0x12, you would want to first verify that the system time on that machine matches the time on your DCs, that the account has no logon hour restrictions, and is not disabled.

Also, what domain/forest functional level are you set to, and do you have any 2008/2008 R2 DCs?
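To make a DC export like the one in the question easier to read, here is an added Python example (not code from the question or either answer) that parses lines in the same comma-separated layout, tallies 675 pre-authentication failures per Client Address and failure code using the codes listed above, and lists the 644 lockouts. The sample lines, account name, host name and addresses are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Kerberos pre-authentication failure codes as listed in the answer above.
FAILURE_CODES = {
    "0x18": "account locked, disabled, or outside logon hours",
    "0xE": "KDC has no support for the encryption type",
    "0x12": "KDC policy rejects request",
}

# Constructed sample lines (not the asker's real data) in the same comma-separated
# export layout as the question: id, result, log, time, subject, message.
SAMPLE_LOG = """\
675,AUDIT FAILURE,Security,Thu Oct 20 09:17:26 2011,NT AUTHORITY\\SYSTEM,Pre-authentication failed:     User Name: jdoe     Service Name: krbtgt/example     Pre-Authentication Type: 0x0     Failure Code: 0x12     Client Address: 10.0.0.5    
644,AUDIT SUCCESS,Security,Thu Oct 20 08:24:17 2011,NT AUTHORITY\\SYSTEM,User Account Locked Out:     Target Account Name: jdoe     Caller Machine Name:      Caller User Name: DC01$     Caller Domain: example     Caller Logon ID: (0x0,0x3E7)    
675,AUDIT FAILURE,Security,Thu Oct 20 07:50:08 2011,NT AUTHORITY\\SYSTEM,Pre-authentication failed:     User Name: jdoe     Service Name: krbtgt/example     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: 10.0.0.5    
675,AUDIT FAILURE,Security,Thu Oct 20 07:50:08 2011,NT AUTHORITY\\SYSTEM,Pre-authentication failed:     User Name: jdoe     Service Name: krbtgt/example     Pre-Authentication Type: 0x2     Failure Code: 0xE     Client Address: 10.0.0.7    
"""

def parse_fields(message):
    """Split a 'Key: value     Key: value' message body into a dict."""
    fields = {}
    for chunk in re.split(r"\s{3,}", message.strip()):
        key, sep, value = chunk.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_line(line):
    """Parse one exported event line; the message keeps its own commas."""
    event_id, _result, _log, timestamp, _subject, message = line.split(",", 5)
    return {"event_id": event_id, "time": timestamp, **parse_fields(message)}

def summarize(log_text):
    # 644 events name only the DC as caller, so the Client Address of the 675
    # failures preceding each lockout is what points at the offending machine.
    failures = defaultdict(Counter)
    lockouts = []
    for line in filter(str.strip, log_text.splitlines()):
        event = parse_line(line)
        if event["event_id"] == "675":
            code = event.get("Failure Code", "?")
            failures[event.get("Client Address", "?")][code] += 1
        elif event["event_id"] == "644":
            lockouts.append((event["time"], event.get("Caller User Name", "")))
    return failures, lockouts

def explain(code):
    return FAILURE_CODES.get(code, "unknown failure code")
```

Run `summarize(SAMPLE_LOG)` on a real export and check whether the address that accumulates 0x18 failures is a machine the user does not normally use.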

Solution 2

I came across this little gem recently. We had a user that was getting locked just about every day. It would usually occur at logon or sometime shortly thereafter (timing was never consistent).

We used the lockout tools to determine that the lockout was coming from a desktop that she had never used. It turned out that the user naming convention y0000000 was part of the issue. The user on the machine that was locking out the account had transposed two numbers to match the locked-out user account. It had gotten cached, so when the user on the lockout machine logged in, the other account would get locked out. We opened the Credential Store and deleted the offending entry.

Fun!

Author by user630320

Updated on September 18, 2022

Comments

  • user630320
    user630320 over 1 year

    I have an account which keeps locking out every few minutes in AD.

    I'm using a Windows 7 Enterprise x64 PC and a Windows 2003 STD server.

    These are the things I have tried:

    1. Created a new profile.
    2. Removed all printers and mapped drives.
    3. Used the ALtool from Microsoft (I can't seem to find the log file under c:\windows\debug).

    Normally it should say in the log files where the account is being locked, but it doesn't say anything, as you can see below.

    These are the log files I have from my DC.

    675,AUDIT FAILURE,Security,Thu Oct 20 09:17:26 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: username     User ID:  %{S-1-5-21-284166382-85745802-1543857936-28692}     Service Name: krbtgt/domain     Pre-Authentication Type: 0x0     Failure Code: 0x12     Client Address: ip address     Certificate Issuer Name: %7     Certificate Serial Number: %8     Certificate Thumbprint: %9    
    644,AUDIT SUCCESS,Security,Thu Oct 20 08:24:17 2011,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: username     Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692}     Caller Machine Name:      Caller User Name: DC SERVER$     Caller Domain: domain     Caller Logon ID: (0x0,0x3E7)    
    644,AUDIT SUCCESS,Security,Thu Oct 20 08:21:46 2011,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: username     Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692}     Caller Machine Name:      Caller User Name: DC SERVER$     Caller Domain: domain     Caller Logon ID: (0x0,0x3E7)    
    644,AUDIT SUCCESS,Security,Thu Oct 20 08:16:55 2011,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: username     Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692}     Caller Machine Name:      Caller User Name: DC SERVER$     Caller Domain: domain     Caller Logon ID: (0x0,0x3E7)    
    644,AUDIT SUCCESS,Security,Thu Oct 20 08:13:10 2011,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: username     Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692}     Caller Machine Name:      Caller User Name: DC SERVER$     Caller Domain: domain     Caller Logon ID: (0x0,0x3E7)    
    644,AUDIT SUCCESS,Security,Thu Oct 20 08:09:25 2011,NT AUTHORITY\SYSTEM,User Account Locked Out:     Target Account Name: username     Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692}     Caller Machine Name:      Caller User Name: DC SERVER$     Caller Domain: domain     Caller Logon ID: (0x0,0x3E7)    
    675,AUDIT FAILURE,Security,Thu Oct 20 07:50:08 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: username     User ID:  %{S-1-5-21-284166382-85745802-1543857936-28692}     Service Name: krbtgt/domain     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: ip address     Certificate Issuer Name: %7     Certificate Serial Number: %8     Certificate Thumbprint: %9    
    675,AUDIT FAILURE,Security,Thu Oct 20 07:50:08 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: username     User ID:  %{S-1-5-21-284166382-85745802-1543857936-28692}     Service Name: krbtgt/domain     Pre-Authentication Type: 0x2     Failure Code: 0xE     Client Address: ip address     Certificate Issuer Name: %7     Certificate Serial Number: %8     Certificate Thumbprint: %9    
    675,AUDIT FAILURE,Security,Thu Oct 20 07:49:59 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: username     User ID:  %{S-1-5-21-284166382-85745802-1543857936-28692}     Service Name: krbtgt/domain     Pre-Authentication Type: 0x2     Failure Code: 0x18     Client Address: ip address     Certificate Issuer Name: %7     Certificate Serial Number: %8     Certificate Thumbprint: %9    
    675,AUDIT FAILURE,Security,Thu Oct 20 07:49:59 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed:     User Name: username     User ID:  %{S-1-5-21-284166382-85745802-1543857936-28692}     Service Name: krbtgt/domain     Pre-Authentication Type: 0x2     Failure Code: 0xE     Client Address: ip address     Certificate Issuer Name: %7     Certificate Serial Number: %8     Certificate Thumbprint: %9    
    
    • Ben Campbell
      Ben Campbell over 12 years
      Has the user logged in elsewhere? Is there something sitting on the keyboard? No joke, have had this happen.
    • jftuga
      jftuga over 12 years
      Does the user have a smart phone that automatically logs in and checks email? This may be using an old password.
    • user630320
      user630320 over 12 years
      The user has a desktop PC and a laptop, but he only uses one of them at a time. No smart phones.
    • user630320
      user630320 over 12 years
      Nothing on the keyboard.
    • user630320
      user630320 over 12 years
      I'm still having problems with this. I have checked all PCs which the user logged onto. Checked his other devices, e.g. smart phones. The account is still locking out.
  • user630320
    user630320 over 12 years
    I did check the PC and server local time and they do match. We have 2003 and 2008 R2 DCs.
  • user630320
    user630320 over 12 years
    I just don't understand why it doesn't say where the account has been locked out. It should say PC1 has locked this user account, but in our DC logs it just says account locked out.
  • Ben Campbell
    Ben Campbell over 12 years
    Are you still having this problem? What have you done from the PC end other than the above? Virus, malware checks? Can you remove from domain temporarily and check the behavior? I'd consider that... (Make sure you have a local admin account first.)