Domain User Account Keeps Locking. No hints in logs
Solution 1
Your Kerberos failure codes explained:
0x18 - The account is locked, is outside the logon hours, or the account is disabled
0xE - KDC has no support for the encryption type
0x12 - KDC Policy rejects request
Based on the 0xE and 0x12, you would want to first verify that the system time on that machine matches the time on your DCs, that the account has no logon hour restrictions, and is not disabled.
Also, what domain/forest function level are you set to, and do you have any 2008/2008 R2 DCs?
Solution 2
I came across this little gem recently. We had a user that was getting locked just about every day. It would usually occur at logon or sometime shortly thereafter (timing was never consistent).
We used the lockout tools to determine that the lockout was coming from a desktop that she had never used. It turned out that the user naming convention y0000000 was part of the issue. The user on the machine that was locking out the account had transposed two numbers to match the locked out user account. It had gotten cached so when the user on the lockout machine logged in the other account would get locked out. We opened the Credential Store and deleted the offending entry.
Fun!
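Added example (not from either answer or the question): the 644 lockout events in the question have an empty Caller Machine Name, so this Python code correlates each lockout with the 675 pre-authentication failures that preceded it and counts them per Client Address. It assumes the comma-separated export layout shown in the question; the sample lines, the function names and the 30-minute window are constructed for illustration, and the error names are those of RFC 4120.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Kerberos error names per RFC 4120, limited to the codes in the question's log.
KRB_ERRORS = {0x0E: "KDC_ERR_ETYPE_NOSUPP", 0x12: "KDC_ERR_CLIENT_REVOKED",
              0x18: "KDC_ERR_PREAUTH_FAILED"}

# Constructed sample in the question's export layout; users, SIDs and addresses are invented.
SAMPLE = r"""
675,AUDIT FAILURE,Security,Thu Oct 20 08:10:00 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: jdoe User ID: %{S-1-5-21-1-2-3-1001} Service Name: krbtgt/EXAMPLE Pre-Authentication Type: 0x0 Failure Code: 0x12 Client Address: 192.0.2.45 Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
644,AUDIT SUCCESS,Security,Thu Oct 20 08:09:25 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: jdoe Target Account ID: %{S-1-5-21-1-2-3-1001} Caller Machine Name: Caller User Name: DC01$ Caller Domain: EXAMPLE Caller Logon ID: (0x0,0x3E7)
675,AUDIT FAILURE,Security,Thu Oct 20 08:08:30 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: asmith User ID: %{S-1-5-21-1-2-3-1002} Service Name: krbtgt/EXAMPLE Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 192.0.2.99 Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
675,AUDIT FAILURE,Security,Thu Oct 20 08:08:05 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: jdoe User ID: %{S-1-5-21-1-2-3-1001} Service Name: krbtgt/EXAMPLE Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 192.0.2.17 Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
675,AUDIT FAILURE,Security,Thu Oct 20 08:07:40 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: jdoe User ID: %{S-1-5-21-1-2-3-1001} Service Name: krbtgt/EXAMPLE Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 192.0.2.45 Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
675,AUDIT FAILURE,Security,Thu Oct 20 08:07:10 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: jdoe User ID: %{S-1-5-21-1-2-3-1001} Service Name: krbtgt/EXAMPLE Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 192.0.2.45 Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
"""

LINE = re.compile(r"^(?P<id>\d+),AUDIT \w+,Security,(?P<ts>[^,]+),[^,]*,(?P<body>.*)$")
FAIL = re.compile(r"User Name: (?P<user>\S+).*Failure Code: (?P<code>0x[0-9A-Fa-f]+) "
                  r"Client Address: (?P<addr>.*?) Certificate Issuer Name:")
LOCK = re.compile(r"Target Account Name: (?P<user>\S+).*Caller Machine Name:(?P<caller>.*?)Caller User Name:")

def parse_events(text):
    """Turn each 675 (pre-auth failure) or 644 (lockout) line into a dict; skip the rest."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
        if m["id"] == "675" and (f := FAIL.search(m["body"])):
            code = int(f["code"], 16)
            events.append({"id": 675, "ts": ts, "user": f["user"], "addr": f["addr"].strip(),
                           "error": KRB_ERRORS.get(code, hex(code))})
        elif m["id"] == "644" and (k := LOCK.search(m["body"])):
            events.append({"id": 644, "ts": ts, "user": k["user"], "caller": k["caller"].strip()})
    return events

def lockout_sources(events, user, window=timedelta(minutes=30)):
    """Per lockout of `user`, count failed pre-auth client addresses in the window before it."""
    mine = [e for e in events if e["user"].lower() == user.lower()]
    report = {}
    for lock in (e for e in mine if e["id"] == 644):
        hits = Counter(e["addr"] for e in mine
                       if e["id"] == 675 and e["error"] == "KDC_ERR_PREAUTH_FAILED"
                       and timedelta(0) <= lock["ts"] - e["ts"] <= window)
        report[lock["ts"]] = {"caller": lock["caller"] or None, "sources": hits}
    return report
```

A client address that dominates the counts is the machine to inspect for stored credentials, such as the Credential Store entry described in Solution 2.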
user630320
Updated on September 18, 2022
Comments
-
user630320 over 1 year
I have an account which keeps locking out every few minutes in AD.
I'm using a Windows 7 Enterprise X64 PC. I'm using a Windows 2003 STD server.
These are the things I have tried.
- Created new profile.
- Removed all printers and mapped drivers.
- Used the tool from Microsoft, ALtool (I can't seem to find the log file under c:\windows\debug).
Normally it should say in the log files where the account is being locked, but it doesn't say anything, as you can see below.
These are the log files I have from my DC.
675,AUDIT FAILURE,Security,Thu Oct 20 09:17:26 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x0 Failure Code: 0x12 Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
644,AUDIT SUCCESS,Security,Thu Oct 20 08:24:17 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 20 08:21:46 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 20 08:16:55 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 20 08:13:10 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
644,AUDIT SUCCESS,Security,Thu Oct 20 08:09:25 2011,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: username Target Account ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Caller Machine Name: Caller User Name: DC SERVER$ Caller Domain: domain Caller Logon ID: (0x0,0x3E7)
675,AUDIT FAILURE,Security,Thu Oct 20 07:50:08 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
675,AUDIT FAILURE,Security,Thu Oct 20 07:50:08 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x2 Failure Code: 0xE Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
675,AUDIT FAILURE,Security,Thu Oct 20 07:49:59 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
675,AUDIT FAILURE,Security,Thu Oct 20 07:49:59 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: username User ID: %{S-1-5-21-284166382-85745802-1543857936-28692} Service Name: krbtgt/domain Pre-Authentication Type: 0x2 Failure Code: 0xE Client Address: ip address Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9
-
Ben Campbell over 12 years
Has the user logged in elsewhere? Is there something sitting on the keyboard? No joke, have had this happen.
-
jftuga over 12 years
Does the user have a smart phone that automatically logs in and checks email? This may be using an old password.
-
user630320 over 12 years
The user has a desktop PC and a laptop, but he only uses one of them at a time. No smart phones.
-
user630320 over 12 years
Nothing on keyboard.
-
user630320 over 12 years
I'm still having problems with this. I have checked all PCs which the user logged onto. Checked his other devices, e.g. smart phones. Account still locking out.
-
user630320 over 12 years
I did check the PC and server local time and they do match. We have 2003 and 2008 DC R2.
-
user630320 over 12 years
I just don't understand why it's not saying where the account has been locked out. It should say PC1 has locked this user account, but in our DC logs it just says account locked out.
-
Ben Campbell over 12 years
Are you still having this problem? What have you done from the PC end other than the above? Virus, malware checks? Can you remove from domain temporarily and check the behavior? I'd consider that... (Make sure you have a local admin account first.)