Re: Admin Account locked out every hour.




To find on which DC, server or client the problems are originating, turn on
NETLOGON DEBUGGING. That will produce a NETLOGON.LOG file in the DEBUG
directory (%WINDIR%\DEBUG).
The NLPARSE tool (from the Account Lockout and Management Tools -
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en)
will help you "read" the NETLOGON.LOG.
As the account lockouts are probably caused by a wrong password, start
NLPARSE, open the netlogon.log file and check the third option
(0xC000006A).

Start doing this at the PDC FSMO. In that netlogon.log file you will find
something (after extracting which goes into netlogon.log - out.csv) like the
following:

transitive network logon <domain name>\<user account> (via <computer>)
0xC000006A

Do the same at computer <computer>. By "the same" I mean enabling
netlogon debugging, extracting the file, reading it and possibly going to
another machine... In the end you will find the machine that is causing the
account lockouts.

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG --> http://blogs.dirteam.com/blogs/jorge/default.aspx
-----------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
-----------------------------------------------------------------------------
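
The hop-by-hop trace described in the post above can also be done on a copy of NETLOGON.LOG with a short script. This is an added example, not part of the original posting and not the NLPARSE tool: the sample lines are constructed, and the "Transitive Network logon ... from ... (via ...) Returns" layout is modelled on the lines quoted in this thread, with one record per line assumed.

```python
import re
from collections import Counter

# NTSTATUS values that appear in this thread.
WRONG_PASSWORD = 0xC000006A   # the code the post says to filter on
LOCKED_OUT = 0xC0000234       # the code in the NETLOGON.LOG lines quoted below

# One "Returns" record per line (assumption: records are not wrapped on disk).
RECORD = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: "
    r"(?P<kind>.*?) logon of (?P<account>\S+) from (?P<source>\S*)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$",
    re.IGNORECASE,
)

def failures(lines, account):
    """Return failed logon records (non-zero status) for one account."""
    out = []
    for line in lines:
        m = RECORD.match(line.strip())
        if m and m["account"].lower() == account.lower():
            status = int(m["status"], 16)
            if status != 0:
                out.append({**m.groupdict(), "status": status})
    return out

def next_hops(lines, account):
    """Count wrong-password failures per machine whose log to read next.

    The "(via X)" machine passed the logon through, so its NETLOGON.LOG is
    the next one to check; with no "(via ...)" the "from" machine is taken
    as the origin (this example's reading of the procedure).
    """
    hops = Counter()
    for rec in failures(lines, account):
        if rec["status"] == WRONG_PASSWORD:
            hops[(rec["via"] or rec["source"]).upper()] += 1
    return hops.most_common()

# Constructed sample lines, not taken from a real log.
SAMPLE = r"""
02/17 17:00:12 [LOGON] COMPANYNAME: SamLogon: Transitive Network logon of COMPANYNAME\administrator from WKS07 (via DC2) Entered
02/17 17:00:12 [LOGON] COMPANYNAME: SamLogon: Transitive Network logon of COMPANYNAME\administrator from WKS07 (via DC2) Returns 0xC000006A
02/17 17:00:40 [LOGON] COMPANYNAME: SamLogon: Transitive Network logon of COMPANYNAME\administrator from WKS07 (via DC2) Returns 0xC000006A
02/17 17:00:45 [LOGON] COMPANYNAME: SamLogon: Network logon of COMPANYNAME\jsmith from WKS11 Returns 0x0
02/17 17:00:52 [LOGON] COMPANYNAME: SamLogon: Network logon of COMPANYNAME\administrator from DC1 Returns 0xC0000234
""".strip().splitlines()

if __name__ == "__main__":
    for host, count in next_hops(SAMPLE, r"COMPANYNAME\administrator"):
        print(f"{count:3d} x 0xC000006A -> enable Netlogon debugging on {host}")
```
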


-----------------------------------------------------------------------------
"Paul Bergson" <pbergson@xxxxxxxxxx> wrote in message
news:%23dHFWOoNGHA.3284@xxxxxxxxxxxxxxxxxxxxxxx
The dcdiag may provide the info needed to determine the issue. You should
run as previously described.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA
http://www.pbbergs.com/

This posting is provided "AS IS" with no warranties, and confers no
rights.


"Serventek" <Serventek@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:890A13A6-BCB6-466C-9707-E685CC4C51AB@xxxxxxxxxxxxxxxx
I rebooted several times since the issue started occurring. All the errors that I posted really are just saying that someone is trying to log in using the administrator account and basically using the wrong password. I feel that if I can find out what is running every hour then I can determine the job or process that is responsible for using the account and old password. BTW - the logs show that this authentication (every hour) was happening successfully before the password changed.
--
Thanks -LRG


"Paul Bergson" wrote:

I am not certain on this but it appears that Kerberos is having trouble
authenticating. I would simply attempt to reboot the dc and see if that
helps (Although you have probably already done that).

You could look at the link below on Kerberos troubleshooting:
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

Also you should consider running diagnostics against your dc to see if there are any underlying issues.

Go to http://www.pbbergs.com

Select downloads and select the DCDiag and NetDiag GUI; this will provide a front end GUI for diagnostics for your network.

--
Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA


"Serventek" wrote:

We changed the administrator account's password and since then we have been seeing it locked out every hour. I have the lockout tools from Microsoft. The lockout originates from the domain controller DC1. Every hour I get this error in the event log of DC1.


Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 2/17/2006
Time: 5:00:14 PM
User: NT AUTHORITY\SYSTEM
Computer: DC1
Description:
Pre-authentication failed:
User Name: Administrator
User ID: companyname\Administrator
Service Name: krbtgt/companyname
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 127.0.0.1

I have triple checked the services and all processes running on the server. None seem to be using the Administrator account. Eventcomb shows the following errors every hour:

675,AUDIT FAILURE,Security,Mon Feb 17 17:00:12 2006,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: Administrator User ID: %{S-1-5-21-1118139714-1942908946-495535119-5467} Service Name: krbtgt/companyname Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 127.0.0.1


I turned on Netlogon logging which logs the following every hour:

02/17 17:00:52 [LOGON] companyname: SamLogon: Network logon of companyname\administrator from DC1 Entered
02/17 17:00:52 [LOGON] companyname: SamLogon: Network logon of companyname\administrator from DC1 Returns 0xC0000234

Kerberos logs the following at around the time:


Event Type: Error
Event Source: Kerberos
Event Category: None
Event ID: 3
Date: 2/17/2006
Time: 5:00:16 PM
User: N/A
Computer: DC1
Description:
A Kerberos Error Message was received:
on logon session companyname.COM\dc1$
Client Time:
Server Time: 1:3:42.0000 2/20/2006 Z
Error Code: 0x18 KDC_ERR_PREAUTH_FAILED
Extended Error:
Client Realm:
Client Name:
Server Realm: companyname
Server Name: krbtgt/companyname
Target Name: krbtgt/companyname@companyname
Error Text:
File: e
Line: 6bc
Error Data is in record data.

I find it interesting that the account lockout events above occur every hour all day and that the source address is 127.0.0.1, which means that the source is itself (domain controller, DC1). I have checked scheduled jobs in the Control Panel and through the AT command as well. Nothing is scheduled via these.

Thanks -LRG




