AD accounts randomly locking on 1st login attempt



I have several users that may or may not have an issue when they log into
their laptops using their AD accounts. On the first attempt the user will
get an error that the password/username they entered is incorrect. On the
second attempt they are notified their account is locked. This is not
happening for all users, only certain ones at random. I have verified the
lockout policy is set for 3 attempts. When I looked at one of the users'
security event logs I noticed the following 3 events:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 05/20/2008
Time: 6:10:02 AM
User: NT AUTHORITY\SYSTEM
Computer: LAP-41614
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Smithj
Domain: ENTERPRISE
Logon Type: 2
Logon Process: Advapi
Authentication Package: Negotiate
Workstation Name: LAP-41614

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 05/20/2008
Time: 6:10:02 AM
User: NT AUTHORITY\SYSTEM
Computer: LAP-41614
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Smithj
Domain: ENTERPRISE
Logon Type: 11
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: LAP-41614

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 05/20/2008
Time: 6:10:02 AM
User: NT AUTHORITY\SYSTEM
Computer: LAP-41614
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: Smithj
Domain: ENTERPRISE
Logon Type: 2
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: LAP-41614

I pasted these in chronological order as displayed in the event viewer.
The next event reports the account is locked. Notice that these 3 all
occurred at the same time. I did some research into the logon processes
mentioned and found that Advapi (not to be confused with Advapi32) could be
spyware and thus the cause. However, I am sure the Advapi mentioned is legit
as I checked several other PCs w/ no issues and found this same process
mentioned in those security event logs. Also this laptop in question is one
that was built and deployed to the user less than a day prior so, it is hard
to believe they went somewhere and got it. I also checked the user32 logon
process and found user32.exe is a known trojan. I scanned the laptop but
could not find any traces of it. Also like I mentioned prior, this is a
recently built laptop and it is hard to believe it is a trojan. I am certain
the user32 listed is actually user32.dll which appears to be a legit dll.

I checked several other users with these issues and found when their account
locked the security event log reported the same events. I checked on the
error listed event IDs and found ID 529 indicates the user tried to log in
with an unknown account (duh) or bad password (double duh), but it doesn't
make any sense why Windows is trying to log in 3 times on its own in
succession.

All users are running XP Pro. I've verified the users have all the current
Windows patches to date, including SP3. I've tried having them try with and
without a docking station, but none have worked. Does anyone have any
suggestion on what else to try? I've been banging my head against the wall
for a few weeks w/ no success.

Thanks.
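
A triage sketch for the pattern described above, added here as an example and not part of the original post: it parses text records in the layout quoted in the post and flags any account whose Event ID 529 failures within a single second reach the lockout threshold of 3, listing the logon type and logon process of each failure. The function names, the sample text and the second user "doej" are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

def make_record(time, user, logon_type, process):
    # Constructed record using the field layout quoted in the post.
    return (f"Event ID: 529\nDate: 05/20/2008\nTime: {time}\n"
            f"Description:\nLogon Failure:\n"
            f"User Name: {user}\nDomain: ENTERPRISE\n"
            f"Logon Type: {logon_type}\nLogon Process: {process}\n")

# Constructed sample: the three failures from the post plus one
# ordinary single failure for a hypothetical user "doej".
SAMPLE = "\n".join([
    make_record("6:10:02 AM", "Smithj", 2, "Advapi"),
    make_record("6:10:02 AM", "Smithj", 11, "User32"),
    make_record("6:10:02 AM", "Smithj", 2, "User32"),
    make_record("6:15:40 AM", "doej", 2, "User32"),
])

def parse_events(text):
    """Return one dict per Event ID 529 record in a text export."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(": ")
            if sep:  # skips value-less lines such as "Description:"
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") == "529":
            fields["when"] = datetime.strptime(
                f"{fields['Date']} {fields['Time']}",
                "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events

def same_second_bursts(events, threshold=3):
    """Group failures by (domain, user, second); keep groups >= threshold."""
    groups = defaultdict(list)
    for e in events:
        key = (e["Domain"].upper(), e["User Name"].lower(), e["when"])
        groups[key].append((e["Logon Type"], e["Logon Process"]))
    return {k: v for k, v in groups.items() if len(v) >= threshold}

if __name__ == "__main__":
    for (domain, user, when), paths in same_second_bursts(
            parse_events(SAMPLE)).items():
        print(f"{domain}\\{user} {when}: {len(paths)} failures via {paths}")
```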
