Re: account locked out multiple times per day



Run Procmon on the workstation and see if you can pick up what's making the NTLM calls.

--
Henry Craven {SBS-MVP}


"Joseph O'Brien" <obrien1984@xxxxxxxxxxx> wrote in message news:1184853521.211882.207440@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I'm having a bizarre problem with an account that gets locked out
multiple times per day.

My account was previously a member of the domain admins group for a
long time. Bad, I know. So, recently I pulled the account from domain
admins and made it a member of domain users.

However, it seems like if I'm not a member of domain admins, my
account gets locked out every hour or two. From the SBS 2003 security
logs:

Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 7/18/2007
Time: 3:50:42 PM
User: NT AUTHORITY\SYSTEM
Computer: BIGSERVER01
Description:
Logon Failure:
Reason: Account locked out
User Name: jobrien
Domain: SERVER01
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: 606
Caller User Name: -
Caller Domain: -
Caller Logon ID: -
Caller Process ID: -
Transited Services: -
Source Network Address: 192.168.1.138
Source Port: 2193

Prior to this entry are multiple success audits from my account and
others, which seems normal.

I have checked my machine and others for scheduled processes that
might be running with my username, etc., but I don't see anything
unusual. The security policy is set to lock out accounts after 50
invalid login attempts. I assume that those invalid attempts should
show up in the security log, which they do not.

Can anyone give me advice on how to troubleshoot this?

Thanks.
Joseph
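
Added example, not part of either post: a small Python parser for Security log text exported in the layout quoted above. It tallies Event 539 records for one account by workstation name, source address and logon process, which shows which machine to run Procmon on. Only the first sample record uses values from the post; the other records and the function names are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample input in the layout of the Event 539 quoted in the post.
# Only the first tuple uses values from the post; the rest are made up.
RECORD = """Event Type: Failure Audit
Event ID: 539
Reason: Account locked out
User Name: {user}
Logon Type: 3
Logon Process: NtLmSsp
Workstation Name: {wks}
Source Network Address: {addr}
"""
SAMPLE_LOG = "\n".join(RECORD.format(user=u, wks=w, addr=a) for u, w, a in [
    ("jobrien", "606", "192.168.1.138"),        # from the post
    ("jobrien", "606", "192.168.1.138"),        # constructed repeat
    ("jobrien", "FRONTDESK", "192.168.1.77"),   # constructed
    ("asmith", "606", "192.168.1.138"),         # constructed, other account
])

# "Field Name: value"; the key stops at the first colon so times stay intact.
FIELD = re.compile(r"^\s*([A-Za-z /]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Start a new record at each 'Event Type:' line; return a list of dicts."""
    events = []
    for line in text.splitlines():
        m = FIELD.match(line)
        if m:
            key, value = m.groups()
            if key == "Event Type":
                events.append({})
            if events:
                events[-1][key] = value
    return events

def lockout_sources(text, user):
    """Count Event 539 records for `user`, grouped by where they came from."""
    tally = Counter()
    for ev in parse_events(text):
        if ev.get("Event ID") == "539" and ev.get("User Name", "").lower() == user.lower():
            key = (ev.get("Workstation Name"), ev.get("Source Network Address"), ev.get("Logon Process"))
            tally[key] += 1
    return tally.most_common()

if __name__ == "__main__":
    for (wks, addr, proc), n in lockout_sources(SAMPLE_LOG, "jobrien"):
        print(f"{n:3d}  workstation={wks}  address={addr}  process={proc}")
```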

