Account locked on a regular basis


Hi,

I'm suffering from an account lock problem with an account in AD. I'm an admin.
I'm trying to identify the server or desktop causing this, but I'm not able to identify the source of the problem.

I have checked the computers I'm generally connected to, to validate that no services or schedules run under the account, and apparently that is correct... but I'm sure there is a process causing the problem.

My network uses SQL servers, MOSS servers, etc., a bunch of different applications.

The problem starts after I change the password (and it's not the first time I'm doing this); after rolling back to the previous password, the problem is still active.

Using the LockoutStatus tool, I can see this event:
06/26 15:43:45 [critical] nlprintrpcdebug: couldn't eeinfo i_netlogonsamlogonwithflags: 1761 (may legitimate 0xc0000234)

The event log of the DC contains this event, and the account is locked:
675,audit failure,security,fri jun 26 15:43:45 2009,nt authority\system,pre-authentication failed:     user name: <my username>     user id:  %{s-1-5-21-1417001333-1682526488-839522115-27978}     service name: krbtgt/<domain>     pre-authentication type: 0x2     failure code: 0x18     client address: 127.0.0.1   


The client address logged, 127.0.0.1, is not a valid one (so I don't know where the problem is generated).

I'm lost, I'm not able to identify the problem.

Any guidance is appreciated.

Hi,

Thank you for the reply.

Yes, the IP address means the computer is the DC itself.

I suggest you check the following settings on the DC:

· Stored User Names and Passwords retain redundant credentials: If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool.

· Scheduled tasks: Scheduled processes may be configured using the user account with an incorrect password.

· Persistent drive mappings: Persistent drives may have been established with the user account and an incorrect password.

For more information, please check the following link:

http://technet.microsoft.com/en-us/library/cc773155(ws.10).aspx

In addition, I notice the DHCP service is running on the computer. Please perform the following steps to check if the DHCP server is using the user's credentials to register DNS records:

1. Open the DHCP management console.

2. Right-click the server and select Properties.

3. Switch to the Advanced tab and click Credentials for DNS dynamic update registration.

If the user is being used, please correct the password and restart the service to check if the issue goes away.

If all of the settings have been checked and you are still not able to identify the culprit, please download and install Windows Logon Monitor on the DC:

1. Access the following space and download the Windows Logon Monitor.zip file:

https://sftasia.one.microsoft.com/choosetransfer.aspx?key=ffacfff0-416d-44e8-b642-1e4d003cf0c7
password:
q3ttnoks]l![)7g

2. Log on to the DC with an administrator account and unzip the file.

3. Open a command prompt and change to the folder where you have saved the Windows Logon Monitor setup files.

4. Type wlmsetup /setup, and then press Enter.

5. Restart the computer to complete the Windows Logon Monitor setup process.

6. After the computer starts, please verify that the following registry entries are correct:

Under the key hklm\system\currentcontrolset\control\lsa\wlmssp

debugflags       (reg_dword)       0x00000000
processfilter    (reg_multi_sz)    [blank]
userfilter       (reg_multi_sz)    [blank]
logallprocess    (reg_dword)       1
logalluser       (reg_dword)       1
installed        (reg_dword)       1

When the issue occurs, you should see WLMSSP events logged in Event Viewer. Please collect the MPSReport again and upload it to the space.

https://sftasia.one.microsoft.com/choosetransfer.aspx?key=ffacfff0-416d-44e8-b642-1e4d003cf0c7
password:
q3ttnoks]l![)7g

 

I look forward to your response.
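An added example, not part of the thread or of any Microsoft tool: a Python script that tallies event 675 bad-password failures (failure code 0x18) per client address from an exported Security log in the layout quoted above, and marks loopback addresses as coming from the DC itself. The sample rows, user names, addresses and function names are constructed for illustration.

```python
import re
from collections import Counter
from ipaddress import ip_address

KDC_ERR_PREAUTH_FAILED = 0x18  # Kerberos pre-authentication failed (wrong password)

# Constructed sample export in the same layout as the event 675 record in the thread.
# User names, SIDs and addresses are made up.
_ROW = ("675,audit failure,security,fri jun 26 15:4{m}:45 2009,nt authority\\system,"
        "pre-authentication failed:     user name: {u}     user id:  %{{S-1-5-21-0-0-0-{r}}}"
        "     service name: krbtgt/EXAMPLE     pre-authentication type: 0x2"
        "     failure code: {c}     client address: {a}")
SAMPLE_EXPORT = "\n".join(_ROW.format(m=m, u=u, r=r, c=c, a=a) for m, u, r, c, a in [
    (1, "jdoe", 1111, "0x18", "127.0.0.1"),
    (2, "jdoe", 1111, "0x18", "10.0.0.25"),
    (3, "jdoe", 1111, "0x18", "127.0.0.1"),
    (4, "jdoe", 1111, "0x17", "10.0.0.30"),    # different failure code, not counted
    (5, "asmith", 2222, "0x18", "10.0.0.40"),  # different user, not counted
    (6, "jdoe", 1111, "0x18", "127.0.0.1"),
])

FIELD = re.compile(r"(user name|failure code|client address):\s*(\S+)", re.I)

def parse_675(line):
    """Return (user, failure_code, client_address) for an event 675 row, else None."""
    if not line.startswith("675,"):
        return None
    fields = {key.lower(): value for key, value in FIELD.findall(line)}
    if len(fields) != 3:
        return None
    return fields["user name"], int(fields["failure code"], 16), fields["client address"]

def bad_password_sources(export, user):
    """Count 0x18 failures for one user, keyed by the logged client address."""
    hits = Counter()
    for line in export.splitlines():
        rec = parse_675(line.strip())
        if rec and rec[0].lower() == user.lower() and rec[1] == KDC_ERR_PREAUTH_FAILED:
            hits[rec[2]] += 1
    return hits

def report(export, user):
    """List (address, count, origin) tuples, most frequent source first."""
    def origin(addr):
        return "the DC itself" if ip_address(addr).is_loopback else "remote client"
    return [(a, n, origin(a)) for a, n in bad_password_sources(export, user).most_common()]

if __name__ == "__main__":
    for address, count, where in report(SAMPLE_EXPORT, "jdoe"):
        print(f"{address:15} {count:3} bad-password failures from {where}")
```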


