account getting locked out every 15 minutes

[jha1223]

681,AUDIT FAILURE,Security,Tue Oct 24 10:54:00 2006,NT
AUTHORITY\SYSTEM,The logon to account: hhossle by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation:
WHP-MACTIVEIMP failed. The error code was: 3221226036

Seen as event using EventCombMT. The user is not actively logged in to
the machine (via rdp or term serv). I have rebooted the server,
removed her profile from the server, and continue to have to reset her
password regularly. How do I track down what is using her old
credentials and locking her account? Thanks!

 

[Paul Bergson [MVP-DS]]

Check the services on WHP-MACTIVEIMP to see if there is any attempting to
logon as this user. Open up the services and review the logon as column
also check the scheduled tasks on this machine as well.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[jha1223]

I'm sorry, I should have clarified ... I've checked the services and
running processes - no go on either.

 

[Paul Bergson [MVP-DS]]

Try doing a search on her id within the registry, this may help pinpoint
what is using her id.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[jha1223]

Congratulations, you win the prize and I get a happy dba and a well
deserved night off! The scheduled task was using the users credentials
and not a service account. half the time spent on this was working on
finding out what server was actually using her auth. altools saved my
a$$. thanks for your help paul.

 

[Paul Bergson [MVP-DS]]

Good job!

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

Congratulations, you win the prize and I get a happy dba and a well
deserved night off! The scheduled task was using the users credentials
and not a service account. half the time spent on this was working on
finding out what server was actually using her auth. altools saved my
a$$. thanks for your help paul.

Try doing a search on her id within the registry, this may help pinpoint
what is using her id.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

I'm sorry, I should have clarified ... I've checked the services and
running processes - no go on either.
Paul Bergson [MVP-DS] wrote:
Check the services on WHP-MACTIVEIMP to see if there is any attempting
to
logon as this user. Open up the services and review the logon as
column
also check the scheduled tasks on this machine as well.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

681,AUDIT FAILURE,Security,Tue Oct 24 10:54:00 2006,NT
AUTHORITY\SYSTEM,The logon to account: hhossle by:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation:
WHP-MACTIVEIMP failed. The error code was: 3221226036

Seen as event using EventCombMT. The user is not actively logged in
to
the machine (via rdp or term serv). I have rebooted the server,
removed her profile from the server, and continue to have to reset
her
password regularly. How do I track down what is using her old
credentials and locking her account? Thanks!