Failure Audit - Account Logon

  • Thread starter Thread starter Daniel Pratt
  • Start date Start date
D

Daniel Pratt

We have been having trouble with one of our network users
constantly becoming locked out, and can't figure it out!

Here's the event log excerpt:
_____________________________________________
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 681
Date: 9/16/2003
Time: 11:31:54 AM
User: NT AUTHORITY\SYSTEM
Computer: (one of our server's name)
Description:
The logon to account: xxxxxx
by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
from workstation: (our email server's name)
failed. The error code was: 3221226036
_____________________________________________

I checked TechNet for the Event ID 681 and it's not found?

We've basically exhausted our resources trying to figure
this out... Any ideas? Any suggestions?

What can we do to prevent this user from constantly
becoming locked out of the network. This is NOT a
password problem, nor is it a matter of the user simply
mis-typing their password. It almost seems as though the
user is getting locked out every 45min-1hr throughout
their workday.

Daniel Pratt
MIS Systems Analyst
Great Blue Heron Charity Casino
Port Perry, Ontario
Canada
 
Are you using mapped drives?
Does the user have any services that are starting as that
user account?
Is the machine that's generating the account lockout the
machine they are logged into to?
 
Here's some more details on our situation...

The user logs on to their PC using their own login.
They open Outlook to connect to their exchange account.
They open something called "ReportSmith" (ADP) using a
separate login - not associated with A/D.

They can use their PC for a little while... but after a
little while (the timeframe varies) they become locked
out of the network.

The computer they are authenticating to is throwing the
error. But in the error, where it says "from
workstation:" it lists our email server's name.

As far as services loading with their user account -
nope, none that I can see.

The machine that is generating the lockout is one of our
Domain Controllers. The machine they are logging into to
is their own workstation.
 
I don't know if you have seen this already, but the account lockout
troubleshooting whitepaper is a very good resource for getting to the bottom
of account lockout issues..... look at alockout.dll which may help identify
the process that is locking the account out....

Lockout Whitepaper
http://www.microsoft.com/technet/tr...ndowsserver2003/maintain/operate/BPACTLCK.asp

Lockout tools (incl. alockout.dll)
http://download.microsoft.com/download/1/f/0/1f0e9569-3350-4329-b443-822976f29284/ALTools.exe

Also if the client is XP check for Stored Usernames and passwords see...
http://support.microsoft.com/default.aspx?scid=kb;en-us;281660

If there are no credentials stored check the profile for the credentials
file... if it is there delete it and reboot the client.

You can also disable stored credentials using the following Group Policy
setting or registry change.

New GPO for Computer Configuration:
Windows Settings --> Security Settings --> Local Policies --> Security
Options -->
Network access: Do not allow storage of credentials or .NET Passports for
network Authentication
This affects the following registry value:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\
Value Name: disabledomaincreds
Value Type: REG_DWORD
Values: 0 = allow domain credentials to be stored
1 = do not store domain credentials

HTH

Jody
 
Back
Top