G
Guest
Hello,
In our company, Active Directory many user accounts are being locked out
while the corresponding users are working on PCs with Windows 2000
professional SP4.
The domain account lockout policy is configured to lock out the user acocunt
after 3 wrong passwords.
When asked, users say they did not consciously entered their username or
password to logon to another system. Sometimes, the accounts are even locked
out when they were in a meeting and the Windows session was locked.
Furthermore, user's confirm they do not work on more than one PC
simultaneously.
The computers's local security event log shows three times the following
event at 4 seconds interval:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User:NT AUTHORITY\SYSTEM
Computer: COMPUTER1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: USER1
Domain: OUR_DOMAIN
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: COMPUTER1
And then
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER1
Description:
Logon Failure:
Reason: Account locked out
User Name: EGE
Domain: OUR_DOMAIN
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: GV2W280
The security event log on one of our Windows 2003 SP1 domain controllers
show event 644 ("User Account Locked Out"). User's PC is mentioned in the
event as "Caller Machine Name".
I even activated notlogon tracking on the domain controllers and the
nelogon.log shows that user account is always being locked out FROM user's
computer.
My question: has someone an idea on what I can do to troubleshoot what is
actually sending from user's Windows session an authentication request to the
domain controllers with their username and a wrong password ?
Any help would be very much appreciated
Ezéchiel Darvas
Switzerland
In our company, Active Directory many user accounts are being locked out
while the corresponding users are working on PCs with Windows 2000
professional SP4.
The domain account lockout policy is configured to lock out the user acocunt
after 3 wrong passwords.
When asked, users say they did not consciously entered their username or
password to logon to another system. Sometimes, the accounts are even locked
out when they were in a meeting and the Windows session was locked.
Furthermore, user's confirm they do not work on more than one PC
simultaneously.
The computers's local security event log shows three times the following
event at 4 seconds interval:
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
User:NT AUTHORITY\SYSTEM
Computer: COMPUTER1
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: USER1
Domain: OUR_DOMAIN
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: COMPUTER1
And then
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
User: NT AUTHORITY\SYSTEM
Computer: COMPUTER1
Description:
Logon Failure:
Reason: Account locked out
User Name: EGE
Domain: OUR_DOMAIN
Logon Type: 7
Logon Process: User32
Authentication Package: Negotiate
Workstation Name: GV2W280
The security event log on one of our Windows 2003 SP1 domain controllers
show event 644 ("User Account Locked Out"). User's PC is mentioned in the
event as "Caller Machine Name".
I even activated notlogon tracking on the domain controllers and the
nelogon.log shows that user account is always being locked out FROM user's
computer.
My question: has someone an idea on what I can do to troubleshoot what is
actually sending from user's Windows session an authentication request to the
domain controllers with their username and a wrong password ?
Any help would be very much appreciated
Ezéchiel Darvas
Switzerland