Jump to content


 


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.


Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.

Photo

User account being locked out without user ever logging on


  • Please log in to reply
6 replies to this topic

#1 DnDer

DnDer

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:03:58 PM

Posted 14 October 2009 - 09:27 AM

This is what the security log looks like most mornings. It's only in the last 2 days that the user has been locked out when starting the workday.

I've heard it could be outlook, stored passwords, something to do with adobe... There seems to be no consensus as to what could cause these types of errors. Looking at this, can anyone give me a better idea of what to hunt for when resolving this problem?

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3512


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3514


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3516


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:02 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 529
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Unknown user name or bad password
 	User Name:	[user]
 	Domain:		[domain]
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID:	476
 	Transited Services:	-
 	Source Network Address:	10.1.x.x
 	Source Port:	3518


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:03 AM	   Category: Account Login
Type: Failure Aud	   Event ID: 680
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon attempt by:	MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:	[user]
 Source Workstation:	[pdc]
 Error Code:	0xC000006A


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Date: [today]			 Source: Security
Time: 7:07:03 AM	   Category: Logon/Logoff
Type: Failure Aud	   Event ID: 539
User: NT AUTHORITY\SYSTEM
Computer: [pdc]

Logon Failure:
 	Reason:		Account locked out
 	User Name:	[user]
 	Domain:	NCU
 	Logon Type:	3
 	Logon Process:	Advapi  
 	Authentication Package:	Negotiate
 	Workstation Name:	[pdc]
 	Caller User Name:	[pdc]$
 	Caller Domain:	[domain]
 	Caller Logon ID:	(0x0,0x3E7)
 	Caller Process ID: 476
 	Transited Services: -
 	Source Network Address:	10.1.x.x
 	Source Port:	3521


For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.


BC AdBot (Login to Remove)

 


#2 phoeneous

phoeneous

  • Members
  • 7 posts
  • OFFLINE
  •  
  • Local time:01:58 PM

Posted 20 October 2009 - 09:44 PM

Do they have a mobile phone that gets domain email? If the password is configured incorrectly on the phone e.g. ActiveSync it will lock them out if a lockout policy is enforced.

Edited by phoeneous, 20 October 2009 - 09:45 PM.


#3 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:03:58 PM

Posted 21 October 2009 - 08:56 AM

They do not. We don't allow mobile devices connected to network resources like that.

#4 CaveDweller2

CaveDweller2

  • Members
  • 2,629 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:58 PM

Posted 21 October 2009 - 10:02 AM

Have you read this? Seems to answer your questions

Hope this helps thumbup.gif

Associate in Applied Science - Network Systems Management - Trident Technical College


#5 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:03:58 PM

Posted 21 October 2009 - 10:39 AM

MS says disable the welcome screen and use the classic logon.
All computers in the domain use a classic logon instead of the XP welcome page that displays local accounts. That occurs as soon as a computer is joined to the domain.

Obtain latest service pack for Server 03
We're already running Server '03 with SP2. With the exception of the latest releases from MS' patch day this week, we should have everything current for SPs and hotfixes.

Apply the hotfix that is mentioned in this article to the Windows Server 2003-based member computer.
Did I miss the link for the specific hotfix? I saw links for "how to download the latest service pack," but I keep reading for a link to a hotfix... and I can't see it.

Disable auditing, disable the welcome screen
Can't disable auditing, that's CIO's word on that one, and I can't change that.

The welcome screen, as above, is disabled when each computer joins the domain. The classic logon is used.

#6 CaveDweller2

CaveDweller2

  • Members
  • 2,629 posts
  • OFFLINE
  •  
  • Gender:Male
  • Local time:04:58 PM

Posted 21 October 2009 - 05:45 PM

Well upon reading that, would you agree that it is an OS issue ant not a networking issue? Perhaps asking in the OS section would be better?

Hope this helps thumbup.gif

Associate in Applied Science - Network Systems Management - Trident Technical College


#7 DnDer

DnDer
  • Topic Starter

  • Members
  • 646 posts
  • OFFLINE
  •  
  • Local time:03:58 PM

Posted 22 October 2009 - 08:33 AM

Which OS? Is it more a server issue that's registering credentials wrong? Or is it an XP issue that a machine is giving passwords wrong automatically somewhere? I see the errors, but I'm still not sure which side the problem is originating on: something with AD, or something with the user's computer?




0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users