Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Account Lockout Failure Audit events 672 & 675 on Windows Server 2003

Status
Not open for further replies.
sxmont

sxmont

IS-IT--Management
Sep 25, 2003
46
0
0
US
I have a user that keeps getting his account locked out. I was able to use the tools lockout status and EventCombMT to narrow some "things" down. I am still not sure what is causing this...

Here is from EventCombMT

672,AUDIT FAILURE,Security,Tue Sep 20 10:20:08 2011,NT AUTHORITY\SYSTEM,Authentication Ticket Request: User Name: john Supplied Realm Name: (MYDOMAIN) User ID: - Service Name: krbtgt/(MYDOMAIN) Service ID: - Ticket Options: 0x40810010 Result Code: 0x12 Ticket Encryption Type: - Pre-Authentication Type: - Client Address: 192.168.0.XXX Certificate Issuer Name: Certificate Serial Number: Certificate Thumbprint:

The above IP address is my Exchange server...

675,AUDIT FAILURE,Security,Tue Sep 20 09:00:59 2011,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: john User ID: %{S-1-5-21-1074559079-462299982-911163043-1339} Service Name: krbtgt/(MYDOMAIN) Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 192.168.0.XX Certificate Issuer Name: %7 Certificate Serial Number: %8 Certificate Thumbprint: %9

The above is my DC.

Now on The LOCKOUTSTATUS, I have to DC's, one of them has the globe in the background, which I assume is the Global Catalog Server...

I have been working on this issue for a little while, I need some assistance...
 
Sort by date Sort by votes
sxmont,
Has your user recently changed his password? Did he leave himself logged on a different machine somewhere?

When I had a user who repeated did the above, I would have to look at the security event logs on the DCs for ID 644 to find out what machine she left herself logged in on. Of course after changing her password, that machine kept trying to log her in with the now "wrong" password & would therefore lock her account.

Maybe this will help.

Kmills
 
Upvote 0 Downvote
Thank You for your reply.

I do not see any 644 errors. I have one DC that is 2003 and another that is Windows 2008. Why would the mail server lock the computer account out though? And of course, this account has to the principle of the firm's account... lol
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Aquiles Vidal
  • Locked
  • Question
Web Browsers in Windows Server or Terminal Server
Replies
0
Views
116
Aquiles Vidal
Aquiles Vidal
rzammit82
  • Locked
  • Question
Windows Server 2016 - DNS/AD problem
Replies
1
Views
142
suncit
suncit
MaioMaio
  • Question
Server Remote Desktop License
Replies
0
Views
101
MaioMaio
MaioMaio
antonio_dsanchez
  • Locked
  • Question
post-installation WSUS windows server 2016
Replies
0
Views
92
antonio_dsanchez
antonio_dsanchez
DTGMI
  • Locked
  • Question
WIN 10 Pro PC & Adding back to our Network
Replies
0
Views
89
DTGMI
DTGMI

Part and Inventory Search

Sponsor

Back
Top