Fellow Techies,
I have a weird issue. I audit log on events (success and failure) on our Windows 2003 SP1 DCs.
I’ve noticed many failed 675 events:
Pre-authentication failed:
User Name: Jo Blog
User ID: MyDomain\JoBlog
Service Name: krbtgt/mydomain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: xx.xx.xx.xx
The type and code indicates that it was an interactive logon (type 0x2) and the account has been disabled, locked out or expired.
Now the thing is that for some users this event does not increment (or record) badPwdCount – the bad password count in AD. Also, these accounts are neither disabled, expired or locked.
The accounts are intermittent, and no real pattern in this.
Does anyone have an idea why?
Regards,
I have a weird issue. I audit log on events (success and failure) on our Windows 2003 SP1 DCs.
I’ve noticed many failed 675 events:
Pre-authentication failed:
User Name: Jo Blog
User ID: MyDomain\JoBlog
Service Name: krbtgt/mydomain
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: xx.xx.xx.xx
The type and code indicates that it was an interactive logon (type 0x2) and the account has been disabled, locked out or expired.
Now the thing is that for some users this event does not increment (or record) badPwdCount – the bad password count in AD. Also, these accounts are neither disabled, expired or locked.
The accounts are intermittent, and no real pattern in this.
Does anyone have an idea why?
Regards,