Domain Account keeping locking out with correct password every few minutes

Question

I have user whos account is keeping locking out every 30 minutes  Done all the checks  remove any cache passwords  created new profile  delete password from IE   It locks out even when user is using his account  he is logged in    After checking 20 servers I found that they is service running which causing his account to lock I think   675 AUDIT FAILURE Security Thu Dec 16 07 54 04 2010 NT AUTHORITY SYSTEM Pre-authentication failed      User Name   userid     User ID     id      Service Name   krbtgt DOMAIN     Pre-Authentication Type  0x2     Failure Code   0x12     Client Address   IP address       Does anyone know what is this   krbtgt DOMAIN      Key Distribution Center Service Account   Can some please explain this to me why this is happening and how i can fix this   675 AUDIT FAILURE Security Fri Dec 24 09 13 01 2010 NT AUTHORITY SYSTEM Pre-authentication failed      User Name   user id    User ID     id      Service Name   krbtgt Domain     Pre-Authentication Type  0x2     Failure Code   0x12     Client Address   172 16 5 1     675 AUDIT FAILURE Security Fri Dec 24 08 49 06 2010 NT AUTHORITY SYSTEM Pre-authentication failed      User Name   user id    User ID     id      Service Name   krbtgt Domain     Pre-Authentication Type  0x2     Failure Code   0x12     Client Address   172 16 5 102     644 AUDIT SUCCESS Security Fri Dec 24 08 49 06 2010 NT AUTHORITY SYSTEM User Account Locked Out      Target Account Name  user id    Target Account ID    id      Caller Machine Name  UKNML3266     Caller User Name  LONDON      Caller Domain  Domain     Caller Logon ID   0x0 0x3E7      675 AUDIT FAILURE Security Fri Dec 24 08 49 06 2010 NT AUTHORITY SYSTEM Pre-authentication failed      User Name   user id    User ID     id      Service Name   krbtgt Domain     Pre-Authentication Type  0x2     Failure Code   0x18     Client Address   172 16 5 102     675 AUDIT FAILURE Security Fri Dec 24 08 49 06 2010 NT AUTHORITY SYSTEM Pre-authentication failed      User Name   user id    User ID     id      Service Name   krbtgt Domain     Pre-Authentication Type  0x2     Failure Code   0x18     Client Address   172 16 5 102     675 AUDIT FAILURE Security Fri Dec 24 08 46 28 2010 NT AUTHORITY SYSTEM Pre-authentication failed      User Name   user id    User ID     id      Service Name   krbtgt Domain     Pre-Authentication Type  0x2     Failure Code   0x18     Client Address   172 16 5 8     675 AUDIT FAILURE Security Fri Dec 24 08 46 28 2010 NT AUTHORITY SYSTEM Pre-authentication failed      User Name   user id    User ID     id      Service Name   krbtgt Domain     Pre-Authentication Type  0x2     Failure Code   0x18     Client Address   172 16 5 8     675 AUDIT FAILURE Security Fri Dec 24 08 46 28 2010 NT AUTHORITY SYSTEM Pre-authentication failed      User Name   user id    User ID     id      Service Name   krbtgt Domain     Pre-Authentication Type  0x2     Failure Code   0x18     Client Address   172 16 5 8     c  sc0472 LONDON-Security LOG txt contains 8 parsed events

User · Answer

I think this highlights a serious deficiency in Windows. We have a (techincal) user account that we use for our system consisting of a windows service and websites, with the app pools configured to run as this user.

Our company has a security policy that after 5 bad passwords, it locks the account out.

Now finding out what locks out the account is practically impossible in a enterprise. When the account is locked out, the AD server should log from what process and what server caused the lock out.

I've looked into it and it (lock out tools) and it doesnt do this. only possible thing is a tool but you have to run it on the server and wait to see if any process is doing it. But in a enterprise with 1000s of servers thats impossible, you have to guess. Its crazy.

User · Answer

Try this solution from http   social technet microsoft com Forums en w7itprosecurity thread e1ef04fa-6aea-47fe-9392-45929239bd68     Microsoft Support found the problem for us   Our domain accounts were   locking when a Windows 7 computer was started   The Windows 7 computer   had a hidden old password from that domain account    There are   passwords that can be stored in the SYSTEM context that can t be seen   in the normal Credential Manager view       Download PsExec exe from http   technet microsoft com en-us sysinternals bb897553 aspx and copy   it to C  Windows System32       From a command prompt run     psexec -i -s -d cmd exe      From the new DOS window run   rundll32 keymgr dll KRShowKeyMgr      Remove any items that appear in the list of Stored User Names and Passwords   Restart the computer

User · Answer

We just had a similar issue  looks like the user reset his password on Friday and over the weekend and on Monday he kept getting locked out     Turned out to be he forgot to update his password on his mobile phone

User · Answer

You need to make sure that the clocks on all your servers are correct  Kerberos errors are normally caused by your server clock being out of sync with your domain   UPDATE  Failure code 0x12 very specifically means  Clients credentials have been revoked   which means that this error has happened once the account has been disabled  expired  or locked out   It would be useful to try and find the previous error messages if you think that the account was active - i e  this error message may not be the root cause  you will have different errors preceding this error  which cause the account to get locked   Ideally  to get a full answer  you will need to reactivate the account and keep an eye on the logs for an error occurring before the 0x12 error messages

User · Answer

Download Microsoft Account Lockout Tools  Use LockoutStatus to find the last DC that didn t pre-authenticate the user that is having issues  Note date and time  Log into that DC  find that timeframe and check Client Address  Logoff from those servers

User · Answer

May be the virus by name CONFLICKER try d exe tool from symantec on the machine hope your problem will be resolved  Check the security logs in domain controller and scan those machines because of this virus it creates bad passwords and lock the users

User · Answer

If your computer is on a domain  you can see Windows Password Rescuer Advanced   http   www daossoft com documents how-to-reset-windows-domian-account-password html

User · Answer

I have seen this problem when the user had set up a scheduled task to run under his account   He forgot to update the password on the task after he changed his account password   The scheduled task was trying to logon with the old password and kept locking out his account

User · Answer

Finally i found my problem  SQL Reporting Service was causing my account lockout  Stop and try  after confirm no more passwords bad attempts i should reconfigure reporting services service account ---Not at Service Properties  it is in Reporting Service own config--

[windows] Domain Account keeping locking out with correct password every few minutes

Examples related to windows

Examples related to active-directory

Examples related to windows-server-2003