# [SOLVED] Constant Account Lockouts



## nhammen09 (Apr 9, 2013)

I've been battling an issue the last few days of a user being locked out 25 times a day. I don't have any leads from the security log on the AD server. The lockout is occurring from the user's system from the look of the logs and it mentions Advapi quite a bit, so it has to be occurring when logging into CompanyWeb. None of the logs mentions a bad username or password. I have attached 2 of the most common log entries below (modified for security).

#1

```
An account failed to log on.

Subject:
    Security ID:                NULL SID
    Account Name:               -
    Account Domain:             -
    Logon ID:                   0x0

Logon Type:                     3

Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:               theuser
    Account Domain:             DOMAIN

Failure Information:
    Failure Reason:             Account locked out.
    Status:                     0xc0000234
    Sub Status:                 0x0

Process Information:
    Caller Process ID:          0x0
    Caller Process Name:        -

Network Information:
    Workstation Name:           BADCOMPUTER
    Source Network Address:     USERPC
    Source Port:                50667

Detailed Authentication Information:
    Logon Process:              NtLmSsp
    Authentication Package:     NTLM
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0
```


#2

```
An account failed to log on.

Subject:
    Security ID:                NETWORK SERVICE
    Account Name:               SERVER$
    Account Domain:             DOMAIN
    Logon ID:                   0x3e4

Logon Type:                     8

Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:               theuser
    Account Domain:             DOMAIN

Failure Information:
    Failure Reason:             Account locked out.
    Status:                     0xc0000234
    Sub Status:                 0x0

Process Information:
    Caller Process ID:          0x60a8
    Caller Process Name:        C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:           SERVER
    Source Network Address:     USERPC
    Source Port:                50435

Detailed Authentication Information:
    Logon Process:              Advapi
    Authentication Package:     Negotiate
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0
```


#3

```
An account failed to log on.

Subject:
    Security ID:                SYSTEM
    Account Name:               SERVER$
    Account Domain:             DOMAIN
    Logon ID:                   0x3e7

Logon Type:                     8

Account For Which Logon Failed:
    Security ID:                NULL SID
    Account Name:               theuser
    Account Domain:             DOMAIN

Failure Information:
    Failure Reason:             Unknown user name or bad password.
    Status:                     0xc000006d
    Sub Status:                 0xc000006a

Process Information:
    Caller Process ID:          0x1794
    Caller Process Name:        C:\Windows\System32\inetsrv\w3wp.exe

Network Information:
    Workstation Name:           SERVER
    Source Network Address:     USERPC
    Source Port:                50655

Detailed Authentication Information:
    Logon Process:              Advapi
    Authentication Package:     Negotiate
    Transited Services:         -
    Package Name (NTLM only):   -
    Key Length:                 0
```


Any help would be appreciated. There are no "logon" failure events that mention this user, but the account seems to get locked out around 25 times a day.

Thanks everyone.


----------
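Added example, not part of the original thread: Python that parses pasted "An account failed to log on" event text in the layout quoted in the post above and tallies failures by account, source, logon type, caller process and failure reason, so the dominant source of bad attempts stands out. The sample text is constructed from the placeholder names in the post, and the code meanings in `STATUS` and `LOGON_TYPE` are the standard Windows ones for the values that appear there.

```python
import re
from collections import Counter

# Meanings of the NTSTATUS codes and logon types in the events quoted above.
STATUS = {"0xc0000234": "account locked out", "0xc000006a": "bad password",
          "0xc000006d": "bad user name or authentication information"}
LOGON_TYPE = {"3": "Network", "8": "NetworkCleartext"}

def parse_events(text):
    """Split pasted event text into dicts keyed 'Section/Field' (or 'Field')."""
    events = []
    for chunk in re.split(r"(?m)^An account failed to log on\.\s*$", text)[1:]:
        event, section = {}, ""
        for line in chunk.splitlines():
            name, sep, value = (part.strip() for part in line.partition(":"))
            if not line.strip():
                section = ""                 # a blank line ends the section
            elif sep and not value:
                section = name               # header such as "Subject:"
            elif sep:
                event[f"{section}/{name}" if section else name] = value
        events.append(event)
    return events

def summarize(events):
    """Count failures per (account, source, logon type, caller, reason)."""
    counts = Counter()
    for e in events:
        code = e.get("Failure Information/Sub Status", "0x0")
        if code == "0x0":                    # no sub status: fall back to Status
            code = e.get("Failure Information/Status", "?")
        ltype = e.get("Logon Type", "?")
        counts[(e.get("Account For Which Logon Failed/Account Name"),
                e.get("Network Information/Source Network Address"),
                LOGON_TYPE.get(ltype, ltype),
                e.get("Process Information/Caller Process Name"),
                STATUS.get(code.lower(), code))] += 1
    return counts.most_common()

# Constructed sample modelled on the three entries quoted in the post.
TEMPLATE = ("An account failed to log on.\n\nSubject:\nAccount Name: SERVER$\n\n"
            "Logon Type: {0}\n\nAccount For Which Logon Failed:\n"
            "Account Name: theuser\n\nFailure Information:\nStatus: {1}\n"
            "Sub Status: {2}\n\nProcess Information:\nCaller Process Name: {3}\n\n"
            "Network Information:\nSource Network Address: USERPC\n\n")
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
SAMPLE = "".join(TEMPLATE.format(*row) for row in [
    ("3", "0xc0000234", "0x0", "-"), ("8", "0xc0000234", "0x0", W3WP),
    ("8", "0xc000006d", "0xc000006a", W3WP), ("8", "0xc000006d", "0xc000006a", W3WP)])

print(*summarize(parse_events(SAMPLE)), sep="\n")
```

Keying fields by section keeps the `Subject` account (the server's own machine account) separate from the account whose logon failed, which share the label `Account Name`.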



## djaburg (May 15, 2008)

*Re: Constant Account Lockouts*

Is it possible that the user has his smartphone trying to connect to the network causing this?

You can also check this for more information on trying to determine the cause.

It's also possible that they could have a worm/virus on their computer like the Conficker worm.


----------



## cgc018 (Jan 22, 2012)

*Re: Constant Account Lockouts*

If you're not able to find anything from following what djaburg has posted, you might want to give this a try: Account Lockout Tools. 

We had a similar thing happening to one of our users and the Lockoutstatus tool helped us to determine the issue.


----------



## nhammen09 (Apr 9, 2013)

*Re: Constant Account Lockouts*

djaburg, I have verified with 3 malware scans that there is no active infection. She does not use her smartphone on the network since they don't utilize WIFI at this site. I am going to run the ALT to see what I can find on that. I have also cleared out her scheduled tasks and disabled startup items in msconfig. I will keep you posted when I get more information and results.


----------



## Go The Power (Mar 5, 2007)

*Re: Constant Account Lockouts*

Hello nhammen09

I see this all the time at work. Here are the basic things to do first.

Is the user logged into any other computer?
- Did they select switch user instead of logging off a computer one day?

Download LockoutStatus as suggested by cgc018 (this is a great tool).
- Have your user shut down any computer they are logged into.
- Unlock the user's account either with AD or LockoutStatus.
- Keep an eye on LockoutStatus for Bad Password Attempts (give it a good amount of time); you will have to press F5 to refresh.

If the bad password attempt goes up, it is an issue with something other than the PC (as the PC should be off).
- Do other systems use the same password as the LAN password? For example:
  - Exchange?
  - Any syncs with any different programs?
  - Any syncs with any web portals?
  - Are you sure they are logged off another computer?

If the bad password counts do go up, it's pretty safe to say it's from the machine end. One of the main things to check from here is inside the Windows Credential Manager and just delete any stored passwords.

Have you tried a full profile reset?

This may seem like it's asking more questions than answering yours, but it's just a case of pinpointing the cause.


----------

