I have a user whose account keeps locking out every 30 minutes. Done all the checks, removed any cached passwords, created a new profile, deleted the password from IE.
It locks out even when the user is using his account (he is logged in).
After checking 20 servers I found that there is a service running which is causing his account to lock, I think.
675,AUDIT FAILURE,Security,Thu Dec 16 07:54:04 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: userid User ID: %{id} Service Name: krbtgt/DOMAIN Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: IP address
Does anyone know what this is?
krbtgt/DOMAIN
Key Distribution Center Service Account
Can someone please explain to me why this is happening and how I can fix this?
675,AUDIT FAILURE,Security,Fri Dec 24 09:13:01 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 172.16.5.1
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 172.16.5.102
644,AUDIT SUCCESS,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: user_id Target Account ID: %{id} Caller Machine Name: UKNML3266 Caller User Name: LONDON$ Caller Domain: Domain Caller Logon ID: (0x0,0x3E7)
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.8
c:\sc0472\LONDON-Security_LOG.txt contains 8 parsed events.
Try this solution from http://social.technet.microsoft.com/Forums/en/w7itprosecurity/thread/e1ef04fa-6aea-47fe-9392-45929239bd68
Microsoft Support found the problem for us. Our domain accounts were locking when a Windows 7 computer was started. The Windows 7 computer had a hidden old password from that domain account. There are passwords that can be stored in the SYSTEM context that can't be seen in the normal Credential Manager view.
Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32.
From a command prompt run:
psexec -i -s -d cmd.exe
From the new DOS window run:
rundll32 keymgr.dll,KRShowKeyMgr
Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.
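To see which client addresses to check for stored credentials, the 675 and 644 lines posted above can be tallied per lockout. This is an added example, not part of the original thread; the function name and the 30-minute look-back window are assumptions, and the meanings of the failure codes come from RFC 4120.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Event lines copied from the thread's log export.
SAMPLE = r"""
675,AUDIT FAILURE,Security,Fri Dec 24 09:13:01 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 172.16.5.1
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x12 Client Address: 172.16.5.102
644,AUDIT SUCCESS,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,User Account Locked Out: Target Account Name: user_id Target Account ID: %{id} Caller Machine Name: UKNML3266 Caller User Name: LONDON$ Caller Domain: Domain Caller Logon ID: (0x0,0x3E7)
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:49:06 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.102
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.8
675,AUDIT FAILURE,Security,Fri Dec 24 08:46:28 2010,NT AUTHORITY\SYSTEM,Pre-authentication failed: User Name: user_id User ID: %{id} Service Name: krbtgt/Domain Pre-Authentication Type: 0x2 Failure Code: 0x18 Client Address: 172.16.5.8
"""

# Kerberos error codes (RFC 4120) seen in the 675 events.
BAD_PASSWORD = 0x18    # KDC_ERR_PREAUTH_FAILED: wrong password, counts toward lockout
CLIENT_REVOKED = 0x12  # KDC_ERR_CLIENT_REVOKED: account already locked or disabled

LINE = re.compile(r"^(\d+),AUDIT \w+,Security,([^,]+),[^,]*,(.*)$")
PREAUTH = re.compile(r"User Name: (\S+) .*Failure Code: (0x[0-9A-Fa-f]+) Client Address: (\S+)")
LOCKED = re.compile(r"Target Account Name: (\S+) .*Caller Machine Name: (\S+)")

def lockout_sources(text, window=timedelta(minutes=30)):
    """For each 644 lockout, count 0x18 failures per client address in the
    preceding window (30 minutes is assumed; match it to the domain policy)."""
    failures, lockouts = [], []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # blank lines and the "contains N parsed events" footer
        event_id, stamp, msg = m.groups()
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        if event_id == "675" and (f := PREAUTH.search(msg)):
            failures.append((when, f[1], int(f[2], 16), f[3]))
        elif event_id == "644" and (k := LOCKED.search(msg)):
            lockouts.append((when, k[1], k[2]))
    report = []
    for locked_at, user, caller in lockouts:
        sources = Counter(addr for when, who, code, addr in failures
                          if who == user and code == BAD_PASSWORD
                          and timedelta(0) <= locked_at - when <= window)
        report.append({"user": user, "locked_at": locked_at,
                       "caller_machine": caller, "sources": dict(sources)})
    return report

if __name__ == "__main__":
    print(lockout_sources(SAMPLE))
```

On the posted lines, the 0x18 failures before the 08:49:06 lockout come from 172.16.5.8 and 172.16.5.102, while the 0x12 entries are requests made after the account was already locked.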