Thread: AD accounts randomly locking on 1st login attempt

  1. #1
    Mike G Guest

    AD accounts randomly locking on 1st login attempt

    I have several users that may or may not have an issue when they log into
    their laptops using their AD accounts. On the first attempt the user will
    get an error that the password/username they entered is incorrect. On the
    second attempt they are notified their account is locked. This is not
    happening for all users, only certain ones at random. I have verified the
    lockout policy is set for 3 attempts. When I looked at one of the user's
    security event logs I noticed the following 3 events:

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 05/20/2008
    Time: 6:10:02 AM
    User: NT AUTHORITY\SYSTEM
    Computer: LAP-41614
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Smithj
    Domain: ENTERPRISE
    Logon Type: 2
    Logon Process: Advapi
    Authentication Package: Negotiate
    Workstation Name: LAP-41614

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 05/20/2008
    Time: 6:10:02 AM
    User: NT AUTHORITY\SYSTEM
    Computer: LAP-41614
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Smithj
    Domain: ENTERPRISE
    Logon Type: 11
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: LAP-41614

    Event Type: Failure Audit
    Event Source: Security
    Event Category: Logon/Logoff
    Event ID: 529
    Date: 05/20/2008
    Time: 6:10:02 AM
    User: NT AUTHORITY\SYSTEM
    Computer: LAP-41614
    Description:
    Logon Failure:
    Reason: Unknown user name or bad password
    User Name: Smithj
    Domain: ENTERPRISE
    Logon Type: 2
    Logon Process: User32
    Authentication Package: Negotiate
    Workstation Name: LAP-41614

    I pasted these in chronological order as displayed in the event viewer.
    The next event reports the account is locked. Notice that these 3 all
    occurred at the same time. I did some research into the logon processes
    mentioned and found that Advapi (not to be confused with Advapi32) could be
    spyware and thus the cause. However, I am sure the Advapi mentioned is legit
    as I checked several other PCs w/ no issues and found this same process
    mentioned in those security event logs. Also this laptop in question is one
    that was built and deployed to the user less than a day prior so, it is hard
    to believe they went somewhere and got it. I also checked the user32 logon
    process and found user32.exe is a known trojan. I scanned the laptop but
    could not find any traces of it. Also like I mentioned prior, this is a
    recently built laptop and it is hard to believe it is a trojan. I am certain
    the user32 listed is actually user32.dll which appears to be a legit dll.

    I checked several other users with these issues and found when their account
    locked the security event log reported the same events. I checked on the
    error listed event IDs and found ID 529 indicates the user tried to log in
    with an unknown account (duh) or bad password (double duh,) but it doesn't
    make any sense why Windows is trying to log in 3 times on its own in
    succession.

    All users are running XP Pro. I've verified the users have all the current
    Windows patches to date, including SP3. I've tried having them try with and
    without a docking station, but none have worked. Does anyone have any
    suggestion on what else to try? I've been banging my head against the wall
    for a few weeks w/ no success.

    Thanks.
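
An added example, not part of the original thread: a small parser for Event ID 529 records in the text layout pasted above, which groups failures per account and workstation and reports bursts that land inside a window too short for a person to retype a password. The function names, the 2-second window and the fourth sample record are assumptions made for the illustration; the lockout threshold of 3 is the value stated in the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Logon type codes as recorded in Windows security events.
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch", "5": "Service",
               "7": "Unlock", "10": "RemoteInteractive", "11": "CachedInteractive"}

def _record(time, logon_type, process):
    # Builds one record, trimmed to the fields the parser uses.
    return (f"Event ID: 529\nDate: 05/20/2008\nTime: {time}\nUser Name: Smithj\n"
            f"Domain: ENTERPRISE\nLogon Type: {logon_type}\n"
            f"Logon Process: {process}\nWorkstation Name: LAP-41614\n")

SAMPLE = "\n".join([
    _record("6:10:02 AM", 2, "Advapi"),   # first three: values from the post
    _record("6:10:02 AM", 11, "User32"),
    _record("6:10:02 AM", 2, "User32"),
    _record("9:45:30 AM", 2, "User32"),   # CONSTRUCTED: one isolated failure
])

def parse_events(text):
    """Parse blank-line-separated 'Key: value' records, keeping Event ID 529."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event ID") != "529":
            continue
        fields["when"] = datetime.strptime(
            f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append(fields)
    return events

def find_bursts(events, lockout_threshold=3, window=timedelta(seconds=2)):
    """Return groups of 2+ failures for one account/workstation inside `window`."""
    by_account = defaultdict(list)
    for ev in events:
        key = (ev["Domain"].upper(), ev["User Name"].lower(),
               ev["Workstation Name"].upper())
        by_account[key].append(ev)
    bursts = []
    for (domain, user, workstation), evs in by_account.items():
        evs.sort(key=lambda e: e["when"])  # stable: keeps log order on ties
        clusters = [[evs[0]]]
        for ev in evs[1:]:
            if ev["when"] - clusters[-1][0]["when"] <= window:
                clusters[-1].append(ev)
            else:
                clusters.append([ev])
        for cluster in clusters:
            if len(cluster) < 2:
                continue  # a single failure is consistent with one typed attempt
            bursts.append({
                "account": f"{domain}\\{user}",
                "workstation": workstation,
                "start": cluster[0]["when"].isoformat(),
                "failures": len(cluster),
                "sources": [(LOGON_TYPES.get(e["Logon Type"], e["Logon Type"]),
                             e["Logon Process"]) for e in cluster],
                # True when this one burst alone reaches the lockout policy.
                "trips_lockout": len(cluster) >= lockout_threshold,
            })
    return bursts

if __name__ == "__main__":
    for burst in find_bursts(parse_events(SAMPLE)):
        print(burst)
```

Run over the records above, it reports one burst of three failures in the same second from three logon type and process pairs, which by itself reaches a threshold of 3.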


  2. #2
    Jorge Silva Guest

    Re: AD accounts randomly locking on 1st login attempt

    Hi
    Check if these accounts are being used in other sessions or services with
    old PWs.

    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services


  3. #3
    Paul Bergson [MVP-DS] Guest

    Re: AD accounts randomly locking on 1st login attempt

    Is the account logged into more than one machine or is it running a service
    on the same machine? A user could have mapped drives to a resource from one
    machine, on a different machine he changes his password and then the first
    machine attempts to stay mapped to a drive and the password is no longer
    correct and eventually locks the user out. Or after a password is changed a
    service is running that attempts to authenticate with an old password.

    To help try and track down where the account is getting locked out use
    eventcombMT.exe from the Account Lockout tools found on Microsoft's
    website. Use the built-in search AccountLockouts and search in the created
    text files for the user in question.

    http://www.microsoft.com/downloads/d...displaylang=en


    You can also set the debug flag on NetLogon to track authentication. "This
    creates a text file on the PDC that can be examined to determine which
    clients are generating the bad password attempts."
    http://support.microsoft.com/kb/189541
    http://support.microsoft.com/kb/109626

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.


  4. #4
    Mike G Guest

    Re: AD accounts randomly locking on 1st login attempt

    Thanks for responding.

    The users are only and have been logging into one machine at a time (their
    own.) They have several mapped network drives, and access to them relies on
    their one and only AD account. To be even more specific, any network
    resource a user accesses is governed by one AD account per user and are all
    on the same domain. Some users may have reset their AD password due to it
    expiring because of the password policies, but all have logged off and cold
    booted their machines at some point since then.

    I tried using eventcombMT.exe but when searching, it is resolving the DCs
    but the search contents are not reporting any events. For this to work am I
    right in assuming debugging for NETLOGON on each DC needs to be active?

    I will try to install alockout.dll to see if it will tell me what
    authentication attempts the machine is making when the user fails to enter
    their password correctly. Other than that are you aware of any other ways to
    see what the PC is doing during a logon attempt? As previously mentioned,
    when the user enters their password wrong on the 1st try after booting, the
    event log of the user's machine shows 3 failed attempts to log on for their
    actual one. Unfortunately the logs do not mention why they are doing it.

    Thanks,
    Mike


  5. #5
    Jorge Silva Guest

    Re: AD accounts randomly locking on 1st login attempt

    What is the threshold before locking the PW? 3 sounds small; increase it to
    15/20 to avoid unnecessary PW locks.


    --
    I hope that the information above helps you.
    Have a Nice day.

    Jorge Silva
    MCSE, MVP Directory Services


  6. #6
    Paul Bergson [MVP-DS] Guest

    Re: AD accounts randomly locking on 1st login attempt

    If there is only 1 attempt and it is locking out, there is something else
    going on. I can't tell you what but it has to be a service or a scheduled
    job, etc... I have used the eventcomb many times and it has always helped
    in tracking this down. I don't have much else for you, other than make sure
    you are pointing it to all of your DCs; it will search more than one at a
    time.

    --
    Paul Bergson
    MVP - Directory Services
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, 2003, 2000 (Early Achiever), NT4

    http://www.pbbergs.com

    Please no e-mails, any questions should be posted in the NewsGroup
    This posting is provided "AS IS" with no warranties, and confers no rights.
