Why does my AD account get locked out even after the GP is deactivated?

By mkoskenk
We were rolling out a new Group Policy to enhance security by limiting the number of times people can type in the password incorrectly when logging on to their Active Directory user account. The threshold was set to 5 incorrect logon attempts with a 30-minute lockout.

I first enabled the policy for a test account and, after a few days without any problems, I enabled it also on my personal account. Things were OK for a while, but then my account started getting locked out even while I was logged in. Even more mystical, I disabled the GP but the account lockouts still kept occurring! As of late the frequency of the lockouts has gone down. Sometimes the situation is fine without lockouts for several days, but other times I might have to unlock the account a couple of times in a row.

I've used the LockoutStatus software to track where the account lockout happens (we have 1 primary DC and 1 secondary DC) but it seems to happen on both DCs.

As much as I would like to find out the reason why wrong user credentials are supplied to the DC, at the moment the more pressing question seems to be "Why does my account get locked out even after the GP is deactivated?". Any idea why this is happening?

**EDIT**
The account just got locked out again and, after some digging on the DC that locked out the account, I found out that the computer sending out the wrong password was indeed the one I'm sitting at right now.

On the DC Event Viewer the following event was logged:

*********
Event ID: 4771

Security ID: MYDOMAIN\myusername

Service Name: krbtgt/MYDOMAINNAME

Client Address: ::ffff:my.internal.ip.address
Client Port: 61261

Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
*********

The Event Viewer will catch five of these events, after which the Event ID will change to 4769 and the Failure Code to 0x12. After some googling, the first failure code (0x18) means that an incorrect password was supplied and the latter code (0x12) means that the logon failed since the account is locked out.

So it would seem that I need to track down some rogue program in which I have used my credentials and then updated the AD password but not the password stored in that software.

The question still stands valid, though.
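The triage the poster describes by hand (collect the 4771 events, read the Failure Code, note the Client Address, count how many bad passwords arrive before the account is locked) is shown below as a small Python script. This is an added example written for this thread, not the poster's tooling or anything from LockoutStatus or Event Viewer. It assumes a text export shaped like the snippet above with a `Time:` field added and records separated by a `---` line; the IP addresses, timestamps and the 30-minute observation window (the question only states the lockout duration, not the "reset counter after" setting) are constructed assumptions.

```python
"""Triage Kerberos pre-authentication failures (Security event 4771) to find
which host keeps sending a wrong password for an account that gets locked out.
Added example for this thread; the records are constructed, not a real export."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The failure code in 4771 is a Kerberos KRB_ERROR code (RFC 4120).
FAILURE_CODES = {
    "0x12": "client credentials revoked (account disabled, expired or locked out)",
    "0x17": "password has expired",
    "0x18": "pre-authentication information invalid (wrong password)",
}

# One 4771 record in the layout the question shows, plus a Time field (assumed).
EVENT_TEMPLATE = """\
Time: {time}
Event ID: 4771
Security ID: {account}
Service Name: krbtgt/MYDOMAINNAME
Client Address: {addr}
Client Port: {port}
Failure Code: {code}
Pre-Authentication Type: 2
"""

# Constructed sample (time, client address, failure code), all for one account:
# one stray wrong password from 10.0.0.40 an hour earlier, five wrong passwords
# from 10.0.0.25 within 20 minutes, then a sixth attempt refused with 0x12.
CONSTRUCTED = [
    ("2024-01-15 08:00:05", "::ffff:10.0.0.40", "0x18"),
    ("2024-01-15 09:00:05", "::ffff:10.0.0.25", "0x18"),
    ("2024-01-15 09:05:05", "::ffff:10.0.0.25", "0x18"),
    ("2024-01-15 09:10:05", "::ffff:10.0.0.25", "0x18"),
    ("2024-01-15 09:15:05", "::ffff:10.0.0.25", "0x18"),
    ("2024-01-15 09:20:05", "::ffff:10.0.0.25", "0x18"),
    ("2024-01-15 09:20:06", "::ffff:10.0.0.25", "0x12"),
]

FIELD_RE = re.compile(r"^(?P<key>[A-Za-z -]+):\s*(?P<value>.*)$", re.MULTILINE)


def render_sample_log(account="MYDOMAIN\\myusername"):
    """Render the constructed records as the text export parse_events expects."""
    return "---\n".join(
        EVENT_TEMPLATE.format(time=t, account=account, addr=a, port=61000 + i, code=c)
        for i, (t, a, c) in enumerate(CONSTRUCTED)
    )


def normalize_address(addr):
    """Strip the IPv4-mapped IPv6 prefix (::ffff:) a DC logs for IPv4 clients."""
    prefix = "::ffff:"
    return addr[len(prefix):] if addr.lower().startswith(prefix) else addr


def parse_events(text):
    """Parse 'Key: value' records into dicts, keeping only event 4771."""
    events = []
    for block in text.split("---\n"):
        fields = {m["key"].strip(): m["value"].strip() for m in FIELD_RE.finditer(block)}
        if fields.get("Event ID") != "4771":
            continue
        events.append({
            "time": datetime.strptime(fields["Time"], "%Y-%m-%d %H:%M:%S"),
            "account": fields["Security ID"],
            "source": normalize_address(fields["Client Address"]),
            "code": fields["Failure Code"].lower(),
        })
    return events


def describe(code):
    return FAILURE_CODES.get(code.lower(), "unknown failure code")


def bad_password_sources(events):
    """Count wrong-password failures (0x18) per client address: these are the
    hosts to inspect for a stale stored credential."""
    return Counter(e["source"] for e in events if e["code"] == "0x18")


def find_lockout_trigger(events, threshold=5, window=timedelta(minutes=30)):
    """Return the 0x18 event that is the threshold-th wrong password for its
    account within `window` (the attempt that locks the account), or None.
    The window stands for the policy's 'reset lockout counter after' setting,
    assumed here to be 30 minutes. The counter is per account, not per host."""
    recent = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["code"] != "0x18":
            continue
        hits = [t for t in recent[e["account"]] if e["time"] - t < window]
        hits.append(e["time"])
        recent[e["account"]] = hits
        if len(hits) >= threshold:
            return e
    return None


if __name__ == "__main__":
    events = parse_events(render_sample_log())
    for src, n in bad_password_sources(events).most_common():
        print(f"{src}: {n} wrong-password attempt(s)")
    trigger = find_lockout_trigger(events)
    if trigger:
        print(f"lockout reached at {trigger['time']} from {trigger['source']}: "
              f"{describe(trigger['code'])}")
```

Because the poster sees lockouts on both DCs, exports from both should be merged before counting: the lockout counter is tracked per account on the PDC emulator, so a host that only ever authenticates against the secondary DC still contributes to it. Once the Client Address is known, the usual places to look on that host are saved credentials in Credential Manager, services or scheduled tasks running under the account, and mapped drives or mail profiles that cached the old password.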
