Random Account lockouts without failed logon attempts

Anonymous
May 8, 2005 2:38:01 PM

Archived from groups: microsoft.public.windowsnt.domain

Here is the scenario: NT4 domain, DCs are at SP6a - 1 DC has the MS Proxy service
running - but used much; clients are mainly Win2k SP4, 6 XP SP1 and a few NT4
SP6a.

A user will log in to the domain successfully and then log off, go have
lunch, come back, try to log in, and their account is locked out.

In reviewing the security logs from all DCs, I see ID 528 - successful
logon, 538 - successful logoff, 539 - failed login due to account lockout,
642 - account has been changed and 644 - account locked out errors; I do not
see any 529 - failed logon attempt. This problem happens to about 500 - 1000
users per month. Now, some are caused because user passwords have expired and
they just forgot the new password, or they had Caps Lock on, but in both these
cases I see the 529 errors for them.

When looking at the accounts that are locked out, it shows that the account
that locked the users' account is SYSTEM, which is done on the PDC.

There was a virus last year that did, but the patch is in place. They did have
their PDC crash and had to rebuild it a few months ago, but I do not see any
SAM replication errors on any of the BDCs; replication is happening
frequently. There are services running as the local SYSTEM account (which led
me to think that a service is doing this). The security team are doing their
thing; I don't think they are telling us all that they're doing (not a
problem here, given that security needs to do this). They did run a
vulnerability test on another domain which is now experiencing many accounts
being locked out (but no 529's). Another thing I thought of is a brute force
attack, but this would show 529's - there are none.

If it is not a virus, corruption, a brute force attack or a service, then
what? I have read a lot of TechNet articles, but nothing really pinpoints this
problem. One did state that 5722 IDs in the system log could mean corruption
(which they do have), but this would be further supported by SAM replication
failures, of which there are none.

Has anyone experienced this issue? And how did you fix it? What caused it?
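As an added defender-side illustration (not part of the thread), a Python sketch of the correlation the poster did by hand: merge the security logs from all DCs and flag each 644 lockout with no 529 for the same account in the preceding window. The event records below are constructed sample data, not logs from the poster's domain.

```python
from datetime import datetime, timedelta

# NT4 security log event IDs named in the thread.
FAILED_LOGON = 529         # unknown user name or bad password
ACCOUNT_LOCKED_OUT = 644   # account locked out by the DC

# Constructed sample records (timestamp, DC, event id, target account);
# not real log data. Merged from the PDC and a BDC, as the poster did.
SAMPLE_EVENTS = [
    ("2005-05-08 11:58:00", "PDC",  528, "alice"),  # successful logon
    ("2005-05-08 12:02:00", "PDC",  538, "alice"),  # logoff
    ("2005-05-08 12:40:00", "PDC",  644, "alice"),  # lockout, no 529 anywhere
    ("2005-05-08 12:45:00", "BDC1", 539, "alice"),  # logon refused: locked
    ("2005-05-08 09:10:00", "BDC1", 529, "bob"),
    ("2005-05-08 09:11:00", "BDC1", 529, "bob"),
    ("2005-05-08 09:12:00", "BDC1", 529, "bob"),
    ("2005-05-08 09:12:30", "PDC",  644, "bob"),    # explained by the 529s
]


def parse(events):
    """Turn the string timestamps into datetimes, keeping the other fields."""
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), dc, eid, user)
            for ts, dc, eid, user in events]


def unexplained_lockouts(events, window=timedelta(minutes=30)):
    """Return (time, dc, user) for every 644 whose account has no 529 on
    any DC within `window` before it. A 644 with no preceding 529 is the
    pattern the poster describes: the lockout cannot be a password guess
    or a forgotten password, so look at services, tools or replication."""
    recent_failures = {}   # account -> timestamps of its 529 events
    flagged = []
    for ts, dc, eid, user in sorted(parse(events)):
        if eid == FAILED_LOGON:
            recent_failures.setdefault(user, []).append(ts)
        elif eid == ACCOUNT_LOCKED_OUT:
            fails = [t for t in recent_failures.get(user, [])
                     if ts - window <= t <= ts]
            if not fails:
                flagged.append((ts, dc, user))
    return flagged


if __name__ == "__main__":
    for ts, dc, user in unexplained_lockouts(SAMPLE_EVENTS):
        print(f"{ts} {dc}: {user} locked out with no failed logons in window")
```

Run against real exports, the 30-minute window should be widened to at least the domain's lockout observation window.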
Anonymous
May 9, 2005 11:44:01 AM


During normal business hours, replication happens about every 5-10 minutes;
off-peak hours, 30-40 minutes. The event ID on the PDC is 5711 and 5715 on the
BDCs (rep time the same).

On the PDC, description of 5711:
The partial synchronization request from the server XXXXXXXXXX completed
successfully. 1 changes(s) has(have) been returned to the caller.

On the BDC, description of 5715:
The partial synchronization replication of the SAM database from the primary
domain controller \\XXXXXXX completed successfully. 1 change(s) is(are)
applied to the database.

Now, one other thing: a few months ago they did have a PDC failure and had to
rebuild it. I do not know what the process was, but things seem to be working
fine.

I feel that this is related to either a service running under the local
SYSTEM context that is flaky (or deliberate), or something within the
environment that is doing this - the only drawback with this option is, I do not
see 529's - bad logon attempts. Some security probing tools can do this too, if
they start as the SYSTEM account on the PDC.

What are your thoughts?

Anonymous
May 9, 2005 1:39:48 PM


How frequent are the synchronization events? Can you post the
event ids and descriptions?

Anonymous
May 9, 2005 6:49:14 PM


Jonny, I have a similar issue with only specific alphanumeric user names
getting locked out every 15 seconds. I am running a 2003 domain. Just got it
today and fear it will spread. Nobody really has a clear answer to this issue,
but a resolution would be greatly appreciated.

Anonymous
May 10, 2005 4:41:15 PM


My thoughts are that they are not successfully replicating. An easy way to
tell is to change the password for an account with domain admin privileges,
then use that account to log on locally to your BDCs. The BDC should
contact the PDC for the change if it has not already occurred. Another
way to tell is to create a new account, then open a DOS prompt on the
PDC and all BDCs, run net users, and verify the new account exists
on each DC.

It's possible they created a new PDC with the same name as the
old domain instead of adding a BDC and promoting it to primary,
which would cause replication issues.
