Random Account lockouts without failed logon attempts

Archived from groups: microsoft.public.windowsnt.domain

Here is the scenario: NT4 domain, DCs are at SP6a - 1 DC has the MS Proxy service
running - but used much; clients are mainly Win2k SP4, 6 XP SP1 and a few NT4
SP6a.

A user will log in to the domain successfully and then log off, go have
lunch, come back, try to log in and their account is locked out.

In reviewing the security logs from all DCs, I see ID 528 - successful
logon, 538 - successful logoff, 539 - failed logon due to account lockout,
642 - account has been changed and 644 - account locked out errors; I do not
see any 529 - failed logon attempt. This problem happens to about 500 - 1000
users per month. Now, some are caused because user passwords have expired and
they just forgot the new password, or they had CAPS LOCK on, but in both these
cases I see the 529 errors.

When looking at the accounts that are locked out, it shows that the account
that locked the users' account is SYSTEM, which is done on the PDC.

There was a virus last year that did this, but the patch is in place. They did have
their PDC crash and had to rebuild it a few months ago, but I do not see any
SAM replication errors on any of the BDCs; replication is happening
frequently. There are services running as the local SYSTEM account (which led
me to think that a service is doing this). The security team are doing their
thing; I don't think they are telling us all that they're doing (not a
problem here, being that security needs to do this). They did run a
vulnerability test on another domain which is now experiencing many accounts
being locked out (but no 529's). Another thing I thought of is a brute force
attack, but this would show 529's - there are none.

If it is not a virus, corruption, brute force attack or a service, then
what? I have read a lot of TechNet articles, but nothing really pinpoints this
problem. One did state that 5722 IDs in the system log could mean corruption
(which they do have), but this would be further supported by SAM replication
failures, of which there are none.

Has anyone experienced this issue? How did you fix it? What caused it?
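The correlation the post describes (every 644 lockout checked for preceding 529 bad-password events across all DCs' logs) can be done mechanically once the Security logs from the PDC and BDCs are exported and merged. The script below is an added example, not code from the thread. It assumes a constructed pipe-delimited export (time, DC, event ID, target account, caller) rather than the output of any particular tool, and the DC names, workstation names and accounts in the sample are made up. Two points it encodes: the 529 has to be searched for on every DC, because the failure is logged by whichever DC processed the attempt, not necessarily the PDC that records the 644; and the caller on a 644 is the DC's own SYSTEM context because the lockout is written by the DC that enforces it, so that field never identifies the source of the bad passwords. It also presumes failure auditing for logon events is enabled on all DCs; if it is not, 529s will be missing for an ordinary reason.

```python
"""Correlate NT4-style Security log events to find lockouts with no bad-password trail."""
from collections import defaultdict
from datetime import datetime, timedelta

# Security event IDs named in the thread (NT4 / Windows 2000 Security log).
LOGON_SUCCESS = 528
LOGON_BAD_PASSWORD = 529
LOGOFF = 538
LOGON_ACCOUNT_LOCKED = 539
ACCOUNT_CHANGED = 642
ACCOUNT_LOCKED_OUT = 644

# Constructed sample export merged from three DCs (not real data, and not the
# output of a real tool). Fields: time|DC|event ID|target account|caller.
SAMPLE_LOG = """\
2004-03-02 08:01:10|PDC1|528|jdoe|WKS-042
2004-03-02 08:02:05|BDC1|529|asmith|WKS-017
2004-03-02 08:02:20|BDC1|529|asmith|WKS-017
2004-03-02 08:02:35|BDC1|529|asmith|WKS-017
2004-03-02 08:02:50|PDC1|644|asmith|SYSTEM
2004-03-02 08:03:00|BDC1|539|asmith|WKS-017
2004-03-02 11:58:40|BDC2|538|jdoe|WKS-042
2004-03-02 12:44:12|PDC1|644|jdoe|SYSTEM
2004-03-02 12:45:01|BDC2|539|jdoe|WKS-042
2004-03-02 12:45:03|PDC1|642|jdoe|SYSTEM
"""


def parse_events(text):
    """Parse the pipe-delimited export into dicts, sorted by time across all DCs."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, dc, event_id, account, caller = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "dc": dc,
            "id": int(event_id),
            "account": account.lower(),   # account names are case-insensitive
            "caller": caller,
        })
    events.sort(key=lambda e: e["time"])
    return events


def classify_lockouts(events, window=timedelta(minutes=30)):
    """Split 644 lockouts into those preceded by 529s (within `window`, on any DC)
    and those with no bad-password trail at all.

    `window` should match the domain's lockout observation window: 529s older
    than that could not have contributed to the lockout count.
    """
    bad_pw_times = defaultdict(list)
    for e in events:
        if e["id"] == LOGON_BAD_PASSWORD:
            bad_pw_times[e["account"]].append(e["time"])

    explained, unexplained = [], []
    for e in events:
        if e["id"] != ACCOUNT_LOCKED_OUT:
            continue
        earliest = e["time"] - window
        hits = [t for t in bad_pw_times[e["account"]] if earliest <= t <= e["time"]]
        record = {
            "account": e["account"],
            "time": e["time"],
            "dc": e["dc"],
            "caller": e["caller"],
            "bad_passwords": len(hits),
        }
        (explained if hits else unexplained).append(record)
    return explained, unexplained


def lockouts_per_dc(lockouts):
    """Count lockouts per DC; if every unexplained one lands on a single DC, start there."""
    counts = defaultdict(int)
    for r in lockouts:
        counts[r["dc"]] += 1
    return dict(counts)


if __name__ == "__main__":
    explained, unexplained = classify_lockouts(parse_events(SAMPLE_LOG))
    for r in explained:
        print(f"explained   {r['account']:8} {r['time']} on {r['dc']} after {r['bad_passwords']} x 529")
    for r in unexplained:
        print(f"UNEXPLAINED {r['account']:8} {r['time']} on {r['dc']} (caller {r['caller']}), no 529 in window")
    print("unexplained per DC:", lockouts_per_dc(unexplained))
```

In the sample, asmith is the ordinary case (three 529s on BDC1, then the 644 on the PDC), while jdoe is the case the post is about: a clean logoff, then a 644 from SYSTEM on the PDC with no 529 anywhere in the window. Run against a real merged export, the per-DC counts and the timestamps of the unexplained lockouts are what to line up against service activity, scanner schedules and replication events.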
  1.

    During normal business hours, replication happens about every 5 - 10 minutes.
    Off peak hours, 30 - 40 minutes. The event ID on the PDC is 5711 and 5715 on the
    BDCs (replication time the same).

    On the PDC, description of 5711:
    The partial synchronization request from the server XXXXXXXXXX completed
    successfully. 1 changes(s) has(have) been returned to the caller.

    On the BDC, description of 5715:
    The partial synchronization replication of the SAM database from the primary
    domain controller \\XXXXXXX completed successfully. 1 change(s) is(are)
    applied to the database.

    Now, one other thing: a few months ago they did have a PDC failure and had to
    rebuild it. I do not know what the process was, but things seem to be working
    fine.

    I feel that this is related to either a service running under the local
    SYSTEM context that is flaky (or deliberate), or something within the
    environment that is doing this - the only drawback with this option is, I do not
    see 529's - bad logon attempts. Some security probing tools can do this too, if
    they start as the SYSTEM account on the PDC.

    What are your thoughts?

  2.

    How frequent are the synchronization events? Can you post the
    event ids and descriptions?

  3.

    Jonny, I have a similar issue with only specific alphanumeric user names
    getting locked out every 15 seconds. I am running a 2003 domain. Just got it
    today and fear it will spread. Nobody really has a clear answer to this issue,
    but a resolution would be greatly appreciated.

  4.

    My thoughts are that they are not successfully replicating. An easy way to
    tell is to change the password for an account with domain admin privileges
    then use that account to logon locally to your BDCs. The BDC should
    contact the PDC for the change if it has not already occurred. Another
    way to tell is to create a new account then open a dos prompt on the
    PDC and all BDCs and run net users and verify the new account exists
    on each DC.

    It's possible they created a new PDC with the same name as the
    old domain instead of adding a BDC and promoting it to primary,
    which would cause replication issues.

