Windows Server 2008 – User Account Gets Permanently Locked by Someone

Tags: active-directory, user-management, windows-server-2008

My admin account in our datacenter gets permanently locked and I have to unlock it again and again with our general Datacenter Administrator. I want it to stop, but I don't know who locks my account and on which machine that happens.

We have several Server 2003, 2008 and 2008 R2 Servers in our Datacenter.
Our 3 Domain Controllers are running 2 x Server 2008 and 1 x Server 2008 R2.

How can I track down from which client, on which server, my user gets permanently locked out?

Update: With LockOutStatus.exe I found out that last lockout time was 13:19. At this time, I have EventID 4771 logged on our DC.
It tells me the Client-Address of one of our Terminal-Servers with Servicename "krbtgt/domain" Failure Code 0x18 and Pre-Authentication Type 2.

I looked for errors on that terminal server but didn't find any Kerberos-related ones. I did find GPO-related errors in the System log of that terminal server: EventID 1006 with ErrorCode 49. In fact I was logged on at this terminal server at this time. But not tomorrow. This won't be the "root error". Any thoughts on what to do to find the problem?

Update / solved: There were 4 sessions on a few servers where my user was logged on (but disconnected) using old credentials. I used LockOutStatus.exe to find the time when my user was last locked. Then I looked at the security logs and found an event with ID 4771 which holds the client's IP that caused my user to lock out. I logged out the session, unlocked my user account and waited for the next session/server to lock my user. I repeated that until my user didn't get locked out again.

Thanks to you for your good answers and tips 🙂
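The lookup described in the update (take the last lockout time from LockOutStatus.exe, then pull the Event ID 4771 entries around it from a DC's Security log and read the client address) as an added PowerShell example; this is not code from the original post. The function names `ConvertFrom-Event4771` and `Find-LockoutSource` are hypothetical, and it assumes PowerShell 3.0 or later and rights to read the Security log on the DC.

```powershell
# Added example (not from the original post): map Kerberos pre-authentication
# failures (Event ID 4771) for one account back to the client IP that sent them.
# Assumes PowerShell 3.0+ (Get-WinEvent -FilterHashtable) and read access to the
# Security log on the domain controller named in -ComputerName.

function ConvertFrom-Event4771 {
    # Turn one 4771 event record into a flat object with the fields that matter.
    param([Parameter(Mandatory, ValueFromPipeline)] $Event)
    process {
        $xml = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Account     = $d['TargetUserName']
            Service     = $d['ServiceName']    # e.g. krbtgt/DOMAIN
            FailureCode = $d['Status']         # 0x18 = pre-auth failed (wrong password)
            PreAuthType = $d['PreAuthType']    # 2 = PA-ENC-TIMESTAMP (password based)
            ClientIP    = ($d['IpAddress'] -replace '^::ffff:', '')  # strip IPv4-mapped prefix
        }
    }
}

function Find-LockoutSource {
    # Group the 0x18 failures for one account in a time window by client IP.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [datetime]$Around = (Get-Date),   # the "last lockout time" LockOutStatus.exe reports
        [int]$WindowMinutes = 15,
        [string]$ComputerName = $env:COMPUTERNAME   # a domain controller
    )
    $filter = @{
        LogName   = 'Security'
        Id        = 4771
        StartTime = $Around.AddMinutes(-$WindowMinutes)
        EndTime   = $Around.AddMinutes($WindowMinutes)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ConvertFrom-Event4771 |
        Where-Object { $_.Account -eq $SamAccountName -and $_.FailureCode -eq '0x18' } |
        Group-Object ClientIP |
        Select-Object @{n='ClientIP'; e={$_.Name}}, Count,
                      @{n='LastSeen'; e={($_.Group | Sort-Object Time -Descending | Select-Object -First 1).Time}}
}

# Usage (constructed values): Find-LockoutSource -SamAccountName 'jdoe' -Around '13:19' -ComputerName 'DC01'
```

Each IP returned is a machine to check for a disconnected session, mapped drive or scheduled task still holding the old password; run it against each DC, since 4771 is logged only on the DC that handled the request.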

Best Answer

Is it possible that you have a disconnected session with your user account on that server? If you recently changed your password, then any disconnected but active sessions on a server/workstation could result in something like that.

If not:

I would try and enable process tracking in addition to logon tracking. This will enable you to see which process was started at the time the logon failure and ultimately the lock-out occurred.

On Win2k8 those event IDs are 4688 when a process starts, and 4689 when the process exits. Deciphering that can be a bit tricky though.

You could try and install an evaluation version of EventSentry (which I am affiliated with), which normalizes logon and process data and stores it in a database for easy searching. E.g., you can see which processes were running at the time, search through logon events across multiple servers and so forth. However, setting up EventSentry just for this purpose might be overkill.

Did you check your scheduled tasks to make sure no tasks are configured under your user account?