
Re: Account lockout - analysis help

Subject: Re: Account lockout - analysis help
Date: Fri, 19 Jan 2007 09:46:20 +0530
Hi,

You could also check for any scheduled tasks that might be using the
user's credentials to start the task on the client machine. You can
get the client IP address from the Event Viewer.
You can also analyse the event logs in the following way:

1) Use EventCombMT.exe to collect the security and system event logs
(.evt format) from the PDC, authenticating DC, and client computers
that the user logs onto.
2) Run Lockoutstatus.exe against the locked out user account to find which
DCs are involved in the lockout.
3) Gather Netlogon.log files from the PDC and other DCs involved in the
account lockout.
4) Use Nlparse.exe to parse the Netlogon logs for account lockout related events.


Do let me know if this was of any help.

Kind regards,

Tima



On 1/18/07, Miguel Sarri <msarri@gmail.com> wrote:
Take a look at services, specifically you could search for services
running as a user account (with an expired password?).

I had the same problem and it was a service that was running with an old
password.

Also you could take a look at the computer account in your DC, and look
at the logon logs.

Did you check it with another user in that box?
Did you check that user in another box?

Regards.


gary@aspectcapital.com wrote:
> Hi,
>
> I have a user who keeps getting his account locked out, but I cannot work out why. I use the alockout tools, to get me the following
>
> Wed Jan 17 08:40:00 2007, PID:  1872, Thread:  2284, Image xcopy,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jan 17 08:40:12 2007, PID:  1872, Thread:  2284, Image xcopy,ALOCKOUT.DLL - dll_process_detatch
> Wed Jan 17 09:50:29 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jan 17 09:50:29 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
> Wed Jan 17 09:52:19 2007, PID:  2648, Thread:  3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jan 17 09:52:20 2007, PID:  2648, Thread:  3160, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
> Wed Jan 17 09:53:32 2007, PID:  2040, Thread:  1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jan 17 09:53:33 2007, PID:  2040, Thread:  1388, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
> Wed Jan 17 09:53:57 2007, PID:  2264, Thread:  2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jan 17 09:53:58 2007, PID:  2264, Thread:  2060, Image C:\PROGRA~1\MICROS~4\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
> Wed Jan 17 09:54:15 2007, PID:   656, Thread:  3368, Image taskmgr.exe,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
> Wed Jan 17 09:54:41 2007, PID:   656, Thread:  3368, Image taskmgr.exe,ALOCKOUT.DLL - dll_process_detatch.
>
> Looking on my DCs I have the following entries
>
> Service Ticket Request Failed:
>       User Name:      shallensleben
>       User Domain:    ASPECTCAPITAL.COM
>       Service Name:   exchangeMDB/VEGA2
>       Ticket Options: 0x40800000
>       Failure Code:   0x12
>       Client Address: 172.16.x.x
>
> Authentication Ticket Request Failed:
>       User Name:      shallensleben
>       Supplied Realm Name:    ASPECTCAPITAL.COM
>       Service Name:   krbtgt/ASPECTCAPITAL.COM
>       Ticket Options: 0x40810010
>       Failure Code:   0x12
>       Client Address: 172.16.x.x
>
> I have also checked for the obvious mapped network drives, runas, saving credentials etc. all of which are absent.
>
> This is the only user in the domain that gets locked out. He does switch between our wireless and network environment, which I believe should not contribute to the problem?
>
> Does anyone have any ideas?
>
> Thanks in advance,
>
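The two log formats quoted in the thread (ALOCKOUT.DLL trace lines on the client, and the DC's "Ticket Request Failed" audit events) parsed into process lifetimes and decoded failure codes, as an added example that is not code from any poster. The sample lines, user, server name and address embedded below are constructed placeholders; the failure code names are the standard Kerberos KDC error codes (0x12 KDC_ERR_CLIENT_REVOKED, 0x18 KDC_ERR_PREAUTH_FAILED).

```python
import re
from datetime import datetime
# Kerberos KDC error codes as printed in the DC audit "Failure Code" field.
KRB_ERRORS = {0x12: "KDC_ERR_CLIENT_REVOKED (account locked out, disabled or expired)",
              0x18: "KDC_ERR_PREAUTH_FAILED (wrong password)"}
ALOCKOUT_RE = re.compile(r"^(?P<ts>\w{3} \w{3} \d\d \d\d:\d\d:\d\d \d{4}), PID:\s*(?P<pid>\d+),"
                         r" Thread:\s*\d+, Image (?P<image>.+?),ALOCKOUT\.DLL - (?P<event>\w+)")

def parse_alockout(text):
    # One dict per ALOCKOUT.DLL trace line; the image path is reduced to its basename.
    recs = []
    for m in filter(None, map(ALOCKOUT_RE.match, text.strip().splitlines())):
        recs.append({"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                     "pid": int(m["pid"]), "event": m["event"].lower(),
                     "image": m["image"].rsplit("\\", 1)[-1].lower()})
    return recs

def process_sessions(recs):
    # Pair each DLL_PROCESS_ATTACH with its detach by PID -> (image, pid, start, end),
    # i.e. which processes were alive, and for how long, around the lockout time.
    open_, out = {}, []
    for r in recs:
        if r["event"] == "dll_process_attach":
            open_[r["pid"]] = r
        elif r["pid"] in open_:
            s = open_.pop(r["pid"])
            out.append((s["image"], r["pid"], s["ts"], r["ts"]))
    return out

def parse_kerberos_failures(text):
    # One dict per "... Ticket Request Failed:" block, with the failure code decoded.
    events = []
    for line in map(str.strip, text.splitlines()):
        if line.endswith("Request Failed:"):
            events.append({"event": line.rstrip(":")})
        elif events and ":" in line:
            key, val = (s.strip() for s in line.split(":", 1))
            events[-1][key] = val
            if key == "Failure Code":
                events[-1]["reason"] = KRB_ERRORS.get(int(val, 16), "unknown code " + val)
    return events
# Constructed sample input in the two formats quoted in the thread (placeholder names/IPs).
ALOCKOUT_LOG = r"""
Wed Jan 17 09:50:29 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - DLL_PROCESS_ATTACH
Wed Jan 17 09:50:41 2007, PID:  3216, Thread:  2920, Image C:\PROGRA~1\OFFICE11\OUTLOOK.EXE,ALOCKOUT.DLL - dll_process_detatch
"""
DC_EVENTS = """
Service Ticket Request Failed:
      Service Name:   exchangeMDB/MAILSRV
      Failure Code:   0x12
      Client Address: 10.0.0.5
"""
```

A 0x12 on a ticket request, as in the original post, only says the KDC already treated the account as locked; the lockout itself comes from the earlier 0x18 (bad password) failures, so it is those events whose time should be matched against the process lifetimes from the ALOCKOUT trace.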

