URL: https://community.spiceworks.com/topic/844194-frequent-account-locked-out-event-id-4740

FREQUENT ACCOUNT LOCKED OUT - EVENT ID 4740

Posted by SimonL on Mar 17th, 2015 at 8:40 AM
General Windows

We have frequent account lockouts that seem to be originating at users'
workstations:

A user account was locked out.

Subject:
  Security ID:    S-1-5-18
  Account Name:   DomainController$
  Account Domain: NT_DOMAIN
  Logon ID:       0x3e7

Account That Was Locked Out:
  Security ID:    S-1-5-21-2030126595-979527223-1756834886-1337
  Account Name:   JohnS

Additional Information:
  Caller Computer Name: JohnS-PC

It affects only certain workstations on the domain, and we cannot pinpoint what
is actually causing this behavior. We started noticing it last week, on the day
we added a new routable UPN suffix to all domain users. We have no idea if this
is the cause or just a coincidence. We've seen this happening before, but it
was usually caused by phones or persistent network connections, not
workstations. Any ideas how to track down the problem?


13 REPLIES

 * Rambling Biped
   Mar 17th, 2015 at 8:53 AM
   
   Could someone have scripted something like a manual persistent drive mount
    on startup and specified credentials with an expired password?
   
 * Gary D Williams
   Mar 17th, 2015 at 8:54 AM
   
   You've got the computer name, so it's a matter of looking at that computer for
   any services that are using accounts that they shouldn't be.
   
   Also check for any scheduled tasks and any scripts that have credentials in
   them.
   
   Drives mapped under user credentials could also cause this.
   
 * mynameisjona
   Mar 17th, 2015 at 8:54 AM
   
   Have you tried clearing out any cached credentials on that PC?
   
 * ChrisOU812
   Mar 17th, 2015 at 8:57 AM
   
   Do you know who the JohnS account belongs to?
   
   Has someone changed their password and not logged off and back on to their
   device?
   
   
   I have seen issues where an AD account password was changed but the user's
   Outlook account was trying to authenticate, causing this behavior. Once the
   user logged off the device and logged back in, the issue was resolved.
   
   Are there any scheduled tasks or services running with this account used for
   authentication?
   
   Also, what is the Logon Type? (If any; this is usually 3 for internal and I
   think 10 is usually a remote login.)
   
   http://www.windowsecurity.com/articles-tutorials/misc_network_security/Logon-Types.html
   
   *Also, the cached creds that mynameisjona mentioned are a good thing to look
   at as well.
   
   
   *Sorry if I repeated what others posted --- I didn't see the replies when I
   started.
   
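The replies above (Gary D Williams, mynameisjona and ChrisOU812) all point at the
same hunt on the workstation that 4740 names as "Caller Computer Name": services,
scheduled tasks, mapped drives and Credential Manager entries that carry the
user's old password. The script below is an added example by the editor, not code
from the thread. It assumes an elevated PowerShell 5.1 session on Windows 8.1 /
Server 2012 R2 or later (for Get-ScheduledTask and Get-SmbMapping); $User and
$Domain default to the values from the 4740 in the original post. The 4648 check
answers ChrisOU812's logon-type question from the other direction: 4648 on the
workstation records which process presented explicit credentials, and to which
server.

```powershell
# Added example (editor's, not from the thread): on the workstation named in 4740,
# list everything that could present the user's password on its own.
# Assumptions: elevated PS 5.1 on Win 8.1 / 2012 R2+; $User/$Domain from the 4740 event.
# cmdkey and Get-SmbMapping only see the vault and mappings of the account running
# the script, so run those two steps while logged on as the affected user too.
param(
    [string]$User   = 'JohnS',
    [string]$Domain = 'NT_DOMAIN'
)

# Matches "JohnS", "NT_DOMAIN\JohnS", ".\JohnS" and "JohnS@suffix" at line or string end.
$pattern = "(?im)(^|\\)$([regex]::Escape($User))(@|`$)"

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Detail = $Detail })
}

# 1. Services whose logon account is the user.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) runs as $($_.StartName) [$($_.State)]" }

# 2. Scheduled tasks whose principal is the user, custom or not.
Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.Principal.UserId -match $pattern } |
    ForEach-Object { Add-Finding 'ScheduledTask' "$($_.TaskPath)$($_.TaskName) as $($_.Principal.UserId) [$($_.State)]" }

# 3. Persistent drive mappings; the remote server is where a stale password gets replayed.
Get-SmbMapping -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'MappedDrive' "$($_.LocalPath) -> $($_.RemotePath) [$($_.Status)]" }

# 4. Credential Manager entries that name the user (the "cached credentials" advice).
#    cmdkey prints one "Target:/Type:/User:" group per entry; split on the Target line.
(cmdkey /list 2>$null) -join "`n" -split '(?=Target:)' |
    Where-Object { $_ -match $pattern } |
    ForEach-Object { Add-Finding 'CredentialManager' (($_ -replace '\s+', ' ').Trim()) }

# 5. Event 4648 (logon with explicit credentials) in the last 24 h: ProcessName and
#    TargetServerName identify the software that is actually presenting the password.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
        if ($d['TargetUserName'] -match $pattern) {
            Add-Finding 'ExplicitLogon' "$($_.TimeCreated) $($d['ProcessName']) -> $($d['TargetServerName']) as $($d['TargetDomainName'])\$($d['TargetUserName'])"
        }
    }

$findings | Format-Table -AutoSize -Wrap
```

Anything under ScheduledTask or Service with a stored password is a finding even
if it belongs to a product that was uninstalled long ago; an empty result for all
five sections on the named computer is itself useful, because it means the bad
password is coming from something that does not run as that user at all (another
machine with a look-alike hostname, or a network client, as later replies show).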
 * AshB13
   Mar 17th, 2015 at 9:02 AM
   
   Some more tips here
   
   http://community.spiceworks.com/how_to/3647-what-to-do-if-an-account-keeps-locking-out
   
 * zuphzuph
   Mar 17th, 2015 at 9:26 AM
   
   I'd look at scripts, services (run as...) and any other .ini that may contain
   the user's creds.
   
   
 * OP SimonL
   Mar 17th, 2015 at 9:33 AM
   
   We have suspected that it may be old mappings or scheduled tasks, but one of
   the affected users does not have any mapped drives, running scripts or
   scheduled tasks; basically, she is using only Outlook / PPoint / Excel and
   nothing else, so we do not think this is the issue. I've noticed and removed
   some cached credentials and will let you know tomorrow if it worked (thanks
   for the tip). If not, I'll check all the services to see what credentials
   they are using.
   
   On affected computers we can also see Events 4771: Kerberos
   pre-authentication failed. Wonder if disabling Kerberos pre-authentication in
   account settings would solve the problem.
   
   Anyway, thanks for all tips - so far we've cleared some cached credentials
   and will see if this fixes the issue - will let you know tomorrow.
   
 * mynameisjona
   Mar 17th, 2015 at 9:59 AM
   
   Actually...... Is there any custom service that was set to use the user as
   the login account?
   
 * OP SimonL
   Mar 18th, 2015 at 8:50 AM
   
   Removing cached credentials fixed the problem in a few instances, but not all
   of them. Checked the services, scheduled tasks, mapped drives and so on
   carefully; everything seems to be OK. Some scheduled tasks are running under
   user network credentials, but there are no custom ones.
   
   We have noticed a couple of other events that may be interconnected:
   
   Event ID: 4634
   
   An account was logged off.
   Subject:
     Security ID:    S-1-5-21-2030126595-979527223-1756834886-4710
     Account Name:   JohnS
     Account Domain: NT_DOMAIN
     Logon ID:       0x2bc95a7
     Logon Type:     3
   
   and
   
   Event ID: 4771
   
   Kerberos pre-authentication failed.
   Account Information:
     Security ID:    S-1-5-21-2030126595-979527223-1756834886-4710
     Account Name:   JohnS
   Service Information:
     Service Name:   krbtgt/DOMAIN-INTERNAL.COM
   Network Information:
     Client Address: ::ffff:10.0.4.x
     Client Port:    65477
   Additional Information:
     Ticket Options:          0x40810010
     Failure Code:            0x12
     Pre-Authentication Type: 0
   
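The 4771 above is the other half of the lockout picture, and it is worth reading
the failure code before touching the account: 0x18 (KDC_ERR_PREAUTH_FAILED) is the
wrong-password attempt that counts towards the lockout threshold, while 0x12
(KDC_ERR_CLIENT_REVOKED), the code in the post, is what the KDC returns once the
account is already locked or disabled, so it shows who is still retrying rather
than what caused the lockout. Turning off pre-authentication, as the OP wondered
about earlier, does not stop those retries; it only lets anyone request an
AS-REP for the account and crack it offline. The script below is an added example
by the editor, not code from the thread: it pulls the 4740s from the PDC emulator
(the only DC that always records them) and the 4771s from every DC, then lists,
for each lockout, the client addresses and decoded failure codes seen for that
account in the preceding minutes. It assumes the RSAT ActiveDirectory module,
remote read access to the DCs' Security logs, and Kerberos clients; $Hours and
$Window are assumed values. Clients that fall back to NTLM produce 4776 on the DC
instead, with the same EventData layout.

```powershell
# Added example (editor's, not from the thread): pair each 4740 with the 4771s
# for the same account in the minutes before it.
# Assumptions: RSAT ActiveDirectory module; read access to DC Security logs;
# $Hours/$Window are illustrative values, not from the post.
param(
    [int]$Hours  = 24,   # how far back to look for 4740 lockouts
    [int]$Window = 15    # minutes before a 4740 in which 4771s count as related
)

# Kerberos error codes as they appear in 4771 "Failure Code".
$KrbErr = @{
    '0x6'  = 'C_PRINCIPAL_UNKNOWN'
    '0x12' = 'CLIENT_REVOKED (already locked/disabled)'
    '0x17' = 'KEY_EXPIRED'
    '0x18' = 'PREAUTH_FAILED (bad password)'
    '0x25' = 'AP_ERR_SKEW (clock skew)'
}

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name=...> elements into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml(); $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
    $d
}

$since = (Get-Date).AddHours(-$Hours)
$pdc   = (Get-ADDomain).PDCEmulator
$dcs   = (Get-ADDomainController -Filter *).HostName

# 4740 is always chained to the PDC emulator; 4771 is only written by the DC that
# answered the AS-REQ, so lockouts come from the PDC and pre-auth failures from all DCs.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue

$preauth = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $since.AddMinutes(-$Window) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        $code = [string]$d['Status']
        [pscustomobject]@{
            Time = $_.TimeCreated
            User = $d['TargetUserName']
            Ip   = $d['IpAddress'] -replace '^::ffff:', ''   # strip the IPv4-mapped prefix seen in the post
            Code = if ($KrbErr.ContainsKey($code)) { $KrbErr[$code] } else { $code }
            DC   = $dc
        }
    }
}

foreach ($e in $lockouts) {
    $d   = ConvertFrom-EventData $e
    $hit = $preauth | Where-Object {
        $_.User -eq $d['TargetUserName'] -and
        $_.Time -ge $e.TimeCreated.AddMinutes(-$Window) -and $_.Time -le $e.TimeCreated
    }
    [pscustomobject]@{
        LockedAt = $e.TimeCreated
        User     = $d['TargetUserName']
        Caller   = $d['TargetDomainName']   # in 4740 this field carries "Caller Computer Name"
        Sources  = ($hit | Group-Object Ip, Code | Sort-Object Count -Descending |
                    ForEach-Object { "$($_.Name) x$($_.Count)" }) -join '; '
    }
}
```

A lockout whose Sources column shows 0x18 from one client address, followed by a
run of 0x12 from the same address, is the normal shape of a stale stored
credential; 0x18 from an address that is not the caller computer is the
look-alike-hostname or network-client case described further down the thread.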
 * ChrisOU812
   Mar 19th, 2015 at 10:47 AM
   
   Do you mean scheduled tasks running as a specific user or as any logged-on
   user?
   
   Doesn't matter if the tasks are custom or not, I would disable the tasks
   associated with a user's id temporarily just to see if the authentication
   failures stopped.
   
   Is the account still getting locked out?
   
   You might also verify that the user profile isn't corrupt and logging on as
   temp.
   
   
 * OP SimonL
   Mar 24th, 2015 at 4:41 AM
   
   Turned out it was Outlook. As I said, we've added a new routable UPN suffix
   (the old one was not routable and we need a routable one to implement AD
   federation for Office 365 later this year).
   
   Anyway, we do not host Exchange, but rely on a 3rd party provider. Some of our
   older AD user accounts were not synced with Exchange, and when we added the new
   UPN suffix Outlook got confused about which account to use (domain or Exchange).
   So basically syncing the Exchange and domain accounts fixed the problem.
   
 * blueshore
   Aug 21st, 2015 at 7:46 AM
   
   I had a similar situation and it took me a while to solve it.
   
   Turns out that it was a machine with a similar hostname that had stale
   credentials in the Credential Manager and was trying to get access to the
   network printers.
   
   Lesson here: 10Ol IO0I0OI. Be aware of one (1), zero (0), letter "i" (I),
   letter "L" (l), and letter "o" (O).
   
   
 * Z77
   Mar 9th, 2017 at 9:07 AM
   
   Had the same issue for two users in a domain environment. We were seeing 2 user
   accounts getting locked daily, with over 50 failed authentications every 10
   minutes.
   
   One PC used to be a shared PC with multiple Outlook profiles, and Credential
   Manager had old/bad credentials stored for multiple accounts. First, I
   removed all Outlook creds and re-entered the proper info on program launch.
   This didn't work to fix the problem.
   
   I also found multiple Scheduled Tasks for a program that was uninstalled
   years ago, with saved (expired) AD Credentials. This also didn't work to fix
   the problem.
   
   
   I've also checked network scanners (SMB shares), system services running as
   the user, or anything else that might have been using the user's credentials
   without success.
   
   The issue for me ended up being a bot trying to brute force these two PCs
   directly- they had non-standard RDP ports opened at 3390 and 3391. The bot
   was smart enough to port scan by protocol and even if I re-changed the RDP
   ports, they'd still be hit. We decided to close all RDP ports and install the
   SonicWALL Global VPN client for our remote users and stick with the tried and
   true secure connection methods we know.
   
   
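Z77's case is the one the earlier checklist cannot find, because nothing on the
workstation is holding the password: the failures arrive over the network at an
exposed RDP listener. The script below is an added example by the editor, not code
from the thread. Run elevated on the workstation, it reports where RDP is actually
listening (non-default ports such as 3390/3391 are set in the registry value it
reads) and then groups the local 4625 failed-logon events by source address,
logon type and target account, with the NTSTATUS sub-status decoded enough to
tell a bad password from an already-locked account. It assumes failure auditing
for Logon is enabled so that 4625 is recorded at all, and $Hours is an assumed
value. With Network Level Authentication on, RDP brute force shows up as logon
type 3 (the CredSSP exchange) rather than 10, which is why the grouping keeps
both.

```powershell
# Added example (editor's, not from the thread): is the lockout source a remote
# client hammering this machine rather than software running on it?
# Assumptions: elevated session on the workstation; "Audit Logon: Failure" enabled;
# $Hours is illustrative.
param([int]$Hours = 24)

# RDP listener configuration: custom ports live in PortNumber, fDenyTSConnections=1 means RDP is off.
$rdpPort   = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp').PortNumber
$rdpDenied = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server').fDenyTSConnections
$listener  = Get-NetTCPConnection -State Listen -LocalPort $rdpPort -ErrorAction SilentlyContinue
"RDP port $rdpPort; connections denied=$rdpDenied; socket listening=$([bool]$listener)"

$LogonType = @{
    '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'; '7' = 'Unlock'
    '8' = 'NetworkCleartext'; '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}
$SubStatus = @{
    '0xc000006a' = 'bad password'; '0xc0000234' = 'account locked out'
    '0xc0000064' = 'no such user';  '0xc000006d' = 'bad username or auth info'
}

Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
        $lt = [string]$d['LogonType']; $ss = ([string]$d['SubStatus']).ToLower()
        [pscustomobject]@{
            # IpAddress is '-' for local attempts; fall back to the workstation name then.
            Source    = if ($d['IpAddress'] -and $d['IpAddress'] -ne '-') { $d['IpAddress'] } else { $d['WorkstationName'] }
            LogonType = "$lt ($($LogonType[$lt]))"
            Account   = $d['TargetUserName']
            Reason    = if ($SubStatus.ContainsKey($ss)) { $SubStatus[$ss] } else { $ss }
            Process   = $d['ProcessName']   # set for local attempts, '-' for network ones
        }
    } |
    Group-Object Source, LogonType, Account |
    Sort-Object Count -Descending |
    Select-Object Count,
                  @{ n = 'Source, LogonType, Account'; e = { $_.Name } },
                  @{ n = 'Reason';  e = { ($_.Group.Reason  | Sort-Object -Unique) -join ', ' } },
                  @{ n = 'Process'; e = { ($_.Group.Process | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize
```

Dozens of "bad password" rows for one account from an address outside the site's
subnets, all with Process '-', is the brute-force pattern; the fix in that case
is the one Z77 reached, removing the RDP exposure rather than hunting for a
credential on the workstation.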
