Score:0

AD keeps locking my account every 5 minutes, but without reason?

I know there are many threads similar to mine, but maybe I'm too stupid to understand all this information.

My problem is that I changed my password, and since then I get locked every ~5 minutes. I don't have any scripts that use my creds, and also no known service that would use them.

Our PDC DC is DC02 and this is from its netlogon.log:

```
07/21 07:42:13 [LOGON] [5932] DOMAIN: SamLogon: Network logon of DOMAIN\MYUSERNAME from MYLAPTOP Entered
07/21 07:42:13 [LOGON] [5932] DOMAIN: SamLogon: Network logon of DOMAIN\MYUSERNAME from MYLAPTOP Returns 0x0
```

And if I'm locked, I see this in the log:

```
07/21 07:46:59 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Entered
07/21 07:46:59 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Returns 0xC0000234
07/21 07:46:59 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Entered
07/21 07:46:59 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Returns 0xC0000234
07/21 07:47:00 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Entered
07/21 07:47:00 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Returns 0xC0000234
07/21 07:47:00 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Entered
07/21 07:47:00 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Returns 0xC0000234
```

Event ID 4740 from Event Viewer: [image]

It seems like something is blocking the logging of this event ID, 'cause I get no events.

Is there some way I can trace the programs on my laptop that could cause this, or any log that records when a program uses wrong creds?

I also tried it with ALockout.dll, but this won't create a file in C:\Windows\debug\.

My network drives; these are the only ones I have, and they are mapped by our domain: [image]

Also, I did this yesterday:

[image]

I reinstalled Office and MS Teams, cleaned the Credential Manager entries where I saw my username, and ran sfc /scannow. I also rebooted a few times yesterday.

I also use the Netwrix Account Lockout Examiner Console to unlock myself, but it looks weird to me, 'cause my Bad Pwd Count is 0: [image]

Drifter104:
Have a look at scheduled tasks and services that use your credentials.
lucki1000:
I forgot my work laptop, but tomorrow, I'll update my post with all the things I already disabled @Drifter104
br flag
Don’t forget mapped network drives where you explicitly entered your credentials.
lucki1000:
Post is updated.
LeeM:
Just realised that poorly formatted list of events included events coming from your own computer. You need to check **4740** events on the DCs to ensure it's not being triggered from somewhere else. If you have multiple DCs, you can find the last one that had a bad logon attempt (before it locks) with this (requires AD PowerShell module): `$u = (get-aduser "USERNAME").distinguishedName; (Get-ADReplicationAttributeMetadata $u -Server (Get-ADDomainController).hostname | where attributename -eq lockouttime) | ft server,LastOriginatingChangeTime -auto`
lucki1000:
@LeeM I updated my post with a picture of the events that I get if I filter on our PDC DC for event 4740.
bjoster:
Check the Windows Credential Manager (classic Control Panel). Maybe the 'save credentials' box was ticked on some old connection(s).
ca flag
Did you log out of your active session and login with the new credentials?
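
The netlogon.log lines quoted in the question can be tallied per source and status code. This is an added example, not part of the original thread: the sample lines are constructed in the quoted format (the 0xC000006A line is an assumed wrong-password attempt preceding the lockout), and the path in the comment is the default netlogon.log location.

```powershell
# Constructed sample lines in the netlogon.log format quoted in the question.
# On a DC, read the real log instead:
#   $lines = Get-Content "$env:SystemRoot\debug\netlogon.log"
$lines = @(
    '07/21 07:42:13 [LOGON] [5932] DOMAIN: SamLogon: Network logon of DOMAIN\MYUSERNAME from MYLAPTOP Entered'
    '07/21 07:42:13 [LOGON] [5932] DOMAIN: SamLogon: Network logon of DOMAIN\MYUSERNAME from MYLAPTOP Returns 0x0'
    '07/21 07:46:58 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Returns 0xC000006A'
    '07/21 07:46:59 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Returns 0xC0000234'
    '07/21 07:47:00 [LOGON] [7244] DOMAIN: SamLogon: Transitive Network logon of DOMAIN\MYUSERNAME from MYLAPTOP (via DC05) Returns 0xC0000234'
)

# NTSTATUS codes commonly seen while chasing lockouts.
$ntStatus = @{
    '0xC0000064' = 'STATUS_NO_SUCH_USER'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC0000071' = 'STATUS_PASSWORD_EXPIRED'
    '0xC0000072' = 'STATUS_ACCOUNT_DISABLED'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

# Only "Returns" lines carry a result; "Entered" lines do not match.
# The source name can be empty in real logs, so it is allowed to be blank.
$pattern = '^(?<date>\d\d/\d\d) (?<time>\d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: .*?logon of (?<user>\S+) from\s+(?<src>[^\s(]*)\s*(?:\(via (?<via>[^)]+)\)\s*)?Returns\s+(?<status>0x[0-9A-Fa-f]+)\s*$'

$failures = foreach ($line in $lines) {
    if ($line -match $pattern -and $Matches.status -ne '0x0') {
        [pscustomobject]@{
            Time   = "$($Matches.date) $($Matches.time)"
            User   = $Matches.user
            Source = $Matches.src
            Via    = $Matches.via      # machine that forwarded the request to this DC
            Status = $Matches.status
        }
    }
}

# One row per (user, source, forwarder, status), in order of first appearance.
$failures | Group-Object User, Source, Via, Status | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        First = $first.Time; Last = $_.Group[-1].Time; Count = $_.Count
        User = $first.User; Source = $first.Source; Via = $first.Via; Status = $first.Status
        Meaning = if ($ntStatus.ContainsKey($first.Status)) { $ntStatus[$first.Status] } else { 'unknown' }
    }
} | Sort-Object First | Format-Table -AutoSize
```

Rows with 0xC0000234 only show attempts made while the account was already locked; the rows that precede them with a wrong-password status are the ones that identify what is still sending the old password.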
Score:0

Event ID 4740 is generated on the Domain Controller with the PDC FSMO role when an account is locked out.

If your PDC is not generating these events, then ensure the "Audit Account Lockout" policy is enabled with both Success and Failures.

You can find the policy here:

Computer Configuration > Policies > Windows Settings > Security Settings > Advanced Audit Policy > Logon/Logoff
