User Account keeps locked out
There are many reasons that make domain users locked out and we can list some of those reasons and how can we resolve it
A. Cashed password used by any application or saved manually by user
The above scenario may be case an account to be locked out after changing user password because the application try to use and authenticate using the old password to resolve this issue please follow the below steps to remove all saved passwords
1. Point start and open run
2. In the open filed type (rundll32.exe keymgr.dll, KRShowKeyMgr) and press enter
3. A new GUI named stored user Names and passwords will appear
4. You can use this interface to remove or edit all cashed passwords (remove all of them because this kind of cashed passwords not recommended it may be used against you if anyone have a physical access to this machine
5. After that rest the user password and use the new one
B. Kind of dictionary attack may cause the user account to be locked out
To determine which machine is the root cause of this kind of dictionary attack you need to enable debug logging for Net Logon Service that will help
1. Open run type CMD and press enter
2. In the command line window type nltest /dbflag:0x20000004 and press enter to enable the logging debug http://support.microsoft.com/default.aspx?scid=kb;en-us;109626
3. Rested the net logon service after that you will find netlogon.log under %systemdrive%\debug
4. Open that log file and observe the information available in that log file
5. Please refer to that table that describe every code number http://technet.microsoft.com/en-us/library/cc776964(WS.10).aspx
0x0 Successful login
0xC0000064 The specified user does not exist
0xC000006A The value provided as the current password is not correct
0xC000006C Password policy not met
0xC000006D The attempted logon is invalid due to a bad user name
0xC000006E User account restriction has prevented successful login
0xC000006F The user account has time restrictions and may not be logged onto at this time
0xC0000070 The user is restricted and may not log on from the source workstation
0xC0000071 The user account's password has expired
0xC0000072 The user account is currently disabled
0xC000009A Insufficient system resources
0xC0000193 The user's account has expired
0xC0000224 User must change his password before he logs on the first time
0xC0000234 The user account has been automatically locked
6. The last code 0xC0000234 will lead you to the source of that attack
7. After that please scan this machine with update AV to clean that kind of attacks
8. You can disable the logging debug by typing ( nltest /dbflag:0x0) on the command line and then restart the net logon service
At the end you can find a very useful toll provided by Microsoft used to troubleshoot account lockouts
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
