LucaBuratti-6895 asked LucaBuratti-6895 answered

User Account Lockout

I've got many users locked out; my limit is 20 bad passwords. As you can see in the picture, event 4776 is present many times in the same minute, so it can't be a user attempt. The Netlogon log is registering the PID, but it is not possible to catch it on the destination computer: the associated process is gone after the bad password event. Moreover, on the client machine the error is not replicated in the Security event log. I've reached the same conclusions as Mr. Joe Alves here: https://social.technet.microsoft.com/Forums/en-US/64c744f7-265c-46d4-a59e-35bafc17e3fd/kerberos-preauth-lockouts?forum=winserversecurity But I don't understand what he means when he says "To fix it I created a normal domain account and used that on both servers." Is there a particular procedure to follow? My accounts are all created with Active Directory Users and Computers ... Thank you, Luca (attached image: 79631-image.png)

windows-active-directory

FanFan-MSFT answered LucaBuratti-6895 commented

Hi,

Are any events logged on the source computer?
If not, I would suggest you enable the audit policy on the source workstation as follows:
(attached image: 3221.jpg)
If there is any progress, welcome to share it here!

Best Regards,




The events of the guest machine during the lockout are clear (picture 1.png).
The events on the server are reporting all the failed attempts (2.png), in this case 7 in 5 seconds.

(attached images: 1.png, 2.png)


LucaBuratti-6895 answered FanFan-MSFT commented

With LockoutStatus I've noticed that the user's count goes from 0 to 1 attempt when browsing network folders, but goes to 11 when opening an empty Word document.

Can it be KMS related?


Not sure about the reason.
More logs and information need to be collected.
For security reasons, I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business

Best Regards,

LucaBuratti-6895 answered FanFan-MSFT commented

Further investigations point me to a network problem, maybe related to ADFS.

All my shared mapped drives are done with ADFS 6 (Windows 2019); when the monitored user tries to open a network share, the LockoutStatus count goes up, sometimes by 2, other times by 4 or 6, with 0xC000006A.

The really weird thing is that the PID mentioned in the Netlogon log

[LOGON] [3424] : SamLogon: Network logon of user from PC Entered
03/24 08:14:23 [LOGON] [3424] : SamLogon: Network logon of user from PC Returns 0xC000006A

will never appear in Procmon.

I've started monitoring the target machine with this program, but in 5 million events PID 3424 is missing,
and so on with other PIDs and other attempts.


Hi,
If you have any updates, welcome to share them here!
Best Regards,

LucaBuratti-6895 answered FanFan-MSFT commented

In the NETLOGON log the thread ID is shown, not the PID:

03/24 14:32:15 [LOGON] [**9880**] SamLogon: Network logon of user from PC Entered
03/24 14:32:15 [LOGON] [**9880**] SamLogon: Network logon of user from PCP Returns 0xC000006A

The PID is shown in the Windows Security event log of the PDC:
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2021-03-24T13:32:26.441369800Z" />
<EventRecordID>81355893</EventRecordID>
<Correlation />
<Execution ProcessID="652" ThreadID="9880" />
<Channel>Security</Channel>
<Computer>serverzacmi1.zacmi.lan</Computer>

So the incriminated process is lsass.exe, but what is wrong?

(attached image: 1.png)




If you want professional help with the log analysis,
I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business

RamanjaneyuluButharaju-8253 answered LucaBuratti-6895 commented

Hello Luca,

We have faced a similar kind of problem recently with 5 Active Directory domain users. My lockout attempt limit is 5 times. And this became very frequent when this work-from-home situation started.

This might be due to multiple reasons, I guess. Here is step-by-step how I resolved it.

1. Domain controller > Event logs > Filter > 4740 (account lockout) - (domain username)

Here you can get the "Caller Computer Name" (the name of the computer account, e.g. Client34, from which the login attempt was generated).

Go to > Client34 system > check if there are any network mapped drives and disconnect them.

The reason why we need to disconnect network mapped drives is that when you first saved the mapped drive you saved the credentials, so it won't ask for the password even when you restart the system. Consider that you changed the domain user password and this mapped drive still tries to connect to the network share with the same old password; after it has attempted multiple times, the account will be locked out.

2. Also check that you are not logging into a temporary domain profile, and make sure you log into the system with the updated domain user password.

3. If you are using SSO for the domain and Outlook, remove the saved credentials from Credential Manager and check.

Wishing you very good luck.


Regards,
Ram

Yes, I think that this is the right way to go.
I can confirm that all the users have a laptop and a password policy.
All the users have changed their password.

Our password policy is set to 20 attempts; Microsoft suggests at least 10:
https://docs.microsoft.com/it-it/windows/security/threat-protection/security-policy-settings/account-lockout-threshold

My further surveys have driven me to this article:
https://docs.microsoft.com/it-it/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication
If I do that in the domain's computer GPO, the issue seems to disappear on all affected machines.

But there is a horrible side effect: if you do it this way, it becomes impossible to map a drive with other creds because the Windows Credentials are disabled!
https://forum.cristie.com/t/system-error-1312-a-specified-logon-session-does-not-exist/618

My first tests are showing 0 lockouts (4740) but some 4776.
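Ram's first step (filter 4740 on the domain controller for the Caller Computer Name) and Luca's observation of 4776 bursts (7 failures in 5 seconds) can be scripted on the PDC emulator. The following PowerShell is an added example written for this thread, not code from either poster; it assumes it runs on the PDC with rights to read the Security log, and the 60-second burst window is an assumed threshold.

```powershell
# Added example: summarise 4740 lockouts and 4776 bad-password bursts from the
# Security log. Assumes it runs on the PDC emulator (or via remoting to it).
param(
    [int]$Hours = 24,
    [int]$BurstWindowSeconds = 60   # assumed window for "many 4776 in the same minute"
)

function Get-EventField($Event, $Name) {
    # 4740/4776 carry their details as <Data Name="..."> elements in the event XML
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4776; StartTime = $since } `
          -ErrorAction SilentlyContinue

# 4740: TargetDomainName holds the "Caller Computer Name" (the machine that caused the lockout)
$lockouts = foreach ($e in $events | Where-Object Id -eq 4740) {
    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = Get-EventField $e 'TargetUserName'
        Caller = Get-EventField $e 'TargetDomainName'
    }
}

# 4776 with Status 0xC000006A = wrong password; keep user and source workstation
$badPw = foreach ($e in $events | Where-Object Id -eq 4776) {
    if ((Get-EventField $e 'Status') -ne '0xC000006A') { continue }
    [pscustomobject]@{
        Time        = $e.TimeCreated
        User        = Get-EventField $e 'TargetUserName'
        Workstation = Get-EventField $e 'Workstation'
    }
}

# For each user/workstation pair, find the largest number of failures inside one window;
# a high MaxInWindow points at a stored credential retrying, not a human typing
$bursts = $badPw | Group-Object User, Workstation | ForEach-Object {
    $times = @(($_.Group | Sort-Object Time).Time)
    $max = 0
    foreach ($t in $times) {
        $n = @($times | Where-Object { $_ -ge $t -and $_ -lt $t.AddSeconds($BurstWindowSeconds) }).Count
        if ($n -gt $max) { $max = $n }
    }
    [pscustomobject]@{ User = $_.Group[0].User; Workstation = $_.Group[0].Workstation
                       Failures = $times.Count; MaxInWindow = $max }
}

$lockouts | Sort-Object Time | Format-Table -AutoSize
$bursts   | Sort-Object MaxInWindow -Descending | Format-Table -AutoSize
```

The Workstation column of the 4776 bursts is the machine to check for mapped drives and Credential Manager entries, as in Ram's steps 1 and 3.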

LucaBuratti-6895 answered

So now I'm at a dead end.
If DisableDomainCreds is active, the actual credentials are not cached, so it means that if the laptop's user is at home he cannot log in to his computer, even if CachedLogonsCount is set to 100!
