# Constant lock out events but account still logs in



## asgt (Jan 23, 2007)

Hi

This problem is getting me very confused, I hope you can help! First the event logs:

My "main" domain controller (the one in the Head Office which also holds all the FSMO roles) is generating a lot of Event ID: 680 events in the Security Log. All are for the same user account - Master and the Source Workstation is set to Master as well (there is no workstation or server on the domain with that name). The logon attempt is showing as "Microsoft_authentication_package_v1_0" which I'm not familiar with.

There are also several "Pre-authentication failed" errors with Event ID of 675 for my username (not the master account). The client address on these events is the IP address of my PC but there is nothing obvious triggering them from my PC.

If that wasn't enough, the Master user account and DC are also generating many 644 events showing the user as locked out. The account name is listed as Master, as is the "Caller Machine Name". The "Caller user name" is showing as DCNAME$ as if to indicate a share on the DC.


So, as well as the event logs, there are some other strange symptoms. The account locks itself out and unlocks itself apparently at random (group policy is set so that once an account is locked out, it stays locked out until an admin unlocks it). When looking at the account with lockoutstatus.exe the "Bad Pwd Count" varies between 0, 33 and 66. The "Orig Lock" is always the name of the main DC. Refreshing the lockoutstatus screen can show wildly different results (locked out/not locked out/bad pwd count/lockout time) in very short time gaps.


As far as I know, the only thing to be installed on the affected DC this week is an updated version of Sophos AV and there don't seem to be any processes or services running under that account.

I think the master account is a renamed administrator account (probably the default domain one) but I'm not 100% as the domain was created long before I joined the company by people who have long since left.

The other 30-odd Domain Controllers are not showing these errors. All DCs are Win2003.


I've been working on finding the source of this for a couple of days now so any ideas on what could be causing this or what to check would be gratefully received!

Cheers

Andy


----------



## asgt (Jan 23, 2007)

Meant to add, even when the account is locked out, you can still use it to log into the main DC via RDP.

Cheers


----------



## Rockn (Jul 29, 2001)

Possible service accounts set up under your account or the other user's account? Maybe the renamed admin account is trying to be used as a service account and it is failing due to it being renamed.


----------
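An added example, not part of any post in this thread: a Python triage of the three event types described in the opening post (680, 675, 644) that groups them by account and reported source, then lists workstation names that match no machine in an inventory. The event text, host names, user name and address are constructed, and the field labels beyond those quoted in the thread are assumed from the Windows Server 2003 Security log layout.

```python
import re
from collections import Counter

# Per event ID: (field naming the account, field naming where the attempt came from).
FIELDS = {
    680: ("Logon account", "Source Workstation"),        # NTLM credential validation
    675: ("User Name", "Client Address"),                # Kerberos pre-authentication failed
    644: ("Target Account Name", "Caller Machine Name"), # account locked out
}

# Constructed description text; 0xC000006A = wrong password, 0x18 = Kerberos pre-auth failure.
E680_MASTER = ("Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
               "Logon account: Master\nSource Workstation: MASTER\nError Code: 0xC000006A")
E680_OTHER = ("Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0\n"
              "Logon account: jdoe\nSource Workstation: \\\\WS042\nError Code: 0xC000006A")
E644 = ("User Account Locked Out:\nTarget Account Name: Master\n"
        "Caller Machine Name: MASTER\nCaller User Name: DC01$")
E675 = ("Pre-authentication failed:\nUser Name: auser\nService Name: krbtgt/EXAMPLE\n"
        "Failure Code: 0x18\nClient Address: 10.0.0.25")
SAMPLE_EVENTS = ([(680, E680_MASTER)] * 3 + [(644, E644)] + [(675, E675)] * 2
                 + [(680, E680_OTHER), (528, "Successful Logon:")])

def parse_fields(text):
    """Split 'Label: value' lines of an event description into a dict."""
    pairs = re.findall(r"^[ \t]*([^:\n]+):[ \t]*(.*)$", text, re.M)
    return {key.strip(): value.strip() for key, value in pairs}

def tally(events):
    """Count events per (event ID, account, reported source); other IDs are skipped."""
    counts = Counter()
    for event_id, text in events:
        if event_id in FIELDS:
            fields = parse_fields(text)
            account_key, source_key = FIELDS[event_id]
            account = fields.get(account_key, "?").lower()
            source = fields.get(source_key, "?").lstrip("\\").upper()
            counts[(event_id, account, source)] += 1
    return counts

def unknown_workstations(counts, known_hosts):
    """Workstation names from 680/644 that match no inventoried machine.
    The name in an NTLM logon is supplied by the client, so it may not be a real host."""
    known = {host.upper() for host in known_hosts}
    return {src for (eid, _, src) in counts if eid in (680, 644) and src not in known}

if __name__ == "__main__":
    result = tally(SAMPLE_EVENTS)
    for key, n in result.most_common():
        print(n, key)
    print("not in inventory:", unknown_workstations(result, ["DC01", "WS042"]))
```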

