Hey everyone! I'm dealing with a frustrating issue here. We have a service running on one of our servers that keeps locking out a specific Active Directory account. The weird part is that this account hasn't logged into the server for over four years and it has no connection to this service at all. I've tried uninstalling the service, rebooting, and reinstalling it, but the lockouts keep happening. Whenever I disable the service, the account remains unlocked. I really need help on how to resolve this issue! I examined the logs, and here's what's showing up:
- **Account For Which Logon Failed:**
  - Security ID: NULL SID
  - Account Name: AV117207
  - Account Domain: INTDOM
- **Failure Information:**
  - Failure Reason: Unknown user name or bad password.
  - Status: 0xC000006D
  - Sub Status: 0xC000006A
- **Process Information:**
  - Caller Process ID: 0x370
  - Caller Process Name: C:\Windows\System32\lsass.exe
1 Answer
Make sure to check the event 4625 logs on your domain controller. They can provide insight into the logon attempts and tell you where the requests are coming from. Even if the failed logon is happening on your server, the AD logs can give you details about the calling computer, which could help narrow things down. You might find errors captured there that could lead to a resolution!
I wish I had access to the DC myself, but I have to lean on someone else for that info. I found a record of the 4625 errors sent to Splunk, and here's a snippet: it shows the failure reason as "Unknown user name or bad password" along with the process name that triggered it. Let me know what you think!
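For anyone working from exported 4625 records rather than the DC itself, here is an added example (not code from either poster) that groups failed logons for one account by calling computer, source address, logon type and process, which is the triage the answer describes. It assumes the events are available as Windows event XML; the host names and IP addresses in the sample are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# NTSTATUS codes that appear in the Status / Sub Status fields of event 4625
NTSTATUS = {
    "0xc000006d": "STATUS_LOGON_FAILURE",
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000064": "STATUS_NO_SUCH_USER",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}
LOGON_TYPES = {"2": "Interactive", "3": "Network", "4": "Batch",
               "5": "Service", "10": "RemoteInteractive"}

def parse_4625(xml_text):
    """Return the EventData fields of one 4625 event as a dict, else None."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        return None
    return {d.get("Name"): (d.text or "").strip()
            for d in root.iterfind("e:EventData/e:Data", NS)}

def summarize(events, account):
    """Count failures for `account` by (host, IP, logon type, process, sub status)."""
    counts = Counter()
    for xml_text in events:
        f = parse_4625(xml_text)
        if not f or f.get("TargetUserName", "").lower() != account.lower():
            continue
        sub = f.get("SubStatus", "")
        counts[(f.get("WorkstationName") or "-", f.get("IpAddress") or "-",
                LOGON_TYPES.get(f.get("LogonType"), f.get("LogonType")),
                f.get("ProcessName") or "-",
                NTSTATUS.get(sub.lower(), sub))] += 1
    return counts.most_common()

def make_event(user, host, ip, logon_type="3"):
    """Build a constructed 4625 event; host names and addresses are invented."""
    data = {"TargetUserName": user, "TargetDomainName": "INTDOM",
            "Status": "0xC000006D", "SubStatus": "0xC000006A",
            "LogonType": logon_type, "WorkstationName": host, "IpAddress": ip,
            "ProcessName": r"C:\Windows\System32\lsass.exe"}
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID></System>'
            f'<EventData>{body}</EventData></Event>')

SAMPLE_EVENTS = [make_event("AV117207", "APPSRV01", "10.0.0.25")] * 3 + [
    make_event("AV117207", "WS-0042", "10.0.0.77"),
    make_event("OTHERUSER", "APPSRV01", "10.0.0.25")]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_EVENTS, "AV117207"):
        print(n, *key)
```

The row with the highest count points at the machine and logon type to look at first; a logon type of Service or Batch there suggests a stored credential rather than a person typing a password.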