Tracking account lockout: Caller Machine Name blank - Windows NT



  1. Tracking account lockout: Caller Machine Name blank

    Hi, I've been trying to track down an NT account lockout for some time
    now. I've been using Microsoft's Account Lockout Tools to check the
    logs on our Domain Controllers and this is what I get:

    644,AUDIT SUCCESS,Security,Mon Jan 05 10:34:37 2004,\Everyone,User
    Account Locked Out:
    Target Account Name: firstname.lastname
    Target Account ID: %{S-1-5-21-1838296726-1315701342-1233803906-14800}
    Caller Machine Name:
    Caller User Name: PDC$
    Caller Domain: COMPANY
    Caller Logon ID: (0x0,0x3E7)

    I've changed a few names for privacy, but as you can see the Caller
    Machine Name is blank. Is there a way to track the account lockouts
    without turning on Kerberos logging or making any changes to the
    Domain Controllers? I'm fairly confident that it's not a workstation
    causing the lockouts and I don't recall any services running under the
    account on any servers.

    Help!
    Thanks

  2. Re: Tracking account lockout: Caller Machine Name blank

    paul.schwartzkopf@zipatoni.com (Paul) wrote in message news:...
    > Hi, I've been trying to track down an NT account lockout for some time
    > now. I've been using Microsoft's Account Lockout Tools to check the
    > logs on our Domain Controllers and this is what I get:
    >
    > 644,AUDIT SUCCESS,Security,Mon Jan 05 10:34:37 2004,\Everyone,User
    > Account Locked Out:
    > Target Account Name: firstname.lastname
    > Target Account ID: %{S-1-5-21-1838296726-1315701342-1233803906-14800}
    > Caller Machine Name:
    > Caller User Name: PDC$
    > Caller Domain: COMPANY
    > Caller Logon ID: (0x0,0x3E7)
    >
    > I've changed a few names for privacy, but as you can see the Caller
    > Machine Name is blank. Is there a way to track the account lockouts
    > without turning on Kerberos logging or making any changes to the
    > Domain Controllers? I'm fairly confident that it's not a workstation
    > causing the lockouts and I don't recall any services running under the
    > account on any servers.
    >
    > Help!
    > Thanks

    OK, looking at my own messages tipped me off to something. The blank
    Caller Machine Name pointed me in the direction of either something
    with the AD account itself or that the logins were coming from a
    machine whose name couldn't be determined. That led me to an OS X box
    that had the account bound to Active Directory. I turned the box off
    and the lockouts continued, so it wasn't the machine itself, so I
    looked to the binding. Not sure if there was some problem with the
    binding process, but after I unbound the account the lockouts have
    stopped. It did something "not good" to the AD account. Others in
    the company are bound and doing fine.
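
An added example, not part of the thread and not code from Microsoft's Account Lockout Tools: a Python parser for event 644 records in the text layout quoted in the first post, reporting per account how many lockouts carry a blank Caller Machine Name. The sample log, the account `other.user`, the host `WKSTN01` and the SID-free records are constructed, and the export is assumed to follow the layout shown in the post.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the record layout quoted in the thread (names are made up).
SAMPLE = r"""
644,AUDIT SUCCESS,Security,Mon Jan 05 10:34:37 2004,\Everyone,User Account Locked Out:
Target Account Name: firstname.lastname
Caller Machine Name:
Caller User Name: PDC$
642,AUDIT SUCCESS,Security,Mon Jan 05 11:02:10 2004,\Everyone,User Account Changed:
Target Account Name: other.user
644,AUDIT SUCCESS,Security,Mon Jan 05 14:51:02 2004,\Everyone,User Account Locked Out:
Target Account Name: other.user
Caller Machine Name: WKSTN01
644,AUDIT SUCCESS,Security,Tue Jan 06 09:12:44 2004,\Everyone,User Account Locked Out:
Target Account Name: firstname.lastname
Caller Machine Name:
"""

HEADER = re.compile(r"^(?P<id>\d+),[^,]*,[^,]*,(?P<when>[^,]+),")
FIELD = re.compile(r"^\s*(?P<key>[A-Za-z ]+):\s*(?P<val>.*)$")

def parse_lockouts(text):
    """Return one dict per event 644 record; records with other event IDs are skipped."""
    events, cur = [], None
    for line in text.splitlines():
        head, field = HEADER.match(line), FIELD.match(line)
        if head:
            # A new record starts here; keep it only if it is a lockout (644).
            cur = ({"when": datetime.strptime(head["when"], "%a %b %d %H:%M:%S %Y")}
                   if head["id"] == "644" else None)
            if cur:
                events.append(cur)
        elif cur is not None and field:
            cur[field["key"].strip()] = field["val"].strip()  # blank value stays ""
    return events

def blank_caller_report(events):
    """Per target account: lockouts seen, lockouts with no caller machine, named callers."""
    report = defaultdict(lambda: {"total": 0, "blank": 0, "machines": set()})
    for ev in events:
        row = report[ev.get("Target Account Name", "?")]
        row["total"] += 1
        if ev.get("Caller Machine Name"):
            row["machines"].add(ev["Caller Machine Name"].upper())
        else:
            row["blank"] += 1
    return dict(report)
```

Accounts where `blank` equals `total` are the ones a workstation-by-workstation search will not explain, which is the situation described in the reply above.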
