I had to track down an almost identical situation. My own domain admin
account was continuously locking up throughout the day, and it wasn't as
simple as a disconnected RDP session or a service running under my
credentials. Combing the event logs didn't help because all that was logged
were failed pre-authentication attempts that didn't list the source
machine.

I ended up enabling debug logging for the netlogon service on one of my DCs
(run "nltest /dbflag:0x2080ffff"). I then came across entries indicating
"Transitive network logon of <account name> from (via <client name>)...".
This basically meant the identified client was attempting to pass my
credentials from another source. While it didn't point me to the source of
the issue, knowing which client was passing my credentials allowed me to
think back to what I might have worked on that would have involved this
particular client.

In this case, the client was our SCOM SQL Server. I had deployed VMware
Operations Manager a few weeks back and we had set up a temporary custom
adapter, using my credentials, within the vCOPs custom UI to pull data from
our SCOM database and build custom dashboards. I modified the credentials
being used and the lockouts ceased.

- Sean
On Tue, Sep 10, 2013 at 6:53 AM, Webster <webs...@carlwebster.com> wrote:

>  I faced the same issue last week.  We were unable to determine the cause
> of the mysterious attempts to lock out the domain admin administrator
> account.  There were no services or scheduled tasks that used that account
> and even using “rundll32 keymgr.dll,KRShowKeyMgr” showed no cached
> credentials on any of the computers.
>
> The DC’s security event logs are being flooded with 0x12 and 0x18 errors
> for event IDs 675 and 680.
>
> I am interested in also seeing what the list suggests for tracking this
> down.
>
> Thanks
>
> Webster
>
> From: listsad...@lists.myitforum.com
> [mailto:listsad...@lists.myitforum.com] On Behalf Of David McSpadden
> Sent: Tuesday, September 10, 2013 9:25 AM
> To: ntsysadm@lists.myitforum.com
> Subject: [NTSysADM] Logon sniffing tool
>
> My machine is trying and failing to log into the domain about every 6
> minutes.
>
> What tool can I use to find the process, service, or program that is
> attempting to log in with a bad password?
>
> Windows 8 64 bit failing with a 2008 AD.
>
> Event id 675 code 0x18
>
> Thank you
>
> David W. McSpadden
>
> Begin Planning
> Arrange for Reconnaissance and Coordination
> Make Reconnaissance
> Complete Plan
> Issue Order
> Supervise
>
>
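
Sean's Netlogon-debug technique, scripted end to end. This is an added example and is not code from anyone in the thread: it turns on verbose Netlogon logging with the same flag value Sean used, waits for the lockout to recur, then groups the failed logons for one account by the host named in the "(via ...)" part of the SamLogon lines, which is the machine holding the stale credential. It assumes you run it in an elevated PowerShell prompt on the DC, that the log is at the default %SystemRoot%\debug\netlogon.log, and that your DC writes the SamLogon line format shown in the comments (the sample line, the account and the host names there are constructed for illustration; check one real line from your own log before trusting the pattern).

```powershell
# Added example, not from the thread. Automates the Netlogon-debug approach
# Sean describes: enable verbose Netlogon logging on a DC, let the lockout
# recur, then group the failed logons for one account by the relaying host.
# Assumptions: elevated prompt on the DC; default log path; SamLogon line
# format as in the constructed sample below.
param(
    [Parameter(Mandatory)] [string] $Account,                   # e.g. 'CONTOSO\jsmith' (illustrative)
    [string] $LogPath = "$env:SystemRoot\debug\netlogon.log",
    [int]    $CaptureSeconds = 600                              # long enough for one more lockout cycle
)

# Constructed sample of a Netlogon result line (the format this pattern expects):
#   09/10 08:53:12 [LOGON] [1236] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WKSTN01 (via SCOMSQL01) Returns 0xC000006A
# "from" may be blank, as it was in Sean's case, and "(via ...)" is absent for
# non-transitive logons, so both are optional here.
$pattern = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*SamLogon: (?<kind>.+?) logon of (?<acct>\S+) from (?<from>[^\s(]*)\s*(?:\(via (?<via>[^)]+)\))?\s*Returns (?<status>0x[0-9A-Fa-f]{8})'
$failures = @('0xC000006A',   # STATUS_WRONG_PASSWORD
              '0xC0000234')   # STATUS_ACCOUNT_LOCKED_OUT

nltest /dbflag:0x2080ffff | Out-Null          # the flag value Sean used
try {
    Start-Sleep -Seconds $CaptureSeconds

    # Keep only failed logons for the account we care about.
    $hits = Select-String -Path $LogPath -Pattern $pattern |
        ForEach-Object { $_.Matches[0] } |
        Where-Object {
            $_.Groups['acct'].Value -ieq $Account -and
            $_.Groups['status'].Value -in $failures
        } |
        ForEach-Object {
            [pscustomobject]@{
                Time   = $_.Groups['ts'].Value
                Kind   = $_.Groups['kind'].Value
                From   = $_.Groups['from'].Value
                Via    = $_.Groups['via'].Value
                Status = $_.Groups['status'].Value
            }
        }

    if (-not $hits) {
        Write-Warning "No failed logons for $Account in $LogPath during the capture window."
    } else {
        # The Via host (falling back to From when there is no relay) is the
        # machine to go and inspect for a stored or configured credential.
        $hits |
            Group-Object { if ($_.Via) { $_.Via } else { $_.From } } |
            Sort-Object Count -Descending |
            ForEach-Object {
                [pscustomobject]@{
                    Host     = $_.Name
                    Failures = $_.Count
                    First    = ($_.Group | Select-Object -First 1).Time
                    Last     = ($_.Group | Select-Object -Last 1).Time
                    Kinds    = ($_.Group.Kind | Sort-Object -Unique) -join ', '
                }
            } | Format-Table -AutoSize
    }
}
finally {
    nltest /dbflag:0x0 | Out-Null             # always switch verbose logging back off
}
```

Two practical notes: at this flag level netlogon.log fills quickly, so the `finally` block matters even if you interrupt the script, and a busy DC may already have rolled the log over to netlogon.bak by the time the capture window ends, in which case point `-LogPath` at that file as well. The host the script reports is where the credential is stored, not necessarily where the lockout "comes from" in the Security log, which is exactly the distinction that let Sean trace his SCOM SQL Server back to the vCOPs adapter.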
