Our built-in guest account gets locked out from time to time, generating 644 events in the DC’s security logs. I’m trying to determine how it can get locked out because the account is disabled. If I take a test box and hammer away at the guest account with bogus passwords I never get a lockout message, only “Your account has been disabled….”

Our account policy is as such:

Duration: 120m
Threshold: 5 attempts
Reset: 15 minutes

If I look at the caller machine, I see the same Event 515 (KSecDD) at the exact time the lockout occurs. I also see just seconds before, 2 528’s and 2 576’s, Network Service logon/logoff and privilege uses (primary token privilege). The computer accounts aren’t disabled. It feels like the client is just renewing its token, but why would that involve the guest account (renamed to netgst)?

Event ID          : 644
Event Importance  : Critical importance event
Date & Time       : 3/30/2006 - 7:37:40 AM
Rule Triggered    : User Account Locked Out - 644 - Outside N.O.T - Medium - Win2k/Win2003 DC
Computer          : AD6
Event Log         : Security
Event Source      : Security
Event Category    : Account Management
Event Type        : Success Audit
S.E.L.M. Event ID : 1143560217_000000004988749
User Name         : NT AUTHORITY\SYSTEM
Operating System  : Windows 2003 Domain Controller

User Account Locked Out:
      Target Account Name:    NetGst
      Target Account ID:            %{S-1-5-21-2142909598-1293495619-134157935-501}
      Caller Machine Name:    PP1174
      Caller User Name:       AD6$
      Caller Domain:          TCU
      Caller Logon ID:        (0x0,0x3E7)

More Information:
User account named NetGst (account ID %{S-1-5-21-2142909598-1293495619-134157935-501}) has been locked out by User AD6$ from domain TCU (machine named PP1174).

Event Type:       Success Audit
Event Source:    Security
Event Category: System Event
Event ID:           515
Date:                3/30/2006
Time:                7:37:40 AM
User:                NT AUTHORITY\SYSTEM
Computer:         PP1174
Description:
A trusted logon process has registered with the Local Security Authority. This logon process will be trusted to submit logon requests.

 Logon Process Name:   KSecDD

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

Bryan Lucas
Server Administrator
Texas Christian University
(817) 257-6971
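
An added example, not part of the original post: Python code that reads a 644 description in the layout quoted above, takes the RID at the end of the target SID (501 is the built-in Guest account whatever it has been renamed to), and lists the caller machine's events in the seconds before the lockout. The function names are hypothetical, and the event tuples and the 528/576 timestamps are constructed for illustration; only the 644 fields and the 515 time come from the post.

```python
import re
from datetime import datetime, timedelta

WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
FMT = "%m/%d/%Y %I:%M:%S %p"

# 644 description fields, copied from the event quoted in the post.
LOCKOUT_644 = """\
Target Account Name:    NetGst
Target Account ID:      %{S-1-5-21-2142909598-1293495619-134157935-501}
Caller Machine Name:    PP1174
Caller User Name:       AD6$
"""

# Constructed caller-side events: (computer, event id, timestamp).
# The 515 time is from the post; the 528/576 times are assumed ("seconds before").
CALLER_EVENTS = [
    ("PP1174", 528, "3/30/2006 7:37:36 AM"),
    ("PP1174", 576, "3/30/2006 7:37:36 AM"),
    ("PP1174", 528, "3/30/2006 7:37:37 AM"),
    ("PP1174", 576, "3/30/2006 7:37:37 AM"),
    ("PP1174", 515, "3/30/2006 7:37:40 AM"),
    ("PP1174", 528, "3/30/2006 7:12:03 AM"),  # same machine, outside the window
    ("PP2000", 528, "3/30/2006 7:37:39 AM"),  # constructed unrelated machine
]

def parse_644(text):
    """Return the account, SID, RID and caller machine from a 644 description."""
    fields = dict(re.findall(r"^\s*([A-Za-z ]+?):\s+(\S.*?)\s*$", text, re.M))
    sid = fields["Target Account ID"].strip("%{}")
    rid = int(sid.rsplit("-", 1)[1])  # last sub-authority identifies the account
    return {"account": fields["Target Account Name"], "sid": sid, "rid": rid,
            "well_known": WELL_KNOWN_RIDS.get(rid),
            "caller": fields["Caller Machine Name"]}

def correlate(lockout, when, events, window_s=10):
    """Caller-machine events within window_s seconds before the lockout, oldest first."""
    t0 = datetime.strptime(when, FMT)
    hits = []
    for computer, event_id, ts in events:
        delta = t0 - datetime.strptime(ts, FMT)
        if computer == lockout["caller"] and timedelta(0) <= delta <= timedelta(seconds=window_s):
            hits.append((event_id, int(delta.total_seconds())))
    return sorted(hits, key=lambda h: -h[1])

if __name__ == "__main__":
    lock = parse_644(LOCKOUT_644)
    print(lock)
    print(correlate(lock, "3/30/2006 7:37:40 AM", CALLER_EVENTS))
```

Each result pair is (event ID, seconds before the lockout), so a recurring sequence ahead of every 644 for the same RID stands out when the function is run over several lockouts.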

 
