So this one is puzzling me. Brand new 2003 R2 AD, all XPSP2 workstations. A few user accounts are getting continually locked out with Event 680, error code 0x0000006a (invalid password.)
The usual culprits don't seem to be at fault since there are no services or scheduled tasks running under the credentials that are getting locked out. It also doesn't seem to be workstation-specific, since the account lockouts follow these unlucky few from one workstations to another. Turning up USERENV logging to the "Oh holy schnikes that's going to generate a lot of entries" setting on the PDCe produces entries such as the following: "04/27 14:05:23 [LOGON] <DomainNetBIOSName>: SamLogon: Transitive Network logon of <DomainNetBIOSName>\<User1> from <WorkstationNetBIOSName> (via <MemberServerNetBIOSName>) Returns 0xC000006A" as well as 04/27 14:06:56 [LOGON] <DomainNetBIOSName>: SamLogon: Network logon of <DomainNetBIOSName>\<User2> from <WorkstationsNetBIOSName> Returns 0xC000006A In both cases, the bad password event was generated from the correct workstations while the users were logged on interactively. The only KB I found that was even -close- to relevant (305822) talked about disabling the XP "Welcome Screen", which isn't in use here. This doesn't "feel" like a password attack is going on, but I can't figure out where these errant bad passwords are coming from, or what else is distinguishing these few accounts from their counterparts who aren't experiencing lockout fun. -- ----------------------- Laura E. Hunter Microsoft MVP - Windows Server Networking Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll) List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
