Account getting locked out
It's a domain admin account, and I see that it gets locked out on a DC in a different state. But in the Event Viewer I don't see what is locking it out. There is no IP address that gets referenced in the actual event log within the Security section of the Windows logs. I am worried it's maybe a service that was configured somewhere or a mapped drive on a machine somewhere. I used lockoutstatus.exe, a Microsoft tool, to show me which DC is reporting the error. Does anyone have any tips on tracking down the source of this?
Here is the Event Viewer entry:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 1/11/2012 10:22:59 AM
Event ID: 4771
Task Category: Kerberos Authentication Service
Level: Information
Keywords: Audit Failure
User: N/A
Computer: DC1
Description:
Kerberos pre-authentication failed.
Account Information:
Security ID: TRADITION\Domain Account
Account Name: Domain Account
Service Information:
Service Name: krbtgt/Domain.int
Network Information:
Client Address: ::ffff:10.64.8.29
Client Port: 60281
Additional Information:
Ticket Options: 0x40810010
Failure Code: 0x18
Pre-Authentication Type: 2
Certificate Information:
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:
Certificate information is only provided if a certificate was used for pre-authentication.
Pre-authentication types, ticket options and failure codes are defined in RFC 4120.
If the ticket was malformed or damaged during transit and could not be decrypted, then many fields in this event might not be present.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4771</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14339</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2012-01-11T15:22:59.396Z" />
<EventRecordID>173254700</EventRecordID>
<Correlation />
<Execution ProcessID="644" ThreadID="340248" />
<Channel>Security</Channel>
<Computer>DC1</Computer>
<Security />
</System>
<EventData>
<Data Name="TargetUserName">Admin Account</Data>
<Data Name="TargetSid">S-1-5-21-515598468-4146697917-431630276-12243</Data>
<Data Name="ServiceName">krbtgt/Company Name</Data>
<Data Name="TicketOptions">0x40810010</Data>
<Data Name="Status">0x18</Data>
<Data Name="PreAuthType">2</Data>
<Data Name="IpAddress">::ffff:10.64.8.29</Data>
<Data Name="IpPort">60281</Data>
<Data Name="CertIssuerName">
</Data>
<Data Name="CertSerialNumber">
</Data>
<Data Name="CertThumbprint">
</Data>
</EventData>
</Event>
January 11th, 2012 5:20pm
Failure Code 0x18: Pre-authentication information was invalid
Usually means bad password
Generally, this occurs when something is mapped with an account and password. This can be something as simple as a mapped drive, cached password in a scheduled task or service.
Check the below link to troubleshoot
Account lockout issue
----------------
Also try the Netwrix tool to find out the account lockout:
http://www.netwrix.com/account_lockout_troubleshooting.html
and also Troubleshooting Account Lockouts on
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
--------------
Enable debug logging for the Net Logon service. Start at the PDC FSMO, which will tell you what DC, and that DC will tell you what server/client; then search the client/server for batch scripts, scheduled tasks, services or anything else that uses an account in the domain.
Refer to this KB: http://support.microsoft.com/?id=109626
Hope it helps.
Gopi Kiran | This posting is provided AS IS with no warranties, and confers no rights.
January 12th, 2012 1:49am
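The event XML quoted in the question carries `Status` and `IpAddress` fields. The following added example (not part of either post, and not code from Microsoft or Netwrix) parses exported 4771 events, unwraps the `::ffff:` IPv4-mapped address and counts 0x18 failures per account and source. The function names and the sample events are constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Kerberos error codes (RFC 4120) that can appear in the 4771 Status field.
KRB_STATUS = {0x12: "KDC_ERR_CLIENT_REVOKED", 0x17: "KDC_ERR_KEY_EXPIRED",
              0x18: "KDC_ERR_PREAUTH_FAILED", 0x25: "KRB_AP_ERR_SKEW"}

def normalize_ip(raw):
    """Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d); return other values unchanged."""
    try:
        addr = ipaddress.ip_address(raw.strip())
    except ValueError:
        return raw.strip()  # e.g. "-" when the field is empty
    mapped = getattr(addr, "ipv4_mapped", None)
    return str(mapped) if mapped is not None else str(addr)

def parse_4771(xml_text):
    """Return the triage fields of one 4771 event, or None for other event IDs."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4771":
        return None
    data = {d.get("Name"): (d.text or "").strip()
            for d in root.findall("e:EventData/e:Data", NS)}
    code = int(data["Status"], 16)
    return {"time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "dc": root.findtext("e:System/e:Computer", namespaces=NS),
            "account": data["TargetUserName"],
            "source": normalize_ip(data["IpAddress"]),
            "code": code, "reason": KRB_STATUS.get(code, hex(code))}

def failures_by_source(events):
    """Count bad-password failures (0x18) per (account, source address)."""
    hits = Counter()
    for ev in filter(None, map(parse_4771, events)):
        if ev["code"] == 0x18:
            hits[(ev["account"], ev["source"])] += 1
    return hits

# Constructed sample events, trimmed to the fields used above.
TEMPLATE = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>
<EventID>{eid}</EventID><TimeCreated SystemTime="2012-01-11T15:22:59.396Z" />
<Computer>DC1</Computer></System><EventData><Data Name="TargetUserName">Admin Account</Data>
<Data Name="Status">{status}</Data><Data Name="IpAddress">{ip}</Data></EventData></Event>"""
SAMPLE = [TEMPLATE.format(eid=e, status=s, ip=i) for e, s, i in [
    (4771, "0x18", "::ffff:10.64.8.29"), (4771, "0x18", "::ffff:10.64.8.29"),
    (4771, "0x12", "::ffff:10.64.8.29"), (4768, "0x0", "::1")]]

if __name__ == "__main__":
    print(failures_by_source(SAMPLE).most_common())
```
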