This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(80, 97%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ELB%3C/text%3E%3C/svg%3E)
I've got many user's lockout my limit is 20 bad password As you can see in the picture the event 4776 is present many times in the same minute it can't be an user attempt. Netlogon log are registering the pid but it is not possible catch it in the destination computer , the process associated is gone after the bad password event. Moreover on the client machine there is not in security event the error replicated i've done the same conclusions of Mr. Joe Alves here https://social.technet.microsoft.com/Forums/en-US/64c744f7-265c-46d4-a59e-35bafc17e3fd/kerberos-preauth-lockouts?forum=winserversecurity But I don't understand what it means whe he says "To fix it I created a normal domain account and used that on both servers." there is a particular procedure to follow? my accounts are all created with Active Direcry User and Computer ... Thank you Luca ![79631-image.png][1] [1]: /api/attachments/79631-image.png?platform=QnA
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 96%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EFF%3C/text%3E%3C/svg%3E)
Hi,
Any events logged on the source computer?
If not ,i would suggest you enable the audit policy on the source workstation as following:
If there are any progress, welcome to share here!
Best Regards,
The events of the guest machine during the lockout are clear (picture 1.png)
The events on the server are reporting all the failed attempts (2.png) in this case 7 in 5 seconds
With lockoutstatus I've noticed that the user count comes from 0 to 1 attempt browsing network folders but go to 11 when opening an empty word document
Can be KMS related?
Not sure about the reason.
More logs and information need to be collected.
Due to the security reason ,I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business
Best Regards,
Further investigations drives me to a network problem maybe related to ADFS
All my shared mapped drives are done with ADFS 6 (Windows 2019) when the monitored user try to open a network share the lockoutstatus count goes up sometimes with 2 other with 4 or 6 0xC000006A
The real weird thing is that in the netlogon log the pid mentioned
[LOGON] [3424] : SamLogon: Network logon of user from PC Entered
03/24 08:14:23 [LOGON] [3424] : SamLogon: Network logon of user from PC Returns 0xC000006A
will never appear in Procmon
i've started monitoring with this program the target machine but in 5 milion events the PID 3424 is missinig
so on with other PID'S ant other attempts
Hi,
If you have any updates ,welcome to share here!
Best Regards,
In NETLOGON log is shown the Thread not the PID
03/24 14:32:15 [LOGON] [9880] SamLogon: Network logon of user from PC Entered
03/24 14:32:15 [LOGON] [9880] SamLogon: Network logon of user from PCP Returns 0xC000006A
The PID is shown in the windows security events file of the pdc
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2021-03-24T13:32:26.441369800Z" />
<EventRecordID>81355893</EventRecordID>
<Correlation />
<Execution ProcessID="652" ThreadID="9880" />
<Channel>Security</Channel>
<Computer>serverzacmi1.zacmi.lan</Computer>
so the process incriminated is lssas.exe but what is wrong?
If you want professional help for the log analysis ,
I would suggest you contact Microsoft Customer Services and Support to get an efficient solution:
https://support.microsoft.com/en-in/hub/4343728/support-for-business
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(230.39999999999998, 33%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERB%3C/text%3E%3C/svg%3E)
Hello Luca,
Similar kind of problem we have faced recently with 5 active directory domain users. my lockout attempt limited to 5 times. And this becomes very frequent when this work-from-home situation started.
This might be due to multiple reasons I guess. Here is the step-by-step how I resolved it.
Domain controller > Event logs > Filter > 4740 (account lockout ) - (domain username)
Here you can get "Caller Computer Name"
:(The name of the computer account (e.g. Client34 ) from which the login attempt was generated)
Goto > Client34 System > Check if there are any network mapped drives and disconnect them.
The reason why we need to disconnect network mapped drives is when you first time saved the mapped drive you save the credentials so it won't ask the password even when you restarted the system. Consider you changed the domain user password and this mapped drive still tries to connect the network mapped drive with the same old password, after it attempted multiple times the account will be locked out.
2.Also check, you not logging into a temporary domain profile and make sure you logged into the system with an updated domain user password.
3.If you are using SSO, for domain and Outlook, Remove the saved credentials from the credentials manager and check.
Wishing you very good luck.
Regards,
Ram
Yes I think that this is the right way to go.
I can confirm that all the users have a laptop and a password policy
All the usere have changed their password
Our password policy is set to 20 attempts , microsoft suggest at least 10
https://learn.microsoft.com/it-it/windows/security/threat-protection/security-policy-settings/account-lockout-threshold
My further surveys has driven me to this article
https://learn.microsoft.com/it-it/windows/security/threat-protection/security-policy-settings/network-access-do-not-allow-storage-of-passwords-and-credentials-for-network-authentication
If I do that in domain's computer GPO the issue seems to disappear in all affectec machines
But there is an horrible side effect , if you do that in this way , it comes impossible to map drive with other creds because the Windows Credential are disabled!
https://forum.cristie.com/t/system-error-1312-a-specified-logon-session-does-not-exist/618
My first tests are showing 0 blocks 4740 but some 4776