SCCM Admin account constant lock out every few minutes

it-guru-vi-2020 1 Reputation point
2020-10-14T12:30:51.807+00:00

10/11 22:02:10 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:10 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:10 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:10 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:10 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:10 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:10 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:10 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:14 [MAILSLOT] [15752] Received ping from SCCM-SERVER(SCCM-SERVER) WVI20. (null) on UDP LDAP
10/11 22:02:14 [MISC] [15752] WVI20: Pack NextClosestSiteName into message 0
10/11 22:02:14 [MAILSLOT] [15752] WVI20: Ping response 'Sam Logon Response Ex' (null) to \SCCM-SERVER Site: DDMAIN on UDP LDAP
10/11 22:02:15 [MAILSLOT] [18460] Received ping from SCCM-SERVER(SCCM-SERVER) WVI20. (null) on UDP LDAP
10/11 22:02:15 [MISC] [18460] WVI20: Pack NextClosestSiteName into message 0
10/11 22:02:15 [MAILSLOT] [18460] WVI20: Ping response 'Sam Logon Response Ex' (null) to \SCCM-SERVER Site: DDMAIN on UDP LDAP
10/11 22:02:15 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:15 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:15 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:15 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:15 [MAILSLOT] [18460] Received ping from SCCM-SERVER(SCCM-SERVER) WVI20. (null) on UDP LDAP
10/11 22:02:15 [MISC] [18460] WVI20: Pack NextClosestSiteName into message 0
10/11 22:02:15 [MAILSLOT] [18460] WVI20: Ping response 'Sam Logon Response Ex' (null) to \SCCM-SERVER Site: DDMAIN on UDP LDAP
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\NAC-USER from JCIFS0_175_44 (via ARCGIS) Entered
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\NAC-USER from JCIFS0_175_44 (via ARCGIS) Returns 0x0
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:16 [MAILSLOT] [15752] Received ping from (null)((null)) (null) (null) on UDP LDAP
10/11 22:02:16 [MAILSLOT] [15752] WVI20: Ping response 'Sam Logon Response Ex' (null) to (null) Site: DWEPLANT on UDP LDAP
10/11 22:02:16 [MAILSLOT] [15752] Received ping from (null)((null)) (null) (null) on UDP LDAP
10/11 22:02:16 [MAILSLOT] [15752] WVI20: Ping response 'Sam Logon Response Ex' (null) to (null) Site: DWEPLANT on UDP LDAP
10/11 22:02:16 [MAILSLOT] [15752] Received ping from (null)((null)) (null) (null) on UDP LDAP
10/11 22:02:16 [MAILSLOT] [15752] WVI20: Ping response 'Sam Logon Response Ex' (null) to (null) Site: DWEPLANT on UDP LDAP
10/11 22:02:16 [MAILSLOT] [18460] Received ping from (null)((null)) (null) (null) on UDP LDAP
10/11 22:02:16 [MAILSLOT] [18460] WVI20: Ping response 'Sam Logon Response Ex' (null) to (null) Site: DWEPLANT on UDP LDAP
10/11 22:02:16 [MAILSLOT] [15752] Received ping from (null)((null)) (null) (null) on UDP LDAP
10/11 22:02:16 [MAILSLOT] [15752] WVI20: Ping response 'Sam Logon Response Ex' (null) to (null) Site: DWEPLANT on UDP LDAP
10/11 22:02:16 [MAILSLOT] [18460] Received ping from (null)((null)) (null) (null) on UDP LDAP
10/11 22:02:16 [MAILSLOT] [18460] WVI20: Ping response 'Sam Logon Response Ex' (null) to (null) Site: DWEPLANT on UDP LDAP
10/11 22:02:16 [MAILSLOT] [18460] Received ping from (null)((null)) (null) (null) on UDP LDAP
10/11 22:02:16 [MAILSLOT] [18460] WVI20: Ping response 'Sam Logon Response Ex' (null) to (null) Site: DWEPLANT on UDP LDAP
10/11 22:02:16 [MAILSLOT] [18460] Received ping from (null)((null)) (null) (null) on UDP LDAP
10/11 22:02:16 [MAILSLOT] [18460] WVI20: Ping response 'Sam Logon Response Ex' (null) to (null) Site: DWEPLANT on UDP LDAP
10/11 22:02:16 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:16 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:16 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:16 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:16 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:16 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
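The log above is the Netlogon debug log (netlogon.log) of a domain controller. Every SamLogon line in the excerpt returns 0x0, i.e. these are successful pass-through logons, and the "from X (via Y)" part names the workstation the client itself reported and the member server that forwarded the request to the DC. What follows is an added example, not part of the original post: a PowerShell parser for that line format that keeps the return code and the from/via chain and summarises only the failing attempts per account and source. The function names, the code table and the lines marked as constructed (the sccm_admin / ADMIN-PC01 failures) are mine; the excerpt itself contains no failing line.

```powershell
# Added example, not from the original post: parse netlogon.log SamLogon lines
# into objects and summarise failed attempts by account and by the
# "from CLIENT (via SERVER)" chain. Plain text processing, no domain access.

# NTSTATUS codes Netlogon reports for the usual lockout-related outcomes.
$NetlogonCodes = @{
    '0x0'        = 'success'
    '0xC000006A' = 'wrong password (STATUS_WRONG_PASSWORD)'
    '0xC000006D' = 'logon failure (STATUS_LOGON_FAILURE)'
    '0xC0000064' = 'no such user (STATUS_NO_SUCH_USER)'
    '0xC0000234' = 'account locked out (STATUS_ACCOUNT_LOCKED_OUT)'
}

function ConvertFrom-NetlogonLog {
    param([string[]]$Lines)
    # Matches the "Returns <code>" line of a SamLogon entry; "Entered" lines are skipped.
    $rx = '^(?<time>\S+ \S+) \[LOGON\] \[\d+\] (?<dom>\S+): SamLogon: (?<kind>.+?) logon of ' +
          '(?<acct>\S+) from (?<from>\S+)(?: \(via (?<via>[^)]+)\))? Returns (?<rc>0x[0-9A-Fa-f]+)$'
    foreach ($line in $Lines) {
        if ($line -notmatch $rx) { continue }
        $code   = '0x' + $Matches.rc.Substring(2).ToUpper()
        $reason = if ($NetlogonCodes.ContainsKey($code)) { $NetlogonCodes[$code] } else { 'unknown' }
        [pscustomobject]@{
            Time    = $Matches.time
            Kind    = $Matches.kind
            Account = $Matches.acct
            From    = $Matches.from   # workstation name supplied by the client (self-reported, not verified)
            Via     = $Matches.via    # member server that passed the request to this DC, if any
            Code    = $code
            Reason  = $reason
            Failed  = ($code -ne '0x0')
        }
    }
}

function Get-NetlogonFailureSummary {
    param([string[]]$Lines)
    ConvertFrom-NetlogonLog -Lines $Lines |
        Where-Object { $_.Failed } |
        Group-Object Account, From, Via |
        ForEach-Object {
            [pscustomobject]@{
                Account  = $_.Group[0].Account
                From     = $_.Group[0].From
                Via      = $_.Group[0].Via
                Failures = $_.Count
                Reasons  = ($_.Group.Reason | Sort-Object -Unique) -join '; '
            }
        } | Sort-Object Failures -Descending
}

# Constructed sample: three lines in the format of the excerpt above, plus
# invented failures for sccm_admin from ADMIN-PC01 forwarded by SCCM-SERVER.
$sample = @'
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Entered
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\SCCM-SERVER$ from SCCM-SERVER (via SCCM-SERVER-SQL) Returns 0x0
10/11 22:02:15 [LOGON] [11040] WVI20: SamLogon: Transitive Network logon of WVI20\NAC-USER from JCIFS0_175_44 (via ARCGIS) Returns 0x0
10/11 22:02:17 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\sccm_admin from ADMIN-PC01 (via SCCM-SERVER) Returns 0xC000006A
10/11 22:02:18 [LOGON] [7732] WVI20: SamLogon: Transitive Network logon of WVI20\sccm_admin from ADMIN-PC01 (via SCCM-SERVER) Returns 0xC000006A
10/11 22:02:19 [LOGON] [7732] WVI20: SamLogon: Network logon of WVI20\sccm_admin from SCCM-SERVER Returns 0xC0000234
'@ -split "`r?`n"

Get-NetlogonFailureSummary -Lines $sample | Format-Table -AutoSize

# On a DC with Netlogon debug logging enabled (nltest /dbflag:0x2080ffff), run it
# over the real file:
# Get-NetlogonFailureSummary -Lines (Get-Content C:\Windows\debug\netlogon.log)
```

Because the "from" name is whatever the client wrote into its NTLM request, treat it as a lead to be confirmed against the source IP in the member server's own 4625 events rather than as proof of origin; the "via" name, by contrast, is the secure-channel partner the DC actually talked to.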


5 answers

  1. Anonymous
    2020-10-15T03:03:19.797+00:00

    Hi,
    Thanks for posting here!
    Before going further, would you please confirm the following questions to narrow down the issue.

    Usually, for troubleshooting an account lockout issue, we follow the general troubleshooting steps below. For your reference:
    Is the account a domain account?
    If yes, refer to the following steps for troubleshooting:

    1. Enable audit policies on each DC, then gather the audit events from the PDC and check for event 4740. If no account lockout event is logged,
    we need to configure the audit policy on all DCs under [Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit account management]
    2. According to the audit events on the PDC, determine which clients or DCs sent the failed authentication request. If the failed authentication request was sent by a DC, then we should gather the audit events on that DC, so we can find out which clients sent the BAD password.
    3. After we get the workstation's IP, we need to enable Audit Logon Events – Failure and Audit Process Tracking for this client, then analyze the event log to find out which process or app sends the BAD password. Normally, Event 4625 will log the process which causes the lockout.
    Note: we need to increase the security log size before we enable auditing. It will overwrite the previous log when the security log size is too small.

    Fan

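As an added example, not part of Fan's answer or of anything else in this thread: a PowerShell script that runs the three steps above against the live Security logs with Get-WinEvent, using the EventData field order that the 4740 and 4776 events in this thread show. The parameter names, the Format-NtStatus helper and the 24-hour window are mine; it assumes the RSAT ActiveDirectory module, remote Security-log read access to the DCs and the caller computer, and that the failure auditing step 3 describes is already enabled on the caller. One caveat to keep in mind: the 4776 "Source Workstation" and the 4740 "Caller Computer Name" both identify the machine that handed the NTLM request to the DC, which can itself be a member server relaying for another client, so step 3 on that machine, where 4625 records the logon type and source IP, is what points at the real origin.

```powershell
# Added example (not from this thread): follow the lockout chain the answer
# above describes, step by step, with Get-WinEvent.
#   1. 4740 on the PDC emulator  -> which computer reported the lockout
#   2. 4776 failures on each DC  -> which workstation sent the bad password
#   3. 4625 on the caller        -> which process / source IP on that machine
# Assumptions: run from a domain-joined admin host with the RSAT ActiveDirectory
# module, remote Security-log read access to the DCs and the caller, and
# failure auditing already enabled on the caller. $Account and $Hours are
# example parameters; 'sccm_admin' is the account named in the thread.
param(
    [string]$Account = 'sccm_admin',
    [int]$Hours = 24
)
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)

# Property positions below follow the EventData order in the event XML posted
# in this thread (4740: TargetUserName, TargetDomainName, ...;
# 4776: PackageName, TargetUserName, Workstation, Status) and the standard
# 4625 layout (TargetUserName=5, SubStatus=9, LogonType=10, ProcessName=18,
# IpAddress=19). Status values arrive as a hex string or an integer depending
# on the provider version, so normalise to upper-case hex before comparing.
function Format-NtStatus([object]$Value) { '0x{0:X8}' -f [uint32]$Value }

# Step 1: every lockout is forwarded to the PDC emulator, so 4740 is complete there.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since
} -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $Account }

Write-Host "== 4740 lockouts for $Account on $pdc =="
$lockouts | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Caller = $_.Properties[1].Value   # 'Caller Computer Name' in the rendered event
    }
} | Format-Table -AutoSize

# Step 2: NTLM validation (4776) is logged on whichever DC the member server
# used, not only on the PDC, so sweep all DCs for 0xC000006A (wrong password).
$badPw = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4776; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Properties[1].Value -eq $Account -and
            (Format-NtStatus $_.Properties[3].Value) -eq '0xC000006A'
        } |
        ForEach-Object {
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; Workstation = $_.Properties[2].Value }
        }
}

Write-Host "== 4776 wrong-password events per source workstation =="
$badPw | Group-Object Workstation | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

# Step 3: on the caller computer, 4625 carries the logon type, the calling
# process (for local attempts) and the source IP (for network attempts).
# This only works if 'Audit Logon' failures are being collected there.
$caller = ($lockouts | Select-Object -First 1).Properties[1].Value
if ($caller) {
    Write-Host "== 4625 failures for $Account on $caller =="
    # Properties[5] is TargetUserName for 4625.
    Get-WinEvent -ComputerName $caller -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $since
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                LogonType = $_.Properties[10].Value
                SubStatus = Format-NtStatus $_.Properties[9].Value
                Process   = $_.Properties[18].Value
                SourceIP  = $_.Properties[19].Value
            }
        } | Format-Table -AutoSize
}
```

Run it as `.\Find-LockoutSource.ps1 -Account sccm_admin -Hours 6` (the file name is arbitrary). A SubStatus of 0xC000006A with logon type 3 and a non-local SourceIP in the step 3 table means another host is presenting the stale password through the caller; logon type 4 or 5 with a ProcessName means a scheduled task or service on the caller itself still holds it.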

  2. it-guru-vi-2020 1 Reputation point
    2020-10-17T22:53:08.307+00:00

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 10/17/2020 6:27:25 PM
    Event ID: 4740
    Task Category: User Account Management
    Level: Information
    Keywords: Audit Success
    User: N/A
    Computer: dc1domain.com
    Description:
    A user account was locked out.

    Subject:
    Security ID: SYSTEM
    Account Name: DC1$
    Account Domain: DOMAIN.COM
    Logon ID: 0x3E7

    Account That Was Locked Out:
    Security ID: DOMAIN.COM\sccm_admin
    Account Name: sccm_admin

    Additional Information:
    Caller Computer Name: sccm-server
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4740</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>13824</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2020-10-17T22:27:25.990909200Z" />
    <EventRecordID>240465876</EventRecordID>
    <Correlation />
    <Execution ProcessID="700" ThreadID="15788" />
    <Channel>Security</Channel>
    <Computer>dc1domain.com</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="TargetUserName">sccm_admin</Data>
    <Data Name="TargetDomainName">sccm-server</Data>
    <Data Name="TargetSid">S-1-5-21-322582796-119656006-1590880864-61635</Data>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC1$</Data>
    <Data Name="SubjectDomainName">DOMAIN.COM</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    </EventData>
    </Event>

    Log Name: Security
    Source: Microsoft-Windows-Security-Auditing
    Date: 10/17/2020 6:27:25 PM
    Event ID: 4776
    Task Category: Credential Validation
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: dc1domain.com
    Description:
    The computer attempted to validate the credentials for an account.

    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Logon Account: sccm_admin
    Source Workstation: sccm-server
    Error Code: 0xC000006A
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
    <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4776</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>14336</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2020-10-17T22:27:25.924094800Z" />
    <EventRecordID>240465875</EventRecordID>
    <Correlation />
    <Execution ProcessID="700" ThreadID="15788" />
    <Channel>Security</Channel>
    <Computer>dc1domain.com</Computer>
    <Security />
    </System>
    <EventData>
    <Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="TargetUserName">sccm_admin</Data>
    <Data Name="Workstation">sccm-server</Data>
    <Data Name="Status">0xc000006a</Data>
    </EventData>
    </Event>


  3. it-guru-vi-2020 1 Reputation point
    2020-10-17T22:55:01.957+00:00

    (attached image: 33038-image.png)


  4. it-guru-vi-2020 1 Reputation point
    2020-10-17T22:55:27.683+00:00

    (Reposts the same 4740 and 4776 events, record IDs 240465876 and 240465875, shown in the answer above.)

  5. Anonymous
    2020-10-19T00:17:46.72+00:00

    Hi,

    From the 4740 event, the caller computer is the sccm-server.
    Was Event 4625 found on the sccm-server?
    If not, please enable Audit Logon Events – Failure and Audit Process Tracking for this client, then analyze the event log to find out which process or app sends the BAD password. Normally, Event 4625 will log the process which causes the lockout.

    Best Regards,

