getting locked out with SeProfileSingleProcessPrivilege Chrome.exe

Anonymous
2024-09-06T02:50:16+00:00

Audit Failure 9/5/2024 7:36:22 PM Microsoft Windows security auditing. 4673 Sensitive Privilege Use
I have been getting locked out of my domain account consistently for months. I get locked out of Windows first thing in the morning and throughout the day. I get locked out of SSO accounts, AD, etc. randomly. The above Event I noticed popping up continuously. Any ideas?

***moved from Windows / Windows 11 / Performance and system failures***


1 answer

  1. Anonymous
    2024-09-09T06:54:09+00:00

    Hi MCCarver469,

    Thank you for posting in the Microsoft Community Forums.

    First of all, please refer to the following steps for account lockout troubleshooting:

    1. First of all, you can check and enable the following logon audit on all DCs, so that we can easily check the protocols and client hostnames or IP addresses that failed to authenticate in the future. It is recommended to enable the following audit policy on all domain controllers:

       GPO: Default Domain Controller

       Traditional Audit Policies: Computer Configuration\Windows settings\security settings\local policies\audit policy

       - Audit Account Logon Events - Failure
       - Audit Account Management - Success and Failure
       - Audit Logon Events - Failure

       Or use the advanced audit policy (advanced audit policy overrides the traditional audit policy by default):

       Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration

       Logon/Logoff:

       - Audit Account Lockout - Failure
       - Audit Logon - Failure
       - Audit Kerberos Authentication Service - Failure
       - Audit Credential Validation - Failure

       Account Management:

       - Audit User Account Management - Success and Failure

       We can open CMD with administrator privileges on the domain controller and run the following commands to force the policy to be refreshed and to check that the relevant audits are turned on.

       gpupdate /force

       auditpol /get /category:*
      

    3. Then check the security log on the corresponding DC and analyze events such as 4740 (account lockout), 4771 (Kerberos authentication) and 4776 (NTLM authentication); you can filter them with the syntax: [System[(EventID=4771 or EventID=4776 or EventID=4740)]] and *[EventData[Data and (Data='user account')]]

    First, find the time of the account lockout from the 4740 event in the DC's security log, then look at the few 4771 or 4776 events near that 4740 event (they contain the user's account name and an error code of 0x18 or 0xc000006a).

    4673(S, F) A privileged service was called. - Windows 10 | Microsoft Learn

    Best regards

    Neuvi

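The correlation the answer describes in step 3 (4740 lockout time, then nearby 4771/4776 failures for the same account with status 0x18 or 0xc000006a) as a PowerShell script; this is an added example, not code from the original answer or from Microsoft. It assumes it runs in an elevated PowerShell on the DC that logged the 4740, and the `$SamAccountName`, `$WindowMinutes` and `$LookbackHours` parameters are assumptions, not values from the page.

```powershell
# Added example, not part of the original answer: find 4740 lockouts for one account on a DC
# and pull the 4771 (Kerberos, Status 0x18) / 4776 (NTLM, Status 0xc000006a) failures
# around each one, so the protocol and the client host/IP that sent bad credentials show up.
# Run in an elevated PowerShell on the DC that logged the 4740. $SamAccountName, $WindowMinutes
# and $LookbackHours are assumed parameters, not values from the page.
param(
    [Parameter(Mandatory)] [string] $SamAccountName,
    [int] $WindowMinutes = 5,
    [int] $LookbackHours = 24
)

# Flatten an event's <EventData><Data Name=...> fields into a name -> value hashtable.
function ConvertTo-EventDataHash {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($n in $xml.Event.EventData.Data) { $h[$n.Name] = $n.'#text' }
    return $h
}

$since = (Get-Date).AddHours(-$LookbackHours)
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (ConvertTo-EventDataHash $_)['TargetUserName'] -eq $SamAccountName }

foreach ($lockout in $lockouts) {
    $d = ConvertTo-EventDataHash $lockout
    # In 4740 the Caller Computer Name is carried in the TargetDomainName field.
    [pscustomobject]@{ Time = $lockout.TimeCreated; Event = 4740; Account = $d['TargetUserName']
                       Source = $d['TargetDomainName']; Status = 'locked out' }

    # Look a few minutes either side of the lockout for the failed authentications that caused it.
    $filter = @{ LogName = 'Security'; Id = 4771, 4776
                 StartTime = $lockout.TimeCreated.AddMinutes(-$WindowMinutes)
                 EndTime   = $lockout.TimeCreated.AddMinutes($WindowMinutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $e = ConvertTo-EventDataHash $_
        # 4771 reports the client IpAddress; 4776 reports the source Workstation name.
        $src = if ($_.Id -eq 4771) { $e['IpAddress'] } else { $e['Workstation'] }
        if ($e['TargetUserName'] -eq $SamAccountName -and $e['Status'] -in '0x18', '0xc000006a') {
            [pscustomobject]@{ Time = $_.TimeCreated; Event = $_.Id; Account = $e['TargetUserName']
                               Source = $src; Status = $e['Status'] }
        }
    }
}
```

Pipe the output to `Format-Table` or `Export-Csv` and repeat on each DC (4740 is raised on the DC that processed the bad attempt and on the PDC emulator), since the Source column of the 4771/4776 rows is what identifies the machine or application still holding the old credentials.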