PDC Emulator
We will be looking at the Security event log of the Domain Controller holding the PDC emulator role, because it is the authority on password validity and is responsible for processing failed user authentications (expired password, wrong password, locked-out account, and so on). The PDC emulator rejects the bad password and increments badPwdCount on that user object.
Event ID 680 Error Code Matrix
Event ID 680 is a Security event that carries a range of return codes specific to account lockouts, from 0xC000006A to 0xC0000234. These codes are associated with event ID 680 and are valuable for diagnosing the root cause. The event logs the success or failure of an attempt to log on to a system by a local or remote process using a system or user account.
The following table is the matrix of return codes:
| Return code | Meaning |
|---|---|
| 0x0 | Successful login |
| 0xC0000064 | The specified user does not exist |
| 0xC000006A | The value provided as the current password is not correct |
| 0xC000006C | Password policy not met |
| 0xC000006D | The attempted login is invalid due to a bad username |
| 0xC000006E | User account restrictions have prevented successful login |
| 0xC000006F | The user account has time restrictions and may not be logged onto at this time |
| 0xC0000070 | The user is restricted and may not log on from the source workstation |
| 0xC0000071 | The user account's password has expired |
| 0xC0000072 | The referenced account is currently disabled |
| 0xC000009A | Insufficient system resources |
| 0xC0000193 | The user's account has expired |
| 0xC0000224 | User must change his password before he logs on the first time |
| 0xC0000234 | The user account has been automatically locked |
Identify Domain Controller Holding PDC Role
The Nltest or dsquery command-line tools can be used to identify which domain controller holds the PDC emulator role when you have more than one domain controller in your domain. Install the Support Tools if you are not able to run Nltest.exe on your system. If you prefer dsquery and want to run it from a Windows XP or Vista client, install Adminpack.msi on that machine.
C:\>nltest /dclist:Domain
Get list of DCs in domain 'Domain' from '\\ PDC_DC'.
PDC_DC2.Domain.com [DS] Site: EMEA
PDC_DC.Domain.com [PDC] [DS] Site: EMEA
The command completed successfully
C:\>dsquery server -hasfsmo pdc
"CN=PDC_DC,CN=Servers,CN=EMEA,CN=Sites,CN=Configuration,DC=Domain,DC=com"
Account Lockout Troubleshooting Steps
By tracking the following event IDs you can detect unauthorized attempts to log on to your systems and troubleshoot authentication issues such as account lockouts.
Event ID 680
Event ID 680 shows that user ‘domainUser’ on machine ‘SERVERS’ attempted to log on to a system but supplied the wrong password, as the generated ‘Error Code: 0xC000006A’ indicates.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2/18/2009
Time: 8:14:03 PM
User: NT AUTHORITY\SYSTEM
Computer: PDC_DC
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: domainUser
Source Workstation: SERVERS
Error Code: 0xC000006A
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event ID 529
Event ID 529 is triggered after event ID 680 is logged. It states the reason for the failed logon and also indicates the logon type. Logon Type 3 denotes an attempt to access the system from elsewhere on the network, as with most shared-folder access.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 529
Date: 2/18/2009
Time: 8:14:03 PM
User: NT AUTHORITY\SYSTEM
Computer: PDC_DC
Description:
Logon Failure:
Reason: Unknown user name or bad password
User Name: domainUser
Domain: SERVERS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVERS
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event ID 644
Several attempts to log on to a remote system with the wrong credentials result in an account lockout, depending on your account lockout policy. You will see event ID 644 triggered for the user account lockout.
Event Type: Success Audit
Event Source: Security
Event Category: Account Management
Event ID: 644
Date: 2/18/2009
Time: 8:14:04 PM
User: NT AUTHORITY\SYSTEM
Computer: PDC_DC
Description:
User Account Locked Out:
Target Account Name: domainUser
Target Account ID: DOMAIN\domainUser
Caller Machine Name: SERVERS
Caller User Name: PDC_DC$
Caller Domain: DOMAIN
Caller Logon ID: (0x0,0x3E7)
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event ID 680
If event ID 644 is ignored and the user continues to log on remotely with the wrong credentials, event ID 680 is triggered again with a different Error Code, 0xC0000234, stating that the user account has been automatically locked.
Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 680
Date: 2/18/2009
Time: 8:14:04 PM
User: NT AUTHORITY\SYSTEM
Computer: PDC_DC
Description:
Logon attempt by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: domainUser
Source Workstation: SERVERS
Error Code: 0xC0000234
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
Event ID 539
Finally, event ID 539 indicates the reason the user is being denied access to a particular system.
Event Type: Failure Audit
Event Source: Security
Event Category: Logon/Logoff
Event ID: 539
Date: 2/18/2009
Time: 8:14:04 PM
User: NT AUTHORITY\SYSTEM
Computer: PDC_DC
Description:
Logon Failure:
Reason: Account locked out
User Name: domainUser
Domain: SERVERS
Logon Type: 3
Logon Process: NtLmSsp
Authentication Package: NTLM
Workstation Name: SERVERS
For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
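The sequence walked through above (680 with 0xC000006A, then 644, then 680 with 0xC0000234, then 539) and the return-code matrix earlier on this page, as an added Python example that is not part of the original post. It assumes the Security log has been saved in the text layout shown in these records; the SAMPLE_LOG constant is constructed from the page's own four records (trimmed to the fields used), and the function names are the example's own. Besides translating a 680 error code, it builds a per-account timeline of the lockout and counts bad-password failures per source workstation, which is the figure you actually need to find the machine holding the stale or wrong credential.

```python
"""Added example (not from the original post): correlate Security-log records in the text layout shown above."""
from collections import defaultdict

# Event ID 680 return-code matrix, copied from the table on this page.
EVENT_680_CODES = {
    0x0: "Successful login",
    0xC0000064: "The specified user does not exist",
    0xC000006A: "The value provided as the current password is not correct",
    0xC000006C: "Password policy not met",
    0xC000006D: "The attempted login is invalid due to a bad username",
    0xC000006E: "User account restrictions have prevented successful login",
    0xC000006F: "The user account has time restrictions and may not be logged onto at this time",
    0xC0000070: "The user is restricted and may not log on from the source workstation",
    0xC0000071: "The user account's password has expired",
    0xC0000072: "The referenced account is currently disabled",
    0xC000009A: "Insufficient system resources",
    0xC0000193: "The user's account has expired",
    0xC0000224: "User must change his password before he logs on the first time",
    0xC0000234: "The user account has been automatically locked",
}

# Constructed sample: the page's 680 / 644 / 680 / 539 records, trimmed to the fields used below.
SAMPLE_LOG = """
Event Type: Failure Audit
Event ID: 680
Time: 8:14:03 PM
Logon account: domainUser
Source Workstation: SERVERS
Error Code: 0xC000006A
Event Type: Success Audit
Event ID: 644
Time: 8:14:04 PM
Target Account Name: domainUser
Caller Machine Name: SERVERS
Event Type: Failure Audit
Event ID: 680
Time: 8:14:04 PM
Logon account: domainUser
Source Workstation: SERVERS
Error Code: 0xC0000234
Event Type: Failure Audit
Event ID: 539
Time: 8:14:04 PM
Reason: Account locked out
User Name: domainUser
Logon Type: 3
Workstation Name: SERVERS
"""

def code_meaning(error_code):
    """Translate an Event 680 'Error Code' string such as '0xC000006A' via the matrix."""
    code = int(error_code, 16)
    return EVENT_680_CODES.get(code, "Unrecognised return code 0x%08X" % code)

def parse_records(text):
    """One dict (field -> value) per event; a record starts at each 'Event Type:' line."""
    records, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Event Type:"):
            current = {}
            records.append(current)
        if current is None or ":" not in line or line.startswith(("For more", "http")):
            continue
        key, _, value = line.partition(":")
        if value.strip():  # valueless section headers such as 'Description:' are skipped
            current[key.strip()] = value.strip()
    return records

def lockout_timeline(records):
    """Per account, the ordered (event id, time, explanation) sequence; each event type names the account differently."""
    timeline = defaultdict(list)
    for rec in records:
        eid = rec["Event ID"]
        if eid == "680":
            account = rec["Logon account"]
            what = "%s from %s: %s" % (rec["Error Code"], rec["Source Workstation"],
                                       code_meaning(rec["Error Code"]))
        elif eid == "644":
            account = rec["Target Account Name"]
            what = "locked out; caller machine %s" % rec["Caller Machine Name"]
        elif eid in ("529", "539"):
            account = rec["User Name"]
            what = "%s (logon type %s from %s)" % (
                rec["Reason"], rec["Logon Type"], rec["Workstation Name"])
        else:
            continue
        timeline[account].append((eid, rec["Time"], what))
    return dict(timeline)

def bad_password_sources(records):
    """Count 0xC000006A failures per account and source workstation (where the bad credential is coming from)."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in records:
        if rec["Event ID"] == "680" and int(rec["Error Code"], 16) == 0xC000006A:
            counts[rec["Logon account"]][rec["Source Workstation"]] += 1
    return {acct: dict(src) for acct, src in counts.items()}

if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print(lockout_timeline(recs), bad_password_sources(recs))
```

Run against a larger export, bad_password_sources is the first thing to look at: a single workstation accumulating 0xC000006A failures for one account points at a cached credential, a scheduled task or a mapped drive using the old password, while failures spread across many accounts from one source is the pattern that deserves an incident response look rather than a password reset.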