12 Replies Latest reply on May 14, 2015 10:53 AM by Brian.Hoffman

    Scheduler Account Audit errors lead to account lockout

    Apprentice

      Here is a copy of the error when reviewing the security logs.  I have gone over all areas of this doc multiple times.How user accounts can get locked out when using LANDesk Management Suite so please do not refer me to it.

       

      I DO HAVE A TICKET IN FOR THIS FOR OVER 4 MONTHS. I was hoping a collective mind might have some other answers for why this domain account (ldservice) gets locked out. The password never changes and it has never changed since install of landesk ver 9.0.

      As you can see it hits that account a lot. A drink of your choice at Interchange 2015 to whomever that can solve this error for me.

      Here are the details of the logs:

      An account failed to log on.

      Subject:
      Security ID:  NULL SID
      Account Name:  -
      Account Domain:  -
      Logon ID:  0x0

      Logon Type:   3

      Account For Which Logon Failed:
      Security ID:  NULL SID
      Account Name:  ldservice
      Account Domain:  nt.ccneb.edu

      Failure Information:
      Failure Reason:  Unknown user name or bad password.
      Status:   0xc000006d
      Sub Status:  0xc0000064

      Process Information:
      Caller Process ID: 0x0
      Caller Process Name: -

      Network Information:
      Workstation Name: VRKIRKLAND7
      Source Network Address: 10.6**.***.09
      Source Port:  63884

      Detailed Authentication Information:
      Logon Process:  NtLmSsp
      Authentication Package: NTLM
      Transited Services: -
      Package Name (NTLM only): -
      Key Length:  0

       

      Then it leads to this error:

       

      An account failed to log on.

      Subject:
      Security ID:  NULL SID
      Account Name:  -
      Account Domain:  -
      Logon ID:  0x0

      Logon Type:   3

      Account For Which Logon Failed:
      Security ID:  NULL SID
      Account Name:  ldservice
      Account Domain:  nt.cccneb.edu

      Failure Information:
      Failure Reason:  Account locked out.
      Status:   0xc0000234
      Sub Status:  0x0

      Process Information:
      Caller Process ID: 0x0
      Caller Process Name: -

      Network Information:
      Workstation Name: LDCOL
      Source Network Address: 10.**3.**.***
      Source Port:  60937

      Detailed Authentication Information:
      Logon Process:  NtLmSsp
      Authentication Package: NTLM
      Transited Services: -
      Package Name (NTLM only): -
      Key Length:  0

        • 1. Re: Scheduler Account Audit errors lead to account lockout
          MarXtar ITSMMVPGroup

          Two workstations are mentioned in the examples you give. Are these just client systems are cold they also be running the LANDESK Management Console?

           

          Mark McGinn

          MarXtar Ltd/MarXtar Corporation

          http://landeskone.marxtar.co.uk

          LANDESK One Development Partner

           

          The One-Stop Shop for LANDESK Enhancements

          • 2. Re: Scheduler Account Audit errors lead to account lockout
            Apprentice

            @MarXtar The two devices are end user devices and have no management console installed. I received 1,100+ of these account lockout/schedule audit events in 10 minutes.

            • 3. Re: Scheduler Account Audit errors lead to account lockout
              amagi Expert

              Hi bhoffman, it seems the same issue of last time: Re: Scheduler service login account error  - Failed to set user name for the Scheduler service

              how your scheduler account is written now?

              • 4. Re: Scheduler Account Audit errors lead to account lockout
                MarXtar ITSMMVPGroup

                OK, what are the other log entries talking about?

                 

                lockout.png

                From what I can see there is a consistent pattern of log entries with an identical timestamp. Are they COM+ related?

                 

                Mark McGinn

                MarXtar Ltd/MarXtar Corporation

                http://landeskone.marxtar.co.uk

                LANDESK One Development Partner

                 

                The One-Stop Shop for LANDESK Enhancements

                • 5. Re: Scheduler Account Audit errors lead to account lockout
                  Apprentice

                  In my original post the first event details are the same. and look like this:

                  An account failed to log on.

                  Subject:
                  Security ID:  NULL SID
                  Account Name:  -
                  Account Domain:  -
                  Logon ID:  0x0

                  Logon Type:   3

                  Account For Which Logon Failed:
                  Security ID:  NULL SID
                  Account Name:  ldservice
                  Account Domain:  nt.ccneb.edu

                  Failure Information:
                  Failure Reason:  Unknown user name or bad password.
                  Status:   0xc000006d
                  Sub Status:  0xc0000064

                  Process Information:
                  Caller Process ID: 0x0
                  Caller Process Name: -

                  Network Information:
                  Workstation Name: VRKIRKLAND7
                  Source Network Address: 10.6**.***.09
                  Source Port:  63884

                  Detailed Authentication Information:
                  Logon Process:  NtLmSsp
                  Authentication Package: NTLM
                  Transited Services: -
                  Package Name (NTLM only): -
                  Key Length:  0

                   

                  Account lockouts all look like these:

                  An account failed to log on.

                  Subject:
                  Security ID:  NULL SID
                  Account Name:  -
                  Account Domain:  -
                  Logon ID:  0x0

                  Logon Type:   3

                  Account For Which Logon Failed:
                  Security ID:  NULL SID
                  Account Name:  ldservice
                  Account Domain:  nt.cccneb.edu

                  Failure Information:
                  Failure Reason:  Account locked out.
                  Status:   0xc0000234
                  Sub Status:  0x0

                  Process Information:
                  Caller Process ID: 0x0
                  Caller Process Name: -

                  Network Information:
                  Workstation Name: LDCOL
                  Source Network Address: 10.**3.**.***
                  Source Port:  60937

                  Detailed Authentication Information:
                  Logon Process:  NtLmSsp
                  Authentication Package: NTLM
                  Transited Services: -
                  Package Name (NTLM only): -
                  Key Length:  0

                   

                  This is the credential Validation event:

                  The computer attempted to validate the credentials for an account.

                  Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
                  Logon Account: ldservice
                  Source Workstation: VMMARGRITZ7
                  Error Code: 0xc0000064

                   

                  This is the Login Task category event info:

                   

                  An account failed to log on.

                  Subject:
                  Security ID:  NULL SID
                  Account Name:  -
                  Account Domain:  -
                  Logon ID:  0x0

                  Logon Type:   3

                  Account For Which Logon Failed:
                  Security ID:  NULL SID
                  Account Name:  ldservice
                  Account Domain:  nt.ccneb.edu

                  Failure Information:
                  Failure Reason:  Unknown user name or bad password.
                  Status:   0xc000006d
                  Sub Status:  0xc0000064

                  Process Information:
                  Caller Process ID: 0x0
                  Caller Process Name: -

                  Network Information:
                  Workstation Name: VMMARGRITZ7
                  Source Network Address: 10.67.80.165
                  Source Port:  53246

                  Detailed Authentication Information:
                  Logon Process:  NtLmSsp
                  Authentication Package: NTLM
                  Transited Services: -
                  Package Name (NTLM only): -
                  Key Length:  0

                  This event is generated when a logon request fails. It is generated on the computer where access was attempted.

                  The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

                  The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

                  The Process Information fields indicate which account and process on the system requested the logon.

                  The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

                  The authentication information fields provide detailed information about this specific logon request.
                  - Transited services indicate which intermediate services have participated in this logon request.
                  - Package name indicates which sub-protocol was used among the NTLM protocols.
                  - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

                  • 6. Re: Scheduler Account Audit errors lead to account lockout
                    amagi Expert

                    Are you able to logon to landesk console with user "nt.ccneb.edu\ldservice" ?

                    • 7. Re: Scheduler Account Audit errors lead to account lockout
                      MarXtar ITSMMVPGroup

                      Since you have so many I wonder if it is related to the inventory scan checking LDAP information.

                       

                      If you launch a scan on a device yourself do you see a corresponding entry about the locked out account?  Perhaps if you use the /LDAP- option from here: About Inventory Scanner Switches then it might stop the attempt to connect.

                       

                      One other piece of troubleshooting advice. Since it isn't 100% clear what part of LD is causing this, consider (even temporarily) creating additional ldservice accounts and using a different one in each section where you have ldservice. This way when the account gets locked out, the one that gets locked indicates which area of LD is causing it and it may help narrow down the search.

                       

                      Mark McGinn

                      MarXtar Ltd/MarXtar Corporation

                      http://landeskone.marxtar.co.uk

                      LANDESK One Development Partner

                       

                      The One-Stop Shop for LANDESK Enhancements

                      • 8. Re: Scheduler Account Audit errors lead to account lockout
                        Apprentice

                        MarXtar I created another LDService account last night and swapped it out with the old account. With the new account the lock outs have not "attacked" the new account and the old account is not being hit as much for account lockouts.

                         

                        The one area that is still the problem is my VDIs are trying the new account and is failing and sending an event error. The physical machines are not. Now, my VMs do have a different agent so I'm going to go a verify the new account in the agent settings.

                         

                        I really do appreciate this effort. Ill report more when I get more.

                        • 9. Re: Scheduler Account Audit errors lead to account lockout
                          Apprentice

                          amagi I was able to log in to my console with nt.cccneb.edu/ldservice

                          • 10. Re: Scheduler Account Audit errors lead to account lockout
                            Apprentice

                            Here is a screenshot of the error I'm receiving with my virtual machines.

                             

                            • 11. Re: Scheduler Account Audit errors lead to account lockout
                              MarXtar ITSMMVPGroup

                              VDI machines. Would that mean you have configured software monitoring to write to a file share? Could that be what is causing the issue now?

                               

                              Mark McGinn

                              MarXtar Ltd/MarXtar Corporation

                              http://landeskone.marxtar.co.uk

                              LANDESK One Development Partner

                               

                              The One-Stop Shop for LANDESK Enhancements

                              • 12. Re: Scheduler Account Audit errors lead to account lockout
                                Apprentice

                                Yea all devices are to write to a share for SLM. I don't use it currently in pools only dedicated VMs. The errors are now only with the VMs.