Summary
- How to Find Account Lockout Source for Logon Type 3
- How to Find Account Lockout Source for Logon Type 8
- How to Find Account Lockout Source for Logon Type 7
How to Find Account Lockout Reason for Logon Type 3
This logon type occurs when a computer is accessed from elsewhere on the network (i.e. Remote Desktop sharing tool), or when other resources such as a network share are accessed from elsewhere on the network by passing credentials. One of the most common sources of logon events with logon type 3 is connections to shared folders or printers. Other over-the-network logons are also classed as logon type 3, as are most logons to IIS except Basic authentication.
Consider the following scenario:
- DC1 - Active Directory Domain Controller
- Morgan-PC - End user desktop computer
Now, when a user or an application tries to access a resource such as a network share from Morgan-PC with wrong credentials, logon failure event 4625 with logon type 3 is logged on DC1, and it points to the machine Morgan-PC as the source machine.
Event 4625 for Logon Type 3:
    Computer: DC1.TestDomain.Com
    Description: An account failed to log on.
    Logon Type: 3
    Account For Which Logon Failed:
        Account Name: Morgan
        Account Domain: TESTDOMAIN
    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xc000006d
        Sub Status: 0xc000006a
    Network Information:
        Workstation Name: Morgan-PC
        Source Network Address: 212.158.1.110
        Source Port: 51283
How to Trace AD User Lockout Reason for Logon Type 8
Logon type 8 occurs when the password was sent over the network in clear text. Basic authentication in IIS is the most likely cause of this kind of logon failure. As far as I know, there are two commonly used Microsoft IIS-based services with Basic authentication that end users access from their desktop or mobile device: the OWA client and SharePoint server.
When an end user connects to a Basic-authentication-enabled OWA client from their desktop PC or mobile device with a wrong password, event 4625 with logon type 8 is logged on the Exchange Server that hosts OWA.
Consider the following scenario:
- DC1 - Active Directory Domain Controller
- ExchSvr - Exchange Server integrated with AD, with OWA and DC1 as authentication server
- Morgan-PC/Mobile - End user computer/mobile device
Now, when the user morgan tries to connect to the OWA client from his desktop "Morgan-PC" with a wrong password:
- The logon failure event 4625 with logon type 8 is logged on ExchSvr, and this event points to Morgan-PC as the source machine.
- One of the authentication failure events (4768/4771/4776) is logged on DC1, depending on the authentication mechanism configured in AD, and this event points to the machine ExchSvr as the source machine.
    Computer: ExchSVR.TestDomain.Com
    Description: An account failed to log on.
    Logon Type: 8
    Account For Which Logon Failed:
        Account Name: Morgan
        Account Domain: TestDomain
    Failure Information:
        Failure Reason: Unknown user name or bad password.
        Status: 0xc000006d
        Sub Status: 0xc000006a
    Process Information:
        Caller Process ID: 0xce4
        Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
    Network Information:
        Workstation Name: ExchSVR
        Source Network Address: 212.158.1.110
        Source Port: 40977
To track the starting point of this logon failure, we need to read events from two machines, DC1 and ExchSVR.
- From the DC1 event, we can conclude that the failure was triggered from ExchSVR.
- Then, from the ExchSVR event, we can conclude that the actual failure was triggered from Morgan-PC (Source Network Address).
How to Find AD User Lockout Source for Logon Type 7
As far as I know, there are two possibilities for a logon failure with logon type 7.
- In most cases, this logon type occurs when a user unlocks the password-protected workstation screen; Windows treats this logon as logon type 7. If you entered a valid password, event 4624 is logged in the workstation event log with logon type 7, and if you entered a wrong password, event 4625 is logged with logon type 7.
- The account may also get locked out because of a cached Active Directory password.
Logon type 7 event info for a logon failure when unlocking the workstation screen:
    Description: An account failed to log on.
    Logon Type: 7
    Failure Information:
        Failure Reason: Unknown user name or bad password.
    Process Information:
        Caller Process ID: 0x1d3
        Caller Process Name: C:\Windows\System32\winlogon.exe
Logon type 7 event for other logon failures, such as cached credentials:
    Description: An account failed to log on.
    Logon Type: 7
    Failure Information:
        Failure Reason: An error occurred during logon.
    Process Information:
        Caller Process ID: 0x1f4
        Caller Process Name: C:\Windows\System32\lsass.exe
Thanks,
Morgan
Software Developer
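The tracing rules for logon types 3, 8 and 7 described above can be applied to exported 4625 event text as follows. This is an added example, not code from the original article; the function names and the one-field-per-line input layout are assumptions, and the sample events are built from the field values shown in the article.

```python
import re

FIELDS = ("Logon Type", "Account Name", "Workstation Name",
          "Source Network Address", "Caller Process Name")

def parse_4625(text):
    """Pull the tracing fields out of a 4625 event description."""
    event = {}
    for name in FIELDS:
        # Real events repeat "Account Name" (Subject first, failed account
        # second), so keep the last occurrence of each label.
        found = re.findall(rf"{re.escape(name)}:[ \t]*([^\r\n]+)", text)
        if found:
            event[name] = found[-1].strip()
    return event

def lockout_source(event, logged_on):
    """Return (source, reason); logged_on is the host whose log held the event."""
    ltype = event.get("Logon Type")
    proc = event.get("Caller Process Name", "").lower()
    if ltype == "3":   # network logon: the event names the client machine
        return event.get("Workstation Name"), "network logon (share, printer)"
    if ltype == "8":   # cleartext logon: the client is the source address
        return event.get("Source Network Address"), "cleartext logon via " + logged_on
    if ltype == "7" and proc.endswith("winlogon.exe"):
        return logged_on, "failed screen unlock"
    if ltype == "7" and proc.endswith("lsass.exe"):
        return logged_on, "possible cached credentials"
    return None, "logon type not covered here"

# Sample events built from the field values shown in this article.
TYPE3 = """Logon Type: 3
Account Name: Morgan
Workstation Name: Morgan-PC
Source Network Address: 212.158.1.110"""
TYPE8 = """Logon Type: 8
Account Name: Morgan
Caller Process Name: C:\\Windows\\System32\\inetsrv\\w3wp.exe
Workstation Name: ExchSVR
Source Network Address: 212.158.1.110"""
TYPE7 = """Logon Type: 7
Caller Process Name: C:\\Windows\\System32\\winlogon.exe"""

if __name__ == "__main__":
    for host, text in (("DC1", TYPE3), ("ExchSVR", TYPE8), ("Morgan-PC", TYPE7)):
        print(host, lockout_source(parse_4625(text), host))
```

For a type 8 result, repeat the lookup on the host named in the DC event first, as in the DC1 to ExchSVR to Morgan-PC chain above.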