Finding root cause of the frequent Bad Password Attempts or other Login Failure is a hard task now a days since many applications are using cached password methods. This article explains how to Trace and Find Account Lockout Source and Logon Failure Reason of an AD User for Logon Type 7.
Root cause of AD User Lockout for Logon Type 7
As for as I know there are two possibilities for logon failure with Logon type 7.
– In most cases, this logon type occurs when a user unlock the password protected workstation screen, Windows treats this logon as logon type 7. If your entered valid password, the event 4624 logged in workstation event log with logon type 7 and if you entered wrong password, the event 4625 will be logged with logon type 7.
– There may be a possibility to get account locked by Cached Active Directory Password.
Logon Type 7 event info for Login failure when unlock the workstation screen:
Description: An account failed to log on. Logon Type: 7 Failure Information: Failure Reason: Unknown user name or bad password. Process Information: Caller Process ID: 0x1d3 Caller Process Name: C:WindowsSystem32winlogon.exe
Logon Type 7 event for other login failure like cached cached credentials:
Description: An account failed to log on. Logon Type: 7 Failure Information: Failure Reason: An error occurred during logon. Process Information: Caller Process ID: 0x1f4 Caller Process Name: C:WindowsSystem32lsass.exe
Advertisement