Cached Passwords

I have seen many cases where an account gets locked even though the user is typing the correct username and password. If you see this behaviour shortly after the user has changed their password, the cause may be a cached password. The fastest way to check, on Windows XP and also on Windows 7, is to open a command prompt and type:

rundll32.exe keymgr.dll,KRShowKeyMgr

This opens the Stored User Names and Passwords dialog, which lists the cached credentials that are otherwise somewhat hard to find.

I have also seen a corrupt profile lock accounts. Try enabling verbose logging for Netlogon by setting the following registry value:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
Name: DBFlag
Type: REG_DWORD
Value: 0x2080ffff

This will write verbose logging to the following location (on Windows XP):
c:\windows\debug\netlogon.log
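As an added example (not code from the original page), the PowerShell below sets the DBFlag value described above and then summarises the failed logons that netlogon.log records for one account, so you can see which host keeps presenting the wrong password. It assumes an elevated PowerShell on the machine whose log you are reading; the sample lines at the bottom are constructed in the documented netlogon.log line format and do not come from a real system, and the account name jdoe is a placeholder.

```powershell
# Added example, not from the original page: enable verbose Netlogon logging with the
# DBFlag value the page gives, then summarise failed logons for one account.
# Assumptions: elevated PowerShell; the sample lines below are constructed, not real.

# NT status codes that netlogon.log prints after "Returns".
$NetlogonStatusName = @{
    '0x0'        = 'STATUS_SUCCESS'
    '0xC000006A' = 'STATUS_WRONG_PASSWORD'
    '0xC000006D' = 'STATUS_LOGON_FAILURE'
    '0xC0000234' = 'STATUS_ACCOUNT_LOCKED_OUT'
}

function Enable-NetlogonDebugLogging {
    # Same registry value as described on the page (0x2080ffff = verbose flag set).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    Set-ItemProperty -Path $key -Name DBFlag -Type DWord -Value 0x2080ffff
    # On older systems, restart the Netlogon service if %windir%\debug\netlogon.log does not start growing.
}

function Get-NetlogonLogonFailures {
    param(
        [Parameter(Mandatory = $true)][string[]]$Lines,   # raw netlogon.log lines
        [Parameter(Mandatory = $true)][string]$User       # account name to look for
    )
    # One SamLogon result line:
    # "MM/DD HH:MM:SS [LOGON] SamLogon: <kind> logon of DOMAIN\user from SOURCE (via DC) Returns 0x..."
    $pattern = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: (?<kind>.+?) logon of (?<acct>\S+) from (?<src>\S+)(?: \(via (?<via>[^)]+)\))? Returns (?<code>0x[0-9A-Fa-f]+)'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        $m = $Matches
        # Accept DOMAIN\user or a bare user name; -notmatch is case-insensitive.
        if ($m.acct -notmatch ('^(?:[^\\]+\\)?' + [regex]::Escape($User) + '$')) { continue }
        if ($m.code -eq '0x0') { continue }   # keep failures only
        [pscustomobject]@{
            Time    = $m.ts
            Kind    = $m.kind
            Account = $m.acct
            Source  = $m.src
            Via     = $m.via
            Code    = $m.code
            Status  = if ($NetlogonStatusName.ContainsKey($m.code)) { $NetlogonStatusName[$m.code] } else { 'unknown' }
        }
    }
}

# Constructed sample lines in the netlogon.log format (not a real log).
$sample = @(
    '03/07 10:15:31 [LOGON] SamLogon: Network logon of CONTOSO\jdoe from WS01 Returns 0x0',
    '03/07 10:15:32 [LOGON] SamLogon: Transitive Network logon of CONTOSO\jdoe from (null) (via SRV-APP01) Returns 0xC000006A',
    '03/07 10:15:33 [LOGON] SamLogon: Transitive Network logon of CONTOSO\jdoe from (null) (via SRV-APP01) Returns 0xC000006A',
    '03/07 10:15:34 [LOGON] SamLogon: Network logon of CONTOSO\asmith from WS07 Returns 0xC000006A',
    '03/07 10:15:35 [LOGON] SamLogon: Transitive Network logon of CONTOSO\jdoe from (null) (via SRV-APP01) Returns 0xC0000234'
)

# Use the real log when it exists, otherwise the constructed sample.
$logPath = Join-Path $env:windir 'debug\netlogon.log'
$lines = if (Test-Path $logPath) { Get-Content $logPath } else { $sample }

Get-NetlogonLogonFailures -Lines $lines -User 'jdoe' |
    Format-Table Time, Kind, Source, Via, Code, Status -AutoSize

# Which host keeps sending the bad password? Count failures per source/via pair.
Get-NetlogonLogonFailures -Lines $lines -User 'jdoe' |
    Group-Object { "$($_.Source) via $($_.Via)" } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The "via" host is the machine that forwarded the logon to the domain controller, which is usually the most useful clue: a run of STATUS_WRONG_PASSWORD entries via a single server, followed by STATUS_ACCOUNT_LOCKED_OUT, points straight at the application on that server.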

My hero Mark Russinovich has written numerous great articles about the Case of the Unexplained. Let me tell you a story where tools from Sysinternals were used to solve the problem.
I had a case where a user got locked out during the day. He was a heavy user with lots of equipment: a laptop, a desktop, a terminal service session at home, an iPad and an iPhone. The story goes that we went step by step eliminating the things that could cause the locks. So we first took a look at his laptop; cached credentials, as mentioned above, were checked, and we came to the conclusion that it was not his equipment, because one day we shut everything down and did not turn it back on until the next day.
Okay, so what was causing the locks? I took a look at the security logs on the different domain controllers and used PowerShell to parse through them for entries where his name was in the message field and the result code was failure. Bingo, there were some entries. I looked at the logon type and it was logon type 0x4, so it is a batch (i.e. scheduled task).
Okay, so I thought it could be any server; since it was a large company with more than 500 servers, I needed to script it to make life easy. You may ask why I didn't take the client's IP address from the security log to find the server. Okay, I will explain:
In the security log there were several IP addresses, some from his laptop, some from other domain controllers and other servers. This wasn't clear at first, so I thought of focusing first on the batch, the scheduled task. I ran a PowerShell script to find all scheduled tasks and which account each ran under. Darn, there was no scheduled task running anywhere under this user. After some days I saw a pattern: 6 times a day the user got locked. Okay, it was clearly something that ran automatically at set times. Again, looking closer at the security log at these times pointed me at a server. There were no scheduled tasks, and this server was running an application called repliweb. Okay, I had done most of the work here; it was time to bring in the application owner to remove his name from this application, because it was locking his account. And so he did. Darn, again the user got locked out. I thought, now it is time for "when in doubt, run Process Monitor", and so I did. I had some 300000 lines of activity to look through in the snapshot I took around the times that the user got locked. Okay, so I used the tree view to focus only on the application repliweb that locks his account. Still a lot of lines to look through. So I zoomed in on the time in the security log when the user got locked out and compared it with the times in the Process Monitor log. Around the time the user got locked, the system was busy with some eraser. My eye fell on a log file that it called. Let's open up that log file:
There was clearly something going on with an account. So I thought, let's see if the log file gets changed exactly around the time the user got locked. BINGO, so the eraser was the cause. But how to solve this? I took another look in this particular directory and saw some .erase files:
JHGDJVWEUYUVDUWV.erase etc.
They were not big and probably they were encrypted, but hey, let's open one up with Notepad. BINGO, clear text, and yes, the username was in there with a hashed password.
I called the application owner and asked him if I could rename those files. He said, go ahead.
BINGO, no more locks on his account, thanks to the Sysinternals tools and technical lessons from Mark.

When you want to find all the times that a user gets unlocked at a certain domain controller, you can do this with PowerShell; see Powershell.
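The following is an added example (not code from the original page or from the Powershell page it links to) that covers both of the PowerShell tasks mentioned above: parsing domain controller security logs for failed logons for one user, including the logon type that identified the batch job in the story, and listing when that account was locked out and unlocked on each domain controller. It assumes Windows Server 2008 or later domain controllers (which use the 4xxx event IDs rather than the older 5xx/6xx ones), remote event-log access and read rights on the Security log; the user name jdoe and the DC names DC01 and DC02 are placeholders.

```powershell
# Added example, not from the original page: query each domain controller's Security log for
# one account's failed logons, lockouts and unlocks, and show when and from where they happened.
# Assumptions: Windows Server 2008+ DCs, remote event-log access, Security log read rights;
# user and DC names are placeholders.

# Logon type codes as they appear in event 4625; 4 = Batch is the scheduled-task case from the story.
$LogonTypeName = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

# Event IDs: 4625 failed logon on the DC itself, 4771 Kerberos pre-auth failure,
# 4776 NTLM validation failure, 4740 account locked out, 4767 account unlocked.
$EventName = @{
    4625 = 'Failed logon'; 4771 = 'Kerberos pre-auth failed'; 4776 = 'NTLM validation failed'
    4740 = 'Locked out'; 4767 = 'Unlocked'
}

function ConvertFrom-EventData {
    # Flatten the <EventData><Data Name="...">...</Data> elements of one event into a hashtable.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-AccountLockoutEvents {
    param(
        [Parameter(Mandatory = $true)][string]$User,
        [Parameter(Mandatory = $true)][string[]]$DomainController,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    foreach ($dc in $DomainController) {
        $filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776, 4740, 4767; StartTime = $since }
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $d = ConvertFrom-EventData -Event $e
            if ($d['TargetUserName'] -ne $User) { continue }   # -ne is case-insensitive
            # Where the attempt came from: 4740 keeps the caller computer name in TargetDomainName,
            # 4776 uses Workstation, the others use WorkstationName.
            $source = switch ($e.Id) {
                4740    { $d['TargetDomainName'] }
                4776    { $d['Workstation'] }
                default { $d['WorkstationName'] }
            }
            $logonType = ''
            if ($d['LogonType']) {
                $logonType = '{0} ({1})' -f $d['LogonType'], $LogonTypeName[[int]$d['LogonType']]
            }
            [pscustomobject]@{
                Time      = $e.TimeCreated
                DC        = $dc
                EventId   = $e.Id
                Event     = $EventName[$e.Id]
                LogonType = $logonType
                Source    = $source
                IpAddress = $d['IpAddress']
                # 4625 carries SubStatus (0xC000006A wrong password, 0xC0000234 locked out); 4771/4776 carry Status.
                Status    = if ($d['SubStatus']) { $d['SubStatus'] } else { $d['Status'] }
                By        = if ($e.Id -eq 4767) { $d['SubjectUserName'] } else { '' }   # who unlocked it
            }
        }
    }
}

$results = Get-AccountLockoutEvents -User 'jdoe' -DomainController @('DC01', 'DC02') -Hours 48 |
    Sort-Object Time

# Full timeline: failures, lockouts and unlocks across all DCs.
$results | Format-Table Time, DC, Event, LogonType, Source, IpAddress, Status, By -AutoSize

# The story above found its culprit by noticing the lockouts repeated at fixed times of day;
# grouping lockouts by clock time makes such a schedule stand out.
$results | Where-Object EventId -eq 4740 |
    Group-Object { $_.Time.ToString('HH:mm') } |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

Event 4740 is only written on the domain controller that processed the lockout (normally the PDC emulator), so query every DC rather than the one the user authenticates against; the Source column of that event is the machine that presented the bad password, which is the quickest way to find the server to run Process Monitor on.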

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License