⚑ Deus Ex Machina ➽ Eventlog Lookup

LSASRV - 40960


Warning

Description »
The Security System detected an authentication error for the server LDAP/DC1.fqdn.example.local/fqdn.example.local@FQDN.EXAMPLE.LOCAL.  The failure code from authentication protocol Kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
 (0xc0000234)".
Data formatted as » WORDS
0000: c0000234

The data section is what you need to be looking at here. In the example provided above, it is C0000234, which tells you that the account has been locked out.

You may also see:

c000005e - STATUS_NO_LOGON_SERVERS

This status in the data section tells you that, for whatever reason, the computer was unable to contact a domain controller. If there's no obvious cause (e.g. no sign of network issues at the time), see MS KB824217.

c0000064 - STATUS_NO_SUCH_USER

Fairly self-explanatory: the account does not exist. Perhaps it has been deleted from the forest? Perhaps it never existed. Perhaps the computer account has been cleaned up by somebody running a cleanup script or something like the oldcomp utility.

c000006d - STATUS_LOGON_FAILURE

This one is a bit more general, as it doesn't tell you explicitly why the logon attempt failed. It's likely to be a broken secure channel, and you will need to look at resetting the machine account password. This might happen if you've left a domain-joined computer offline for a long time, and then suddenly re-introduce it to the network with an old, expired password.

See MS KB325850 for a guide to resetting machine account passwords using the Netdom utility.

c0000072 - STATUS_ACCOUNT_DISABLED

The account has been disabled (as opposed to locked out). This means that somebody/something has deliberately decided that this account should not be used anymore. You should probably work out why this might be before deciding to re-enable it.

c0000133 - STATUS_TIME_DIFFERENCE_AT_DC

This is a bit more self-explanatory. In fact, with this ntstatus appearing in the data section, the description will also include the text "The time at the Primary Domain Controller is different than the time at the Backup Domain Controller or member server by too large an amount."

c0000017 - STATUS_NO_MEMORY

This could be a memory shortage (if you're seeing other evidence of that), or could be the exhaustion of some other resource, such as ephemeral ports.

c000019b - STATUS_DOMAIN_TRUST_INCONSISTENT

This status is usually seen in a cross-forest trust situation, and suggests you may need to install MS KB931192.

c0000023 - STATUS_BUFFER_TOO_SMALL

This may indicate Kerberos token bloat issues. This status is also seen in Kerberos event ID 6.
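
As an added example (not from the original page), this Python parser reads the NTSTATUS from the data section of an exported 40960 event, maps it to the statuses listed above, and flags an event whose description and data section disagree. The little-endian byte-view handling, the shortened message text in the sample and the keys of the returned dict are assumptions that go beyond what the page shows.

```python
import re

# Codes and names as listed on this page. 0xC0000234 appears there without its
# symbolic name, which is STATUS_ACCOUNT_LOCKED_OUT.
NTSTATUS = {
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
    0xC000005E: "STATUS_NO_LOGON_SERVERS",
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000072: "STATUS_ACCOUNT_DISABLED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000017: "STATUS_NO_MEMORY",
    0xC000019B: "STATUS_DOMAIN_TRUST_INCONSISTENT",
    0xC0000023: "STATUS_BUFFER_TOO_SMALL",
}
H = "[0-9a-fA-F]"

def parse_40960(text):
    """Extract target, protocol and NTSTATUS from one exported 40960 event."""
    target = re.search(r"for the server (\S+)\.\s", text)
    proto = re.search(r"authentication protocol (\w+) was", text)
    desc = re.search(rf"\(0x({H}{{8}})\)", text)
    words = re.search(rf"^\s*0000:\s*({H}{{8}})\b", text, re.M)
    # Assumption: a byte-view export shows the same DWORD little-endian.
    byts = re.search(rf"^\s*0000:\s*({H}{{2}}(?: {H}{{2}}){{3}})\b", text, re.M)
    if words:
        code = int(words.group(1), 16)
    elif byts:
        code = int.from_bytes(bytes.fromhex(byts.group(1)), "little")
    elif desc:
        code = int(desc.group(1), 16)
    else:
        return None  # no status anywhere: not a usable 40960 export
    return {
        "target": target.group(1) if target else None,
        "protocol": proto.group(1) if proto else None,
        "code": f"{code:08x}",
        "status": NTSTATUS.get(code, "not listed on this page"),
        # The description and the data section should carry the same code.
        "mismatch": bool(desc) and int(desc.group(1), 16) != code,
    }

# Constructed samples: the page's event (message shortened), then a byte view.
PAGE_EVENT = ('The Security System detected an authentication error for the server '
              'LDAP/DC1.fqdn.example.local/fqdn.example.local@FQDN.EXAMPLE.LOCAL.  '
              'The failure code from authentication protocol Kerberos was "..."\n'
              ' (0xc0000234)".\nData formatted as » WORDS\n0000: c0000234\n')
BYTE_EVENT = "0000: 6d 00 00 c0\n"
```
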