Event 4776 - Audit Failure from DC + Account Lockout
-
The computer attempted to validate the credentials for an account.
Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon Account: gijones
Source Workstation: DC1
Error Code: 0xC000006A
I recently opted to put Account lockout Policies in place as I'm learning more about the Security side of things having just passed my MTA Security. Instantly getting account lockouts on my account.
We never used elevation for admin privs, but we since stopped being idiots. I bring this up because we probably set up a lot of things with our older credentials, and the littlest bit of research tells me this is a mapped drive, a service, or a scheduled task that's trying to authenticate using incorrect credentials.
Things I've checked/additional info:
netlogon.log for accuracy and understanding. [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\gijones from DC1 Returns 0xC000006A (this code just means the user name is correct but the password is wrong)
- Every Service on the DC was checked for the Log On credentials.
- Every server in the domain was checked for any scheduled task, or process that could be running with my credentials.
- I've deleted any user folder that was mine that existed on any server, in addition to removing the profile altogether with Regedit.
- I've checked all servers for mapped drives, as well as any computer I can think of that I would have mapped to the DC.
We do use a VPN, and I have tunneled in from home previously, but I've double checked the service wasn't running on my home machine.
I've hit a point where I don't know where else to look. Now, I could just make a new username easy peasy and be done with it, but not knowing is driving me crazy. Any additional ideas on places to look or next steps? I'm tinkering around with Wireshark, so maybe if it's a mapped drive I could find it that way. Just gotta figure out these filters...
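The netlogon.log line quoted above is a workable starting point for finding the source of the bad-password attempts. The following is an added example (not from the original post or any Microsoft tool) that parses constructed SamLogon lines in that format, maps the NTSTATUS codes, and counts wrong-password failures per source workstation against the lockout threshold; the sample log lines, the threshold of 3 and the host names are assumptions.

```python
import re
from collections import Counter

# Well-known NTSTATUS codes that appear in netlogon.log "Returns" and in event 4776.
NTSTATUS = {
    "0xC000006A": "user name correct, password wrong",
    "0xC0000064": "user name does not exist",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
    "0xC0000071": "password expired",
}

# Matches the SamLogon line format shown in the post; the leading fields
# ("[LOGON] [716]") are the netlogon component and thread id and are skipped.
LINE_RE = re.compile(
    r"SamLogon: (?P<kind>\w+) logon of (?P<domain>[^\\]*)\\(?P<user>\S+) "
    r"from (?P<source>\S+) Returns (?P<code>0x[0-9A-Fa-f]+)"
)

# Constructed sample lines (not real log data) in netlogon.log style.
SAMPLE = """\
01/10 08:15:02 [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\\gijones from DC1 Returns 0xC000006A
01/10 08:15:09 [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\\gijones from DC1 Returns 0xC000006A
01/10 08:15:30 [LOGON] [720] DOMAIN: SamLogon: Network logon of DOMAIN\\gijones from WS-FINANCE Returns 0x0
01/10 08:15:41 [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\\gijones from DC1 Returns 0xC000006A
01/10 08:16:00 [LOGON] [716] DOMAIN: SamLogon: Network logon of (null)\\gijones from DC1 Returns 0xC0000234
01/10 08:16:05 [LOGON] [721] DOMAIN: SamLogon: Network logon of DOMAIN\\svc_backup from APP01 Returns 0xC000006A
""".splitlines()

def describe(code):
    """Human-readable meaning of an NTSTATUS code, or the raw code if unknown."""
    return NTSTATUS.get(code, code)

def parse_netlogon(lines):
    """Yield (user, source, code) for every SamLogon line that did not return 0x0."""
    for line in lines:
        m = LINE_RE.search(line)
        if m and m.group("code") != "0x0":
            code = "0x" + m.group("code")[2:].upper()   # normalise hex case, keep "0x"
            yield m.group("user").lower(), m.group("source"), code

def failure_sources(lines, user, threshold):
    """Count wrong-password (0xC000006A) failures per source workstation for one
    account; the flag marks any source that alone reaches the lockout threshold."""
    counts = Counter()
    for u, source, code in parse_netlogon(lines):
        if u == user.lower() and code == "0xC000006A":
            counts[source] += 1
    return {s: (n, n >= threshold) for s, n in counts.items()}
```

If the reported source is the DC's own name, the log still does not name the originating client, which is why the replies below point at IP addresses in a network trace.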
-
@G-I-Jones said in Event 4776 - Audit Failure from DC + Account Lockout:
I'm tinkering around with Wireshark, so maybe if it's a mapped drive I could find it that way. Just gotta figure out these filters...
Not sure that would help... if the packets are encrypted to the server from whatever's making the request, you won't be able to read anything.
-
@Dashrender said in Event 4776 - Audit Failure from DC + Account Lockout:
@G-I-Jones said in Event 4776 - Audit Failure from DC + Account Lockout:
I'm tinkering around with Wireshark, so maybe if it's a mapped drive I could find it that way. Just gotta figure out these filters...
Not sure that would help... if the packets are encrypted to the server from whatever's making the request, you won't be able to read anything.
Would show the IP addresses, though.
-
Figured it out. Both DCs had inconsistencies between configurations and they basically weren't replicating or were failing to serve DNS requests because the Interfaces were all over the place.
I used this opportunity to take a crash course on Configuring DNS to understand all of the settings, and I was able to fix it by thoroughly sweeping the settings and correcting as I went.
I've never seen the Security log so empty before. It's a great feeling. Also, I learned a bit about DNS so win-win.