Home Β» PowerShell Β» Error Code 0xc0000234 – Event Id 4776 – Fix

Error Code 0xc0000234 – Event Id 4776 – Fix

Error code 0xc0000234 – The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.

Error code 0xc0000234 log details log under Event Id 4776 in event viewer.

Event ID 4776 0xc0000234 – user account has been automatically locked every after few seconds and the user failed to logins.

In this article, we will discuss a solution to solve the error code 0xc0000234 or event id-4776 by enabling debug logging for the netlogon service.

Error Code 0xc0000234

When DC ( Domain Controller) successfully authenticates a user via NTLM, it logs this event.

Authentication Package: Always β€œMICROSOFT_AUTHENTICATION_PACKAGE_V1_0”

Logon Account: ShellOper

Source Workstation:
Error Code: 0xc0000234

In the event log, it shows the above information

This event is also logged on member servers and workstations when someone attempts to log on with a local account.

Cool Tip: How to manipulate Active Directory UserAccountControl flags in PowerShell!

Error Code 0xc0000234 Solution

To know the source of the login attempt, we have to enable verbose netlogon logging on Domain Controller.

To enable the verbose netlogon logging follow given below steps

  1. Open a Cmd (Command Prompt) with Administrator privileges.
  2. Run below command
Nltest /DBFlag:2080FFFF
  1. Netlogon service stop and restart not required.
  2. If you want to turn off the verbose netlogon logging, run below command
Nltest /DBFlag:0x0

Netlogon related events are available in file %windir%\debug\netlogon.log

To read the events of the above file, open the log file with run as administrator.

netlogon.log file contains the user logon attempt and its source location.

This will help you to trace the workstation from where the login attempt was coming.

You can enable or disable netlogon logging using the registry method.

  1. Open the registry editor
  2. If Reg_SZ value for the below registry entry exists, delete it
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag

3. Create REG_DWORD with the same word and assign value 2080FFFF hexadecimal value.

Cool Tip: Event Id 4625 Status Code 0xc000006a – Fix to find the source of attempt!

Conclusion

I hope the above article on error code 0xc0000234 logs under event id 4776 is helpful to you.

Error Status code 0xc0000234 – User account has been automatically locked because of too many invalid logon or password change attempts.

Cool Tip: Event Id 4634 – An Account was logged off!

Using enabling the verbose logging for the netlogon service on the Domain controller will help you to find out logon attempt location.

Cool Tip: Event Id 4771 – Kerberos pre-authentication failed!

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.

You can read more on other windows security and system event logs as given:

Leave a Comment