4776 with Uncommon Error Code 0xC0000199

Kiowa

I think the Owner of a Built-In Security Group is causing dozens of laptops to lock out because the account is not Enabled and has an Expired Password. I don't have a complete understanding of how this group would affect computers in a domain. My question is conceptual in order to better understand what I think the cause is.

In an enterprise, there are several domains. The Trust relation is unclear but could be determined. There is a Windows 10 rollout happening, and this might be related. The issue is a computer is locking out, and it isn't a common reason.

There is a Security Group called: Windows Authorization Access Group. Members have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. When I look at the computer object in Active Directory, this is one of the groups for all the laptops. When I look at the Special Permissions of the group on the computer, a desktop support technician is the Owner. He might be involved with the imaging and rollout. This user hasn't logged in for months. The user's account has an expired password and was locked out.

The computer is failing with Event ID 4776, but the Error Code isn't common: 0xC0000199. The SourceWorkstation is a path '\\'

EventCode=4776
EventType=0
Type=Information
ComputerName=ContosoDC.contoso.com
AuthentiationPackage=MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
LogonAccount=dell-laptop$
SourceWorkstation=\\dell-laptop
Error Code=0xC0000199

There is a TechNet article about this Error Code: it's the NetStatus code for STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT. Also, some event logs are saying the computer doesn't have permission to write to AD objects, and the computers don't have an FQDN.

I think there are a couple of possibilities. The WAA account is messed up because the owner is expired, or the computer can't join the domain because of a token issue, or the computer can't access a path to complete part of the imaging. I'd like to get some feedback from the community on this security group, the tokenGroupsGlobalAndUniversal, 0xC0000199, or why the source workstation is \\computername$.
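
A triage sketch for events like the one quoted above, added here as an example and not part of the original post: it parses 4776 records in the same key=value layout, groups failures by account, status and source, and separates computer-account failures with 0xC0000199 from user password failures. The sample events, the `jdoe` account and the function names are constructed for illustration.

```python
import re
from collections import Counter
# 4776 status values; 0xC0000199 is the one reported in the post.
STATUS = {
    "0xC000006A": "wrong password",
    "0xC0000199": "STATUS_NOLOGON_WORKSTATION_TRUST_ACCOUNT",
}
# Constructed sample events in the post's key=value layout.
SAMPLE = r"""
EventCode=4776
LogonAccount=dell-laptop$
SourceWorkstation=\\dell-laptop
Error Code=0xC0000199

EventCode=4776
LogonAccount=jdoe
SourceWorkstation=DELL-LAPTOP
Error Code=0xC000006A

EventCode=4776
LogonAccount=dell-laptop$
SourceWorkstation=\\dell-laptop
Error Code=0xc0000199
"""

def parse_events(text):
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        pairs = (line.split("=", 1) for line in block.splitlines() if "=" in line)
        events.append({k.strip(): v.strip() for k, v in pairs})
    return events

def triage(events):
    counts = Counter()
    for ev in events:
        code = "0x" + ev.get("Error Code", "0x0")[2:].upper()
        if ev.get("EventCode") != "4776" or code == "0x0":
            continue  # not a credential validation failure
        account = ev.get("LogonAccount", "").lower()
        source = ev.get("SourceWorkstation", "").lstrip("\\").lower()
        counts[(account, code, source)] += 1
    out = []
    for (account, code, source), n in sorted(counts.items()):
        machine = account.endswith("$")  # computer accounts end in "$"
        out.append({"account": account, "code": code, "count": n,
                    "meaning": STATUS.get(code, "unmapped"),
                    "self_sourced": machine and account[:-1] == source,
                    "machine_trust_logon": machine and code == "0xC0000199"})
    return out
```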
