Locked out domain account

Posted on 2005-03-11
Medium Priority
Last Modified: 2013-12-04
Hi, my W2k A.D. domain account gets locked out after I change the password every 30 days. I have checked this site for answers but nobody seems to be able to give a good solution on how to track down where the account is getting locked out from.

I have done the usual, deleted mapped drives, checked TS manager to see if my account is still logged onto a server, checked my services to see if I used my account to start one of them up and logged off my laptop and back on again but still my account gets locked out.

I would be grateful if anybody could provide a tool, script or some advice on how to track it down and stop it from locking my account.
Question by:baxsoftreg

Expert Comment

ID: 13517140
You need to enable security logging for your event logs.

Once you change your password, whatever is causing your account to fail on login and thus triggering account lockout should be in the log.

Check your AD security event logs.

Expert Comment

by:Rich Rumble
ID: 13517529
Yes, as stated above, you must enable the logging of these events, and check on the domain controllers' event logs. They keep track of what PC the requests are coming from. You'll want to log failures to make sure you don't get your logs too full too fast.

Author Comment

ID: 13517687
Hi, thank you both for your replies but I do have security logging enabled and e.g. it gives the below message. Now, I have checked that server and I am not logged onto it nor do I have any open sessions, I have even rebooted it but still my account gets locked out... Help!!

"Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      681
Date:            11/03/2005
Time:            14:52:47
User:            NT AUTHORITY\SYSTEM
The logon to account: USERNAME
 from workstation: XYZ
 failed. The error code was: 3221225578"
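
Error code 3221225578 in the event above is the decimal form of NTSTATUS 0xC000006A (STATUS_WRONG_PASSWORD). As an added example, not part of the original thread, the Python below parses Event ID 681 descriptions from a text export of a domain controller's Security log, decodes the code and counts failures per source workstation; the sample events, the host LAPTOP01 and the function names are constructed for illustration.

```python
import re
from collections import Counter

# NTSTATUS values that show up in failed-logon audits (subset, not exhaustive).
NTSTATUS = {
    0xC0000064: "STATUS_NO_SUCH_USER",
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC000006D: "STATUS_LOGON_FAILURE",
    0xC0000071: "STATUS_PASSWORD_EXPIRED",
    0xC0000133: "STATUS_TIME_DIFFERENCE_AT_DC",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",
}
# Event 681 description as quoted in the thread; the "by:" line is optional.
EVENT_681 = re.compile(
    r"The logon to account:\s*(?P<account>\S+)\s+"
    r"(?:by:\s*\S+\s+)?"
    r"from workstation:\s*(?P<workstation>\S+)\s+"
    r"failed\.\s*The error code was:\s*(?P<code>-?\d+)",
    re.IGNORECASE)

def decode_status(code):
    """Return (hex string, symbolic name) for a decimal error code."""
    code &= 0xFFFFFFFF  # also accepts the value written as a signed 32-bit int
    return f"0x{code:08X}", NTSTATUS.get(code, "UNKNOWN")

def lockout_sources(export_text, account):
    """Count failed logons for `account` per (workstation, status name)."""
    tally = Counter()
    for m in EVENT_681.finditer(export_text):
        if m["account"].lower() == account.lower():
            tally[(m["workstation"].upper(), decode_status(int(m["code"]))[1])] += 1
    return tally.most_common()

# Constructed sample: three 681 descriptions as they might appear in an export.
SAMPLE = """\
The logon to account: USERNAME
 from workstation: XYZ
 failed. The error code was: 3221225578
The logon to account: USERNAME
 from workstation: xyz
 failed. The error code was: 3221225578
The logon to account: USERNAME
 from workstation: LAPTOP01
 failed. The error code was: 3221226036
"""

if __name__ == "__main__":
    for (host, status), n in lockout_sources(SAMPLE, "USERNAME"):
        print(f"{n:3d}  {host:<12} {status}")
```

The workstation with the highest count of STATUS_WRONG_PASSWORD failures is the first place to look for a cached or stale credential.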

Expert Comment

ID: 13517815
is 'XYZ' your machine?

Expert Comment

by:Rich Rumble
ID: 13517823
The event's being reported from XYZ, that is your machine then?
http://support.microsoft.com/?kbid=837142 might be of some help...

Also I trust that this is an event log from Date:  11/03/2005
You have to make sure your system time is within 5 minutes + or - of the time of the domain controllers. Kerberos doesn't like to work with system times that are further off than that.

Expert Comment

ID: 13518071
Once you check your times as per above, check if you have Outlook in startup. Outlook is known to cache the old password, so when you change the password, it tries to give the old credentials to Exchange, and then the lockout policy kicks in.

have a look at this;



Accepted Solution

tmehmet earned 250 total points
ID: 13518144
There should be logs on the workstation XYZ. If it did attempt to connect and failed, it should have recorded it (assuming auditing is enabled). This may also give a clue as to the problem.

Author Comment

ID: 13519959
Thanks, it did point me to the problem: a virus was somehow using my account and when I changed my password it started causing problems. But overall, I think this is a one-off, as I have done all these searches before when accounts have been locked out and have been unable to successfully find the culprit. It would be great to have a tool to track the locked account for you. Anyway, thanks.

Also, thanks Rich for your contribution.

Expert Comment

ID: 13520076
What was the virus, just so others can know for future reference?


Author Comment

ID: 13533645
Believe it is NetDevil. It uses "Advapi", which can be used to impersonate a user that has logged onto that machine. In the logs, you would see "Logon Process = Advapi" rather than "Logon Process = Kerberos".

