Seemingly random account lockout from domain

This happened twice yesterday to one user on my systems here at work. I did not see it in person because I only get called to fix the problem, so the only things I can tell you are what he told me before I solved the problem. In the morning he came into work and logged in as usual. Upon logging in, his password expiration notification came up saying he had 14 days left. He clicked no to changing the password, deciding he would do it later. A few hours later he went to lunch, and when he came back his screensaver required him to log in, which he did. He got back into Windows no problem, but when he tried going on the intra- or internet he got the username/password/domain entry box. He tried entering his usual information but it wouldn't let him on, so that's when he called me.

I looked at it and figured he was locked out for some reason (I thought mistyped password x times), so I went and unlocked his account for him. Fast forward to five o'clock that day and I leave for the night. About 30 minutes later, I guess, he has the same problem again: he walked away from the computer for 15 minutes or however long until his computer locked itself, and when he logged back in, no intra- or internet was available and the same username/password/domain box appeared.

Any ideas?
Asked by: mpatrick65
volk125 Commented:
Sounds to me like his connection gets disrupted while he is away and then he does enter proper info.

If you can recreate the situation, try to enter credentials with the domain name included, for example:
user: domain.com\username
pass: password

Also try to disable the screen saver password, and have the user lock the workstation manually whenever they leave. See if the problem occurs in that situation.
 
volk125 Commented:
I meant "does not" in the first sentence (it was a typo).
 
mpatrick65 (Author) Commented:
If the connection was disrupted, why would that trigger the username/password/domain dialog box to occur?

Disabling the screen saver password is not an option, as it is controlled by the group policy in the Active Directory structure.
 
volk125 Commented:
Rejoin the workstation to the domain.
 
Seelan Naidoo (Microsoft Systems Admin) Commented:
Sounds like a service is running with his credentials, and is prompting for 'change password'. As a result it will retry again, and will fail each time. Might be a scheduled task he has configured.
 
volk125 Commented:
Scheduled task to change domain password? On local computer?

That is something that is controlled by the domain security policy.
 
volk125 Commented:
mpatrick65,

No internet? You sure?

What if you cancel the prompt and try to access the internet? What happens then?
I think you haven't done enough troubleshooting yet...

At which point does it ask? When starting IE? Or browsing the network? Or ...? Can you ping Yahoo or Google? Or does it ask right after the screensaver password and not let you use anything (just the prompt on screen)?
 
mpatrick65 (Author) Commented:
Yeah, the domain security policy is set to have the users change their password every 90 days, I believe. The reminder about the 14 days came up for this user, but there is no reason why that should lock him out because his password was still accepted for another 14 days. I'm hoping that it might happen again today when he goes for lunch so I can get more information on the problem. It's not a difficult problem to fix, but I want to know why it is happening (unless it was just the user entering the wrong password a few times or having caps or number lock on).
 
mpatrick65 (Author) Commented:
Volk, if you cancel the prompt and try to access the internet, it brings up the "action cancelled, work offline" page. This is because to access the internet you need to use a proxy server which validates your username/password/domain to allow access. If you don't have the right answers you get no internet. For another matter, it is not just the internet like Google and Yahoo but also the intranet and shared folders on the servers, because those all require the validation which his account is being locked out of. He can still use all the Windows-based programs like Office and other desktop apps.
 
mpatrick65 (Author) Commented:
Anyone else have any ideas?
 
volk125 Commented:
Rejoin workstation, recreate user account, check security policy, check logon script.
But I'm sure you already tried that... so I'm out of ideas, sorry.
 
mpatrick65 (Author) Commented:
Alright, thanks, I appreciate your help. Like I said, I will see if it happens to him again when he goes to lunch today. If not, then I guess all is well. Just kinda bugs me when things happen and I don't know why.
 
kkohl Commented:
Hi there!

Not sure if I can put this down in words very well, but here goes...

When a user logs in to a domain, a DC is contacted for credentials.  If no DC is found, then the computer looks to its own cache for an existing login.  We all know this.
The DC also maintains the countdown for changing the password and will flag the user each login as a reminder.

The screen saver lockout set by group policy does not bounce off a DC, merely the machine cache.  This, I think is the root of this problem.  There will be no flag of a timer warning to change a password for a screensaver... yet the cache will attempt to verify itself against a DC, which doesn't have a "login attempt" to send a timeout flag, therefore it tries to force another login to verify credentials.

When the user logs back in after the screensaver lock, and then gets prompted for domain credentials when accessing the network... what happens if they just log out entirely and log back in?  They will get the warning flag that they can choose to change the password or wait, and all is well either way... until a screensaver lock.

I think this is one of those catch-22 type of situations that, by design or not, is as it is.

You should be able to recreate this situation for any username on your network.

Like I said, not sure if I got that out the way I intended, but I hope it helps.

kkohl
 
slickuk Commented:
Delete the profile on the machine itself. Right-click My Computer -> Properties -> Advanced -> User Profile -> Settings, then delete the profile. Also disconnect the computer from the domain and rejoin it, just for good measure.

This should fix the problem.
 
slickuk Commented:
Oh yeah, you could also change his password for him via Active Directory, and also set it not to expire and see how that runs for a few days. Then once it's calmed down and he's not getting hassled to change it, uncheck the "password never expires" box.
 
giltjr Commented:
Could this user be logged on at another computer with the OLD password?
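
Two hypotheses raised in the thread (a service or scheduled task still running with the user's credentials, and a session on another computer using the old password) can be checked from logs and configuration instead of waiting for the next lockout. The PowerShell below is an added example, not part of the original thread. It assumes the ActiveDirectory RSAT module, account-lockout auditing that writes event ID 4740 on the PDC emulator (Windows Server 2008 or later), PowerShell remoting to the workstation, and the placeholder names `jdoe` and `WS-EXAMPLE01`.

```powershell
# Added example: placeholder values, replace with your own.
$User     = 'jdoe'           # hypothetical sAMAccountName of the locked-out user
$Computer = 'WS-EXAMPLE01'   # hypothetical workstation to inspect

Import-Module ActiveDirectory

# 1. Lockouts are recorded on the PDC emulator as Security event 4740.
#    Properties[0] = locked account, Properties[1] = caller computer name.
$pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-2)
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $User } |
    Select-Object TimeCreated,
        @{ n = 'CallerComputer'; e = { $_.Properties[1].Value } }

$lockouts | Sort-Object TimeCreated | Format-Table -AutoSize

# Which machine the bad passwords come from, and how often.
# A caller other than the user's own workstation points at a second
# session or device still using the old password.
$lockouts | Group-Object CallerComputer | Select-Object Count, Name

# 2. Current lockout state for the account. BadLogonCount is kept per DC,
#    so query the PDC emulator, which receives bad-password forwards.
Get-ADUser $User -Server $pdc -Properties LockedOut, BadLogonCount,
        LastBadPasswordAttempt, PasswordLastSet |
    Select-Object SamAccountName, LockedOut, BadLogonCount,
        LastBadPasswordAttempt, PasswordLastSet

# 3. Services on the suspect machine that log on as the user.
Get-CimInstance Win32_Service -ComputerName $Computer |
    Where-Object { $_.StartName -like "*$User*" } |
    Select-Object Name, StartName, State

# 4. Scheduled tasks on the suspect machine that run as the user
#    (Get-ScheduledTask needs Windows 8 / Server 2012 or later).
Invoke-Command -ComputerName $Computer -ArgumentList $User -ScriptBlock {
    param($u)
    Get-ScheduledTask |
        Where-Object { $_.Principal.UserId -like "*$u*" } |
        Select-Object TaskName, TaskPath, State
}
```

If `LastBadPasswordAttempt` keeps advancing while the user is away from the keyboard, the failures are coming from something automated rather than from mistyped passwords.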