peterxlane

Windows Account Getting Locked Out

On our network at work, my Windows account keeps getting locked out.  If the incorrect password is entered three consecutive times, the account ends up getting locked out.  I first notice this when I attempt to get on a website on our corporate intranet that uses NT authentication and am unable to get in.  Then I am prompted for my password by Outlook.  At this point if I sign out of my computer I am unable to get back in as my account is locked.  I know that I am not attempting to enter my password incorrectly anywhere.  I do not have any open Terminal Server sessions. I don't have any scheduled tasks using my account.  I can't think of any services that I have set up using my account.

I am 99.9% sure that this is not from another user attempting to access my account simply due to the frequency that I am being locked out.  It happened about ten times yesterday.  So I am fairly certain that some process somewhere is running using an old password.  Is there any way to track down what is causing the lockout?




peterxlane

ASKER

elbereth21-
I downloaded psloggedon.exe and have been attempting to use it.

When I run psloggedon <username> I get a bunch of errors:

Error opening HKEY_USERS for <servername>
Make sure that remote registry service is started on <servername>
Unable to query resource logins

And it gives me this error for every machine on the network.

Although now I am noticing that my account is locked out AGAIN...  Can I run this utility if my account is locked out?


Deb-
I will look into the security auditing on the server, but I would need to make sure that it was set up on every server that I might access, correct?


A Couple of Remote Possibilities to Explore....
Option 1. Have you ever mapped network drives for another user (using your credentials) and then forgotten about them? Your password has since changed and every time that user logs in it tries to connect with the incorrect credentials.  Remote Possibility.

Option 2. Virus or other trojan on your network which has polled all of the user accounts on a client machine and is now attempting to spread via network shares.  This is the more likely candidate in my view.  It is trying to figure out your password and as it goes through the realm of possible passwords, every third failed attempt causes your account to lock.

Go to your DC and look at the Event log and try to determine which machine the attempts are made from... if you have logging of failed logon attempts enabled it should tell you which machine is enabled.

Good Luck with that...
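One way to run the domain-controller event log check suggested above, as an added example that is not part of the original thread. It assumes a domain controller running Windows Server 2008 or later, where a lockout is logged as event ID 4740 (Windows 2000/2003 domain controllers log it as event 644), and the names `jdoe` and `DC01` are placeholders.

```powershell
# Added example: list recent lockout events for one account and show which
# machine the bad passwords came from. Needs rights to read the Security log
# on the domain controller.
param(
    [string]$UserName = 'jdoe',          # placeholder account name
    [string]$DomainController = 'DC01',  # placeholder; the PDC emulator records every lockout
    [int]$Hours = 24
)

# Event ID 4740 = "A user account was locked out".
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Get-WinEvent reports "no events found" as an error, so suppress it and check below.
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    Write-Warning "No 4740 events returned from $DomainController (none logged, auditing off, or access denied)."
}

$lockouts = foreach ($e in $events) {
    # Read the named fields from the event XML rather than relying on their position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['TargetUserName'] -eq $UserName) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            # In event 4740 the TargetDomainName field holds the caller computer name.
            CallerComputer = $data['TargetDomainName']
            LoggedOn       = $e.MachineName
        }
    }
}

# Timeline of lockouts, then a count per source machine.
$lockouts | Sort-Object Time | Format-Table -AutoSize
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending | Select-Object Count, Name
```

Once the caller computer is known, the failed-logon events (ID 4625) in that machine's own Security log name the process and logon type that sent the bad password.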
Hi
Yep - you would need to make sure security auditing is set up - but if it's happening that often, set it up now and it should still give you a good idea of what's going on soon enough. Also make sure that there aren't any scheduled tasks set to run under your old account details, or services that are running with your credentials - you can check via services.msc - then checking properties of each one. Also ntbackup can cause this problem - unlikely with the frequency you're getting but still worth a mention. Virus checking as mentioned by Jeff is also a good idea - don't just rely on Norton/Symantec by the way! You could try Trend online/Panda etc.
Deb :))
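The checks mentioned in the two posts above (services, scheduled tasks and forgotten drive mappings that still hold an old password) can be scripted; this is an added example, not part of the original thread. It assumes Windows 8 / Server 2012 or later for `Get-ScheduledTask`, uses the placeholder account name `jdoe`, and should be run on each machine the lockouts are traced to.

```powershell
# Added example: find places on this machine where an account's old password
# may still be stored.
param([string]$UserName = 'jdoe')   # placeholder account name

$pattern = [regex]::Escape($UserName)

# 1. Services configured to log on as the account
#    (the "Log On As" column in services.msc).
$services = Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object @{n='Source';e={'Service'}}, Name, @{n='RunsAs';e={$_.StartName}}

# 2. Scheduled tasks whose principal is the account.
$tasks = Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $pattern } |
    Select-Object @{n='Source';e={'Scheduled task'}},
                  @{n='Name';e={$_.TaskPath + $_.TaskName}},
                  @{n='RunsAs';e={$_.Principal.UserId}}

# 3. Persistent drive mappings in the current user's profile that were
#    created with explicit credentials for the account.
$drives = Get-ChildItem HKCU:\Network -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    if ($p.UserName -match $pattern) {
        [pscustomobject]@{
            Source = 'Mapped drive'
            Name   = "$($_.PSChildName): -> $($p.RemotePath)"
            RunsAs = $p.UserName
        }
    }
}

@($services) + @($tasks) + @($drives) | Format-Table -AutoSize

# 4. Saved credentials in Credential Manager for the current user
#    (review the output for the account name).
cmdkey /list
```

Drive mappings and saved credentials are per user profile, so run steps 3 and 4 in the session of each user who logs on to that machine.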
You can try some of these tools that might be able to help you.
Here is what they are and do:

TABLE 1: Account Lockout–Related Management Tools

| Tool Name | Available From | Usage |
|---|---|---|
| Acctinfo.dll | Windows 2003 resource kit and altools.exe | Adds a new property page to the AD account properties that can help isolate and troubleshoot account lockouts. You can also use the tool to change a user's password on a DC in a particular site. |
| Alockout.dll | altools.exe | A client-side tool that helps identify the process or application that’s sending wrong credentials. |
| AloInfo.exe | altools.exe | A command-line tool that displays all user account names and the age of their passwords. |
| Lockoutstatus.exe | Windows 2003 resource kit and altools.exe | A GUI tool (which Figure 2 shows) that can query all DCs for user account lockout–related information. |

And here is where you can download these tools.

http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=7af2e69c-91f3-4e63-8629-b999adde0b9e

Joe
I'd like to concur with the security auditing and offer a couple of other possibilities. Look at what other restrictions you have on the account. For example, I had a boss who, in paranoia, once set up a webcam to take snapshots if the camera detected motion and then email those snapshots to him. In one night he ran over quota and was locked out. We deleted the offending emails and unlocked his account only to have the same thing happen the next day because he hadn't changed the webcam settings. So there are a number of things, disk quotas, failed login attempts, etc. that can lock out your account.

If you have the security auditing set up, look at the different possible things you can do to trigger a lock-out of your account.
Lockout after 3 bad tries is the way NT was written.  It saves a dated file, and you can't try again until the next day; that is the way it is designed.
Rartemass
Perhaps it is an issue with your screen saver.  There is an issue that when you have a password-enabled screen saver you may enter the password incorrectly, but you have more than 3 attempts as the password is cached on the system.  You will get back into the computer; however, the account will be locked.

Fix is as follows:

1. Click Start, Run, type REGEDT32 and click OK.
2. Navigate to the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.  
3. If the ForceUnlockLogon value does not exist, add it. To do so click Edit, select Add Value, type ForceUnlockLogon, change Data Type to REG_DWORD and click OK. When the DWORD Editor opens, add the number 1 into the Data field and ensure Hex is selected, then click OK. The ForceUnlockLogon should appear in the right pane of the Winlogon screen.
4. Close the Registry Editor.
5. Restart the computer.


Full Microsoft article on cause and resolution:
http://support.microsoft.com/default.aspx?scid=kb;en-us;188700
I am at kind of a standstill on this issue.  I am dealing with administrators in a remote office to try and look at the event log on the domain controller to help determine the cause...

My account did not lock me out at all yesterday... HOORAY!  There was really only one app that I can think of that I didn't use yesterday:  SQL Enterprise Manager.  I had many different remote registered servers in there.  When registering these servers, I almost always used SQL Server authentication, but there were a couple that I used NT authentication... But it was not as though I had to enter the credentials when doing this, it simply says use the credentials I use when I log onto my computer... so I can't imagine why that would lock out my account.

I am going to divide up the points among the answers that have helped the most...