Solved

Account Locked out Constantly

Posted on 2006-07-12
Last Modified: 2013-12-04
I recently changed my password. The password is constantly being locked out on the domain controller. The failed audit report reported it was locked out from my workstation (XP). No other machine is being shown in the audits; after shutting down the machine and not using that account, no failed reports are being generated, yet the account keeps locking itself.

I changed the password to a different one (required change password at logon).
I changed the password cache on the machine to 0.
I disabled the account on the domain controller
I shut down the workstation it was reporting failed audits.
Verified that no services on that machine require that specific account information.
I deleted all network mappings.

After applying all these changes, even disabling the account...it still locks that account.

Any ideas?
0
Comment
Question by:bigjimbo813
14 Comments
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17092238
Check whether any of the services run using your account. In that case, they would try to log in with your old credentials and cause lockouts. Find 'em if there is one and update the password there.

Cheers,
Rajesh
0
 
LVL 9

Author Comment

by:bigjimbo813
ID: 17092269
I posted that I verified all services run on the machine did not use those credentials.
0
 
LVL 9

Author Comment

by:bigjimbo813
ID: 17092276
Even though that machine is shut down, the lock still continues, yet the failed audit does not report on the DC.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17092296
Were you able to login at least once ?

Cheers,
Rajesh
0
 
LVL 9

Author Comment

by:bigjimbo813
ID: 17092303
Initially yes; now that I disabled the domain cache, no.
0
 
LVL 32

Expert Comment

by:rsivanandan
ID: 17092327
I can't think of anything else, somebody else will be able to dig in more.

Cheers,
Rajesh
0
 
LVL 9

Author Comment

by:bigjimbo813
ID: 17092385
I changed the password and unlocked the account. I can log in to the machine...but shortly after, the account is locked again.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17094521
Ok do this test,

Shutdown your current work workstation.

Unlock your account, change password and use any other workstation for a day.

See, if your account gets locked even without using your old workstation.

If yes, then check if you have left some disconnected Terminal Session on any server.

Also, check if you have logged into some machine using old password and then locked the machine with same old credentials.
0
 
LVL 6

Expert Comment

by:DaMaestro
ID: 17094795

net use * /d

also, try connecting to any server your account may be logged into and terminate your connection.

Also, if you ghost your machines (or use some other imaging product similar) it is possible that the net use connections stored in the image are causing your lockout. I had this issue when I imaged 12 machines at one time and after logging in as the local administrator (net use attempted 2 drive mappings per machine) my account got locked out.
0
 
LVL 9

Author Comment

by:bigjimbo813
ID: 17095341
I've shut down the workstation; the problem persisted (I was using another account).
All network shared devices were disconnected (problem persisted).

Ghost wouldn't be an issue as I use a separate account for that.
Terminal Sessions, I also use a separate account.

======

If I'm not mistaken, any Windows-based machine should report a failed audit to the DC (if audits are configured). This one isn't returning any failed audits other than my workstation initially (before I removed networked devices and powered down the machine). I deleted my old account, and replaced it with a new one (to renew the SID), and the problem persisted.
0
 
LVL 13

Expert Comment

by:prashsax
ID: 17099839
How many DCs do you have in your domain?

You need to look into the security logs in Event Viewer on the DCs.

I will tell you what Event ID will show you account locked. So you can filter the records.

The event ID will have the machine name due to which your account is being locked out.

0
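The log filtering described in the comment above, as an added example that is not part of the original thread: it tallies which machine each lockout event names as the caller and which DCs recorded it. The thread never gives the event ID; this assumes event 4740 (account locked out, Windows Server 2008 and later; Server 2003 logs it as 644), where the caller computer name is carried in the `TargetDomainName` data field. The events, account names and machine names are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
LOCKOUT_EVENT_ID = "4740"  # assumption: Server 2008+; Server 2003 uses 644


def _event(dc, event_id, user, caller, when):
    """Build one constructed record in the Windows event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>{event_id}</EventID>'
        f'<TimeCreated SystemTime="{when}"/><Computer>{dc}</Computer></System>'
        f'<EventData><Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="TargetDomainName">{caller}</Data></EventData></Event>'
    )


# Constructed sample: security-log exports from two DCs merged under one root.
SAMPLE = "<Events>" + "".join([
    _event("DC01", "4740", "jdoe", "WS-XP-017", "2024-01-10T09:01:00Z"),
    _event("DC02", "4740", "jdoe", "WS-XP-017", "2024-01-10T09:01:02Z"),
    _event("DC02", "4740", "jdoe", "", "2024-01-10T21:40:10Z"),
    _event("DC01", "4625", "jdoe", "EXAMPLE", "2024-01-10T21:40:09Z"),
    _event("DC01", "4740", "asmith", "WS-XP-044", "2024-01-10T10:15:00Z"),
]) + "</Events>"


def lockout_sources(xml_text, account):
    """Return (Counter of caller machines, set of DCs that logged a lockout)."""
    sources, dcs = Counter(), set()
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        system = ev.find("e:System", NS)
        if system.findtext("e:EventID", namespaces=NS) != LOCKOUT_EVENT_ID:
            continue  # skip failed logons and everything else
        data = {d.get("Name"): (d.text or "").strip()
                for d in ev.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != account.lower():
            continue
        # A blank caller means the DC recorded no source machine, so that
        # lockout has to be traced another way (e.g. a network capture).
        sources[data.get("TargetDomainName") or "<blank>"] += 1
        dcs.add(system.findtext("e:Computer", namespaces=NS))
    return sources, dcs


if __name__ == "__main__":
    callers, seen_on = lockout_sources(SAMPLE, "jdoe")
    print(dict(callers), sorted(seen_on))
```

Run it against exports from every DC, not just one, since a lockout is only in the security log of the DCs that recorded it.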
 
LVL 9

Author Comment

by:bigjimbo813
ID: 17100868
Prashsax,

I have checked those audits as mentioned in the initial post. The audits were failing when the workstation was hot. Once the workstation flagged in the failed audits was brought offline, the locks continued with no Failed Audits.

I ran a packet sniffer, and found a few other network issues. I disabled the account last night when I left, and the locks have stopped today. I think it was a security leak with the account being compromised when tending to a trouble ticket on site.


As of now consider this self-resolved. Thanks for the input.
0
 
LVL 1

Accepted Solution

by:
DarthMod earned 0 total points
ID: 17410593
PAQed with points refunded (500)

DarthMod
Community Support Moderator
0
