Solved

mysterious account lockouts

Posted on 2007-11-29
7
381 Views
Last Modified: 2012-05-05
Let me first tell you what is NOT the problem: users mistyping or forgetting their passwords. The lockouts are happening while users are logged on. I will unlock a user, and a few minutes later, the account is locked again. The lockouts are happening in a single department (Customer Service) and only some of the users are getting locked out repeatedly. There are 15 people in the department, but only about 5 are being repeatedly locked out.

The first question I asked myself was what did I change? Recently, I installed a .NET based rate calculator app from UPS on all machines in the department. However, the problem did not immediately appear after I installed the app.  A few weeks before that, I upgraded both of my W2K3 Domain Controllers to SP2.

If it is the new app, I'd like some definitive proof that it is the cause before I remove it. If I can't find proof, then i guess my next step will be to uninstall the app on a couple of the PCs that are affected and see if the problem goes away.

More on the environment: I have a single domain with 2 domain controllers, running in 2003 mode. All clients in the Customer Service Department are running XP SP2. My print and file servers are running 2003 with a mix of SP1 and SP2. I have a 2003 SP1 SQL server running MSSQL 2000 STD SP3. I do not have Exchange.

What I have tried: I have installed Mcrosoft's ALockout.dll tool on several of the affected machines, as well as enabling netlogon debugging on those machines. I have also enabled netlogon debugging on both Domain Controllers. However, I am struggling with the interpretation of these logs.
0
Comment
Question by:porkerjoe
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 15

Accepted Solution

by:
JimboEfx earned 125 total points
ID: 20375189
I have recently come across this product but have not tried:

http://www.motivatesystems.com/Lockout_Inspector.asp
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 125 total points
ID: 20375191
This sort of thing is often a result to users setting up a scheduled task and supplying it with credentials and then subsequently changing their password,  resulting in a task that keeps trying to  run with the wrong password and the account gets locked
0
 
LVL 1

Author Comment

by:porkerjoe
ID: 20375395
It is not the scheduled tasks - checked that already.

I will take a look at the Lockout Inspector tool - it looks like it is a full function 30-day trial. However, I don't think it will provide me the source of the lockout - only the IP address. I need to pin down what it is on the machine that is sending the credentials.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 
LVL 58

Assisted Solution

by:tigermatt
tigermatt earned 125 total points
ID: 20375931
The most common cause is something which is supplying incorrect credentials. I have often seen users bringing their home laptops in, mapping drive letters and entering their domain credentials, then changing their domain password but not updating their laptop. This obviously means it will try to map the drive and you will get account lockouts. I doubt that is the case here though as it is only one department.

Look at any programs which may have domain credentials hard programmed. When did the affected users last change their passwords, it may be that the hard programmed credentials are incorrect?

-tigermatt
0
 
LVL 1

Author Comment

by:porkerjoe
ID: 20376536
The new app that I recently installed does not store domain credentials. I don't think I've introduced any other new apps...I also can't think of any apps that used stored credentials.

The user who was first experiencing difficulties and was the reason I discovered the issue - his password was changed on Nov 3. Issues did not start happening until around the 20th.

None of the PCs in question are laptops, and I have not seen any extra mapped drives that users configured themselves.

All users in the company have drives mapped by logon scripts. I did not think to mention this before, but it might be relevant.

0
 
LVL 3

Assisted Solution

by:l84work
l84work earned 125 total points
ID: 20390441
Rename the user account names.  If lock out continues, then you know it's not some type of cached credentials.
0
 
LVL 1

Author Comment

by:porkerjoe
ID: 20444670
It turned out to be that my two domain controllers had stopped replicating with each other. As soon as I corrected that and had the problem users change their passwords, the account lockouts went away.

Thanks to all who chimed in. I'll split the points between all contributors. The first person who has already posted who posts the following will get the nod for the correct answer:

Check Replication between your domain contollers.
0

Featured Post

Complete VMware vSphere® ESX(i) & Hyper-V Backup

Capture your entire system, including the host, with patented disk imaging integrated with VMware VADP / Microsoft VSS and RCT. RTOs is as low as 15 seconds with Acronis Active Restore™. You can enjoy unlimited P2V/V2V migrations from any source (even from a different hypervisor)

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A company’s centralized system that manages user data, security, and distributed resources is often a focus of criminal attention. Active Directory (AD) is no exception. In truth, it’s even more likely to be targeted due to the number of companies …
No single Antivirus application (despite claims by manufacturers) will catch or protect you from all Virus / Malware or Spyware threats. That doesn't stop you from further protecting yourself however - and this article is to show you how.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question