Link to home
Create AccountLog in
Windows XP

Windows XP

--

Questions

--

Followers

Top Experts

Avatar of mprakhye
mprakhye🇺🇸

The Active DIrectory user account locks by itself every few minutes.
Hi,

I have one user in a midsize company whose AD user account gets locked for invalid password or logon attempts even though I come in and manually unlock it, it gets locked in 3 minutes again automatically.
Here are the errors from her computer's system event log: (They also repeat the errors for 4-5 servers including exchange on the network)

Warning.    Source: LSASRV     Category: SPNEGO (Negotiator)     Event ID: 40960

The Security System detected an attepted downgrade attack for server cifs/"server.domain". The failure code from authenticating protocol kerberos was "The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested". (0xc0000234)

Warning.    Source: LSASRV     Category: SPNEGO (Negotiator)     Event ID: 40961
The Security system could not establish a secured connection with the server cifs/"server/domain". No authentication protocol was available.


Does anyone know what it could be,

Thanks,

Mike.

Zero AI Policy

We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.

Avatar of slam69slam69🇬🇧

could that user have a session open on another pc or by running an app with cached credentials thats causing the account to lock
Avatar of flyingskyflyingsky

try check "password never expires" for that account.
Avatar of slam69slam69🇬🇧

lol i wouldnt consider teh above a solution as that opens up a hole in your security
Reward 1Reward 2Reward 3Reward 4Reward 5Reward 6

EARN REWARDS FOR ASKING, ANSWERING, AND MORE.

Earn free swag for participating on the platform.

Avatar of mprakhyemprakhye🇺🇸

ASKER

The user is only using one computer and no other at all.


The password expiraton is not the problem, the problem is it's locking itself automatically.
Avatar of slam69slam69🇬🇧

do they use terminal service/ remote desktop they could have left a session open with old credentials that is causing a conflict in passwords and causing the locak, if not that then they could have stored credentials within some vb script or alternative that are old and is causing the lock.

Aside from that i dont know of anything else it could be and you could spend a long time hunting for it id be recreating teh profile and seeing if that resolved
Avatar of flyingskyflyingsky

"lol i wouldnt consider teh above a solution as that opens up a hole in your security"
Security is nothing if the system is not usable at all.
I am just trying to suggest something that can get him going and buy him some time to figure out why.
Free T-shirt

Get a FREE t-shirt when you ask your first question.

We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.

Avatar of slam69slam69🇬🇧

cached credentials for a mapped network drive perhaps?
Avatar of powercrampowercram

Is this user's account being used for a service?  I've had this happen before where the user changes their password and the service is set to rerun if it fails.  In your case the service could be retrying after 1 minute.
Avatar of flyingskyflyingsky

"The password expiraton is not the problem, the problem is it's locking itself automatically"
Is the "password never expires" check box checked or just empty? I have seen similar problem when the box is empty.
Reward 1Reward 2Reward 3Reward 4Reward 5Reward 6

EARN REWARDS FOR ASKING, ANSWERING, AND MORE.

Earn free swag for participating on the platform.

Avatar of mprakhyemprakhye🇺🇸

ASKER

Slam69: It is a good idea, but I dont know why would it lock itself even when it's not in use, when the user is not logged in to the domain, but using a local account without any mappings.

Powercram: No, this is a regular user, the account is not being used for any services .

Flyingsky: The "password never expires" usually pertains to the expiry of the password after a certain period of time, therefore I don't see the relation here. Our passwords expire just like everywhere in order to keep the security of the account.
Avatar of slam69slam69🇬🇧

It would lock itself due to teh continual polling against AD not sure of teh exact technicalies but i had teh exact same probelm with a user at barclaycard and it eventaully transpired out to be an rdp session they were using in conjunction with their own desktop.

their password changed in teh monring but the rdp session kept running under the old credentials and kept causing account lock out
Avatar of flyingskyflyingsky

I understand this is a petential security issue by check password never expire. As I said, this maybe able to get him going and buy you some time to figure out why. If this is not necessary, just ignor my posts. thanks.
Free T-shirt

Get a FREE t-shirt when you ask your first question.

We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.

Avatar of mprakhyemprakhye🇺🇸

ASKER

The user is not using an RDP session, and if she was, then it would end the session after sometime of disconnection. But she has her computer off and is not logged in anywhere else, yet her account gets locked for invalid logon attempts.

Flyingsky: I checked the never expire checkbox, same thing, it locks itself in AD.
Avatar of slam69slam69🇬🇧

IM fast running out of ideas


If teh users isnt logged on it cant be RDpo lock out and it cant be a service causing teh locak out


How about scheduled tasks? even if not logge din the scheduled task can still try and run with bad credentials?
Avatar of slam69slam69🇬🇧

take alook at this article

http://technet.microsoft.com/en-us/library/cc773155.aspx

lots of things but the list is fast running out of possibilities
Reward 1Reward 2Reward 3Reward 4Reward 5Reward 6

EARN REWARDS FOR ASKING, ANSWERING, AND MORE.

Earn free swag for participating on the platform.

Avatar of mprakhyemprakhye🇺🇸

ASKER

I just turned her computer off and unplugged it from the network physically. Unlocked her account and in 4 minutes it got locked again.
Avatar of slam69slam69🇬🇧

well this is pretty infuriating, could anyone else have tried to use her credentials for an app?

At this point i would be canning teh profile but we can continue to troubleshoot if you like

rename account in ad old, rename her computer profile old, create new profile move uses old profile information to the new one and try again
Avatar of slam69slam69🇬🇧

The fact the machine is not even plugged into teh network physically negates nearly all teh usual problems that cause this

last one i can see if IIS if her account is used for this type of service on an IIS server but thats a long shot listening to you it sounds like she is just a regular user?
Free T-shirt

Get a FREE t-shirt when you ask your first question.

We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.

Avatar of mprakhyemprakhye🇺🇸

ASKER

Yes. It's not IIS.
Avatar of slam69slam69🇬🇧

are you in a position to recreate the profile they do become corrupt after all although its rare for it to be like this?
Avatar of mprakhyemprakhye🇺🇸

ASKER

Are you talking about AD user account or a local profile on the computer?
Reward 1Reward 2Reward 3Reward 4Reward 5Reward 6

EARN REWARDS FOR ASKING, ANSWERING, AND MORE.

Earn free swag for participating on the platform.

Avatar of slam69slam69🇬🇧

perform with teh ad user account first and then the local profile, i dont think its teh local profile due to the machine being off teh network but somethings going wrong
Avatar of mprakhyemprakhye🇺🇸

ASKER

I'll work on that today, but if anyone else has any ideas or fixes please post. Thanks!
Avatar of flyingskyflyingsky

do you have more than one domain controller? If so, are the time on these servers sync?
Free T-shirt

Get a FREE t-shirt when you ask your first question.

We believe in human intelligence. Our moderation policy strictly prohibits the use of LLM content in our Q&A threads.

Avatar of mprakhyemprakhye🇺🇸

ASKER

I just asked the user about changing her password which she did the day before. (Which she didnt tell me about) But she does not recall saving it anywhere, so I have to somehow figure out where her username and password are used on the network, somehow...
Avatar of slam69slam69🇬🇧

You can use the System Information tool to create a list of services and the accounts that were used to start them. To start the System Information tool, click Start, click Run, type winmsd, and then click OK.

BUT THAT ONLY WORK SON INDIVIDUAL MACHINES
Avatar of mprakhyemprakhye🇺🇸

ASKER

I solved the problem. The user has an IPhone that was set up to receive company e-mail on it. Since she changed her password a day before the IPhone was still trying to connect with a bad password, hence locking the account. Deleting the account or changing the password on the IPhone solved the problem!
Reward 1Reward 2Reward 3Reward 4Reward 5Reward 6

EARN REWARDS FOR ASKING, ANSWERING, AND MORE.

Earn free swag for participating on the platform.

Avatar of slam69slam69🇬🇧

so it was a service lol wish we knew about teh iphone earlier when asked what she logs into but alls well that ends well please close question as you deem appropaite
ASKER CERTIFIED SOLUTION
Avatar of slam69slam69🇬🇧

Link to home
membership
Log in or create a free account to see answer.
Signing up is free and takes 30 seconds. No credit card required.
Create Account
Windows XP

Windows XP

--

Questions

--

Followers

Top Experts

Microsoft Windows XP is the sixth release of the NT series of operating systems, and was the first to be marketed in a variety of editions: XP Home and XP Professional, designed for business and power users. The advanced features in XP Professional are generally disabled in Home Edition, but are there and can be activated. There were two 64-bit editions, an embedded edition and a tablet edition.