How to identify what is causing login failure

I have a remote user who changed his password through an RDP session. Then he connected his VPN and changed the local password on his laptop. Since then his account continues to get locked. I completely removed his profile from the laptop, forced a password change (while the laptop was physically on the network) and recreated his Exchange profile. It worked fine for a few days and now it is doing the same thing. I am seeing the following errors in the security log.

Logon Failure:
    Reason:                  Account locked out
    User Name:               <username>
    Domain:                  <mydomainname>
    Logon Type:              8
    Logon Process:           Advapi
    Authentication Package:  Negotiate
    Workstation Name:        Server-EXCH (this is the weird part: this is not his PC name, it is my Exchange server name)
    Caller User Name:        Server-EXCH$
    Caller Domain:           <mydomainname>
    Caller Logon ID:         (0x0,0x3E7)
    Caller Process ID:       4652
    Transited Services:      -
    Source Network Address:  67.223.82.116
    Source Port:             54918

This appears to be a connection through Outlook to the Exchange server issue, but I cannot find where it is broken.

Any help would be appreciated.

Thanks
gf0326Asked:
acromentCommented:
Does this user have some 3rd-party application that is trying to log in and access his Exchange account? For example, a Vista sidebar gadget that is checking for new emails?
0
gf0326Author Commented:
No. The only thing that was out of the ordinary is that originally he was set up to access his email via RPC over HTTP. When I removed his Outlook and Windows profile from the machine I intentionally did not set that back up.
0
JimInLakelandCommented:
If you use a lot of RDP, this user may have a running session on a server with the old credentials.

Use the Microsoft Account Lockout tool to find where the lockout is occurring.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
0
gf0326Author Commented:
We do use a lot of RDP, but I have it set to reset the connections after 1 hour. I verified in Terminal Services Manager that he does not have a disconnected session.

I ran the tool and it showed he was locked out. I unlocked and turned on netlogon logging. What else can I or should I do with this tool?
0
Chris HudsonCloud Security ArchitectCommented:
Logon type 8 means it's a network logon which is sending a clear-text password. The process it's talking about is "Logon Process: Advapi". It can be a virus. First scan for the advapi virus:
http://www.processlibrary.com/directory/files/advapi/

For all account lockout issues we should figure out the source that is sending the bad password. Enabling the netlogon log will help you to find the source machine.

You can use Advapi in ASP scripts to send logon info.

In your domain there is one ASP application which is sending a wrong password.

The following link explains Advapi in ASP:
http://www.motobit.com/help/scptutl/cm123.htm

0
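As an added example, not code from the thread or from Microsoft's lockout tools: a small Python parser for the legacy "Logon Failure" event block quoted in the question, with triage hints for the fields Chris points at (Logon Type 8, the Advapi logon process, and the Exchange machine account appearing as the caller). The sample event is constructed from the question's values.

```python
import ipaddress
import re

# Microsoft's documented meanings of the "Logon Type" field in logon events.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service", 7: "Unlock",
               8: "NetworkCleartext", 9: "NewCredentials", 10: "RemoteInteractive"}
SYSTEM_LOGON_ID = "(0x0,0x3E7)"  # logon session of the LocalSystem account

# Constructed sample, modelled on the event quoted in the question.
SAMPLE_EVENT = """Logon Failure:
    Reason:            Account locked out
    User Name:      <username>
    Domain:      <mydomainname>
    Logon Type:      8
    Logon Process:      Advapi
    Authentication Package:      Negotiate
    Workstation Name:      Server-EXCH
    Caller User Name:      Server-EXCH$
    Caller Logon ID:      (0x0,0x3E7)
    Source Network Address:      67.223.82.116
    Source Port:      54918
"""
FIELD_RE = re.compile(r"^\s*([A-Za-z ]+?):\s+(.*?)\s*$")

def parse_logon_failure(text):
    """Turn the 'Field: value' lines of a legacy Logon Failure event into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields

def triage(fields):
    """Derive investigation hints from the parsed fields (defender's view)."""
    ltype = int(fields.get("Logon Type", "0"))
    hints = [f"Logon type {ltype} = {LOGON_TYPES.get(ltype, 'unknown')}"]
    caller, host = fields.get("Caller User Name", ""), fields.get("Workstation Name", "")
    if caller.endswith("$") and fields.get("Caller Logon ID") == SYSTEM_LOGON_ID:
        # Machine account running as SYSTEM: a service on that server relayed the
        # user's stored credential; the user did not type it there.
        hints.append(f"Submitted by a SYSTEM service on {host}; check what authenticates "
                     "on the user's behalf through that server")
    if ltype == 8:
        hints.append("Password reached the server's authentication package unhashed (IIS "
                     "Basic auth style); a stale saved credential on the client is the usual cause")
    src = fields.get("Source Network Address", "")
    if src and not ipaddress.ip_address(src).is_private:
        hints.append(f"Client address {src} is public: the user was connecting off-site")
    return hints
```

Calling `triage(parse_logon_failure(SAMPLE_EVENT))` on the sample points at a service on Server-EXCH replaying a stored credential from an off-site client, which matches where the thread ended up looking.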
gf0326Author Commented:
Once I ran the tool there was a connection to the old data server still attempting to sync 'My Documents' under a different user name. I was able to unlock the account and then delete the old server from the sync set on the workstation. Thanks for the help.
0