Solved

1 User keeps getting locked out for no apparent reason

Posted on 2009-04-14
13
866 Views
Last Modified: 2012-05-06
I have 1 user that connects to Citrix Presentation Server 4.0 and while he is working in outlook 2003 for about an hour or 2, he all of a sudden sees a prompt asking him to "reconnect to mailserver".  After that, his account is locked out.

No rhyme, no reason for the disabling of his account.  As far as he has told me, he's not doing anything else but sending and receiving emails.

This also happens everyday like clock work and just started happening last week.

The only thing he can think of that he has done differently was log into Citrix from his home (personal) machine which has Windows Vista on it; which shouldn't have done anything.

Let me know if anyone has any ideas about this wierd occurance that's happening.
0
Comment
Question by:roadnrail
  • 5
  • 5
  • 2
  • +1
13 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24139473
He probably has a virus/spyware/etc. that is trying to log in as him.

Check the security event logs on your domain controllers to see which machine he's logging in from when he gets locked out.  Then get that machine off of your network until you can clean it or wipe it.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 24139717

I have seen this when passwords get out of sync on the different machines the users connects from(work, home, laptop thru vpn, etc...

Ask user if the problem started soon after changing his/her password

mesavince
0
 

Author Comment

by:roadnrail
ID: 24140104
Thanks for the quick replies.  

The machine he's connecting to from home is a new machine; which I don't know if he has AV app on it; but I'll ask.

The machines he's been trying from that our ours has AV on it and is supposed (key word there) to update itself every hour.

I did check his username and password and instructed him to ensure that ALL passwords are the same on each machine he tried to log in with.

He confirmed that they are.

Zelron22, I'll check the event log the next time this happens and let you know what shows up, if anything.
0
 

Author Comment

by:roadnrail
ID: 24140208
Ok, looking at the event log from yesterday, which was the last time it happened.  I see 5 failure audits in the Security log.
3:30 Event ID 672
3:33 Event ID 672
3:33 Event ID 680
3:33 Event ID 680
3:33 Event ID 680

Those 4 in 1 minute are probably what's causing him to be locked out.

Here is the information for 680:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            4/13/2009
Time:            3:33:21 PM
User:            NT AUTHORITY\SYSTEM
Computer:      RRS-DC1
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      DLawshe
 Source Workstation:      BELVIDERE
 Error Code:      0xC0000234
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

So it tried logging on 3 times in 8 seconds.  I'll do research on Event ID 680 and see if that opens any doors.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 24140394
To be locked out of your account requires that you have the account lockout threshold set in group policy on a windows domain.
In my domain here i have it set so that if you have 3 unsuccessful login attempts then your locked out until i reset it...
This occurs no matter if its the user trying to logon or a system service trying to log on, i suspect that the service that is trying to logon has a bad password cached somewhere and that is the reason the errors begin to popup.
im still leaning towards a password sync problem..
0
 
LVL 15

Expert Comment

by:zelron22
ID: 24141539
The source computer BELVIDERE should be the problem computer.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:roadnrail
ID: 24142216
I told him to ensure his username AND password were the same on every machine he logs into.  He said he would ,ake sure they were the same and let me know.

Thanks for the quick replies.
0
 

Author Comment

by:roadnrail
ID: 24147537
New information.  Last night he got to his hotel and reset his password to be that which he uses for Citrix.  He was able to be on all night without issue.  He turned it on this morning and worked for a few hours and then logged off and went to another location.

He opened Outlook Web Access and tried logging in and was locked out.  He didn't access anything on the local machine other than the IE browser.

Any ideas on this one?
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 24148651
Win Account Locked-Out Several Times a Day
http://www.experts-exchange.com/Networking/Misc/Q_21638672.html

Failure Events Are Logged When the Welcome Screen Is Enabled
(i wasn't sure if the laptop is his or the companies, if personal then login process could be welcome screen and not crt-alt-del)
http://support.microsoft.com/kb/q305822/
Account Lockout Tool (this is great tool...)
http://technet.microsoft.com/en-us/library/cc738772.aspx
Are there any services that run under his user account that would need to be changed explicitly?
The possibility exists that someone is attempting to login as that user unsuccessfully and locking the account that way.
You could try increasing the number of failed login attempts to see if the problem still pops up.
Is a VPN connection involved?

This is an interesting one...
0
 
LVL 38

Expert Comment

by:ChiefIT
ID: 24165185
On his/her computer, go to control pannel>>Users>>advanced tab>>managed passwords and see if there is an old saved password there for outlook logons.
0
 
LVL 10

Accepted Solution

by:
Vince Glisson earned 500 total points
ID: 24165207
Are there any mapped drives involved?
 
0
 

Author Comment

by:roadnrail
ID: 24169024
I think I may have figured it out.

Yes, there is a mapped drive involved.  But I think the issue is this.

We setup an acount for this user on the Belvidere PC.  Then shipped it out to that location and another "tech savvy" person created an account for the terminal manager when he was hired.  The problem is that there never was an account created.

The "tech savvy" person renamed the main account for the original user to the name of the new user, without creating a new account for the new user; which we told them to do.

Mapping a network drive as new user, when the username and password are for a different user causes stuff like this all the time.

I just renamed the old users account, disconnected the mapped drive and created a new account for the new terminal manager and ensured his passwords in AD and on the local machine were set to the same thing.

I think we have pin pointed the cause; but I'll let it run until Tuesday and see if it has indeed been resolved.  Thanks for everyone's help.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 24171426
yep mapped drives with the reconnect at logon checked can cause alot of trouble, as they save the old password and try to use it to login, 1 2 3 your locked out...
Seems like you did a great job trouble shooting this one roadnrail, give yourself some points...
 
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

#Citrix #Citrix Netscaler #HTTP Compression #Load Balance
Synchronize a new Active Directory domain with an existing Office 365 tenant
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This demo shows you how to set up the containerized NetScaler CPX with NetScaler Management and Analytics System in a non-routable Mesos/Marathon environment for use with Micro-Services applications.

708 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now