1 User keeps getting locked out for no apparent reason

I have 1 user that connects to Citrix Presentation Server 4.0 and while he is working in outlook 2003 for about an hour or 2, he all of a sudden sees a prompt asking him to "reconnect to mailserver".  After that, his account is locked out.

No rhyme, no reason for the disabling of his account.  As far as he has told me, he's not doing anything else but sending and receiving emails.

This also happens everyday like clock work and just started happening last week.

The only thing he can think of that he has done differently was log into Citrix from his home (personal) machine which has Windows Vista on it; which shouldn't have done anything.

Let me know if anyone has any ideas about this wierd occurance that's happening.
Who is Participating?

Improve company productivity with a Business Account.Sign Up

Vince GlissonConnect With a Mentor OwnerCommented:
Are there any mapped drives involved?
He probably has a virus/spyware/etc. that is trying to log in as him.

Check the security event logs on your domain controllers to see which machine he's logging in from when he gets locked out.  Then get that machine off of your network until you can clean it or wipe it.
Vince GlissonOwnerCommented:

I have seen this when passwords get out of sync on the different machines the users connects from(work, home, laptop thru vpn, etc...

Ask user if the problem started soon after changing his/her password

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

roadnrailAuthor Commented:
Thanks for the quick replies.  

The machine he's connecting to from home is a new machine; which I don't know if he has AV app on it; but I'll ask.

The machines he's been trying from that our ours has AV on it and is supposed (key word there) to update itself every hour.

I did check his username and password and instructed him to ensure that ALL passwords are the same on each machine he tried to log in with.

He confirmed that they are.

Zelron22, I'll check the event log the next time this happens and let you know what shows up, if anything.
roadnrailAuthor Commented:
Ok, looking at the event log from yesterday, which was the last time it happened.  I see 5 failure audits in the Security log.
3:30 Event ID 672
3:33 Event ID 672
3:33 Event ID 680
3:33 Event ID 680
3:33 Event ID 680

Those 4 in 1 minute are probably what's causing him to be locked out.

Here is the information for 680:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            4/13/2009
Time:            3:33:21 PM
User:            NT AUTHORITY\SYSTEM
Computer:      RRS-DC1
 Logon account:      DLawshe
 Source Workstation:      BELVIDERE
 Error Code:      0xC0000234
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

So it tried logging on 3 times in 8 seconds.  I'll do research on Event ID 680 and see if that opens any doors.
Vince GlissonOwnerCommented:
To be locked out of your account requires that you have the account lockout threshold set in group policy on a windows domain.
In my domain here i have it set so that if you have 3 unsuccessful login attempts then your locked out until i reset it...
This occurs no matter if its the user trying to logon or a system service trying to log on, i suspect that the service that is trying to logon has a bad password cached somewhere and that is the reason the errors begin to popup.
im still leaning towards a password sync problem..
The source computer BELVIDERE should be the problem computer.
roadnrailAuthor Commented:
I told him to ensure his username AND password were the same on every machine he logs into.  He said he would ,ake sure they were the same and let me know.

Thanks for the quick replies.
roadnrailAuthor Commented:
New information.  Last night he got to his hotel and reset his password to be that which he uses for Citrix.  He was able to be on all night without issue.  He turned it on this morning and worked for a few hours and then logged off and went to another location.

He opened Outlook Web Access and tried logging in and was locked out.  He didn't access anything on the local machine other than the IE browser.

Any ideas on this one?
Vince GlissonOwnerCommented:
Win Account Locked-Out Several Times a Day

Failure Events Are Logged When the Welcome Screen Is Enabled
(i wasn't sure if the laptop is his or the companies, if personal then login process could be welcome screen and not crt-alt-del)
Account Lockout Tool (this is great tool...)
Are there any services that run under his user account that would need to be changed explicitly?
The possibility exists that someone is attempting to login as that user unsuccessfully and locking the account that way.
You could try increasing the number of failed login attempts to see if the problem still pops up.
Is a VPN connection involved?

This is an interesting one...
On his/her computer, go to control pannel>>Users>>advanced tab>>managed passwords and see if there is an old saved password there for outlook logons.
roadnrailAuthor Commented:
I think I may have figured it out.

Yes, there is a mapped drive involved.  But I think the issue is this.

We setup an acount for this user on the Belvidere PC.  Then shipped it out to that location and another "tech savvy" person created an account for the terminal manager when he was hired.  The problem is that there never was an account created.

The "tech savvy" person renamed the main account for the original user to the name of the new user, without creating a new account for the new user; which we told them to do.

Mapping a network drive as new user, when the username and password are for a different user causes stuff like this all the time.

I just renamed the old users account, disconnected the mapped drive and created a new account for the new terminal manager and ensured his passwords in AD and on the local machine were set to the same thing.

I think we have pin pointed the cause; but I'll let it run until Tuesday and see if it has indeed been resolved.  Thanks for everyone's help.
Vince GlissonOwnerCommented:
yep mapped drives with the reconnect at logon checked can cause alot of trouble, as they save the old password and try to use it to login, 1 2 3 your locked out...
Seems like you did a great job trouble shooting this one roadnrail, give yourself some points...
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.