Solved

1 User keeps getting locked out for no apparent reason

Posted on 2009-04-14
Last Modified: 2012-05-06
I have 1 user that connects to Citrix Presentation Server 4.0 and while he is working in Outlook 2003 for about an hour or 2, he all of a sudden sees a prompt asking him to "reconnect to mailserver".  After that, his account is locked out.

No rhyme, no reason for the disabling of his account.  As far as he has told me, he's not doing anything else but sending and receiving emails.

This also happens every day like clockwork and just started happening last week.

The only thing he can think of that he has done differently was log into Citrix from his home (personal) machine which has Windows Vista on it; which shouldn't have done anything.

Let me know if anyone has any ideas about this weird occurrence that's happening.
Question by:roadnrail
13 Comments
 
LVL 15

Expert Comment

by:zelron22
ID: 24139473
He probably has a virus/spyware/etc. that is trying to log in as him.

Check the security event logs on your domain controllers to see which machine he's logging in from when he gets locked out.  Then get that machine off of your network until you can clean it or wipe it.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 24139717

I have seen this when passwords get out of sync on the different machines the user connects from (work, home, laptop through VPN, etc.).

Ask the user if the problem started soon after changing his/her password.

mesavince
0
 

Author Comment

by:roadnrail
ID: 24140104
Thanks for the quick replies.  

The machine he's connecting to from home is a new machine; which I don't know if he has an AV app on it; but I'll ask.

The machines he's been trying from that are ours have AV on them and are supposed (key word there) to update themselves every hour.

I did check his username and password and instructed him to ensure that ALL passwords are the same on each machine he tried to log in with.

He confirmed that they are.

Zelron22, I'll check the event log the next time this happens and let you know what shows up, if anything.
0

 

Author Comment

by:roadnrail
ID: 24140208
Ok, looking at the event log from yesterday, which was the last time it happened.  I see 5 failure audits in the Security log.
3:30 Event ID 672
3:33 Event ID 672
3:33 Event ID 680
3:33 Event ID 680
3:33 Event ID 680

Those 4 in 1 minute are probably what's causing him to be locked out.

Here is the information for 680:
Event Type:      Failure Audit
Event Source:      Security
Event Category:      Account Logon
Event ID:      680
Date:            4/13/2009
Time:            3:33:21 PM
User:            NT AUTHORITY\SYSTEM
Computer:      RRS-DC1
Description:
Logon attempt by:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
 Logon account:      DLawshe
 Source Workstation:      BELVIDERE
 Error Code:      0xC0000234
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

So it tried logging on 3 times in 8 seconds.  I'll do research on Event ID 680 and see if that opens any doors.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 24140394
To be locked out of your account requires that you have the account lockout threshold set in group policy on a Windows domain.
In my domain here I have it set so that if you have 3 unsuccessful login attempts then you're locked out until I reset it...
This occurs no matter if it's the user trying to log on or a system service trying to log on; I suspect that the service that is trying to log on has a bad password cached somewhere and that is the reason the errors begin to pop up.
I'm still leaning towards a password sync problem...
0
 
LVL 15

Expert Comment

by:zelron22
ID: 24141539
The source computer BELVIDERE should be the problem computer.
0
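The check suggested above (find the source workstation in the domain controller's failure audits), as an added example that is not part of the original thread: it parses Event ID 680 failure audits exported as text in the field layout quoted earlier and tallies them per source workstation. Error code 0xC0000234 is STATUS_ACCOUNT_LOCKED_OUT and 0xC000006A is STATUS_WRONG_PASSWORD; the function names and every sample record except the 3:33:21 PM one are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes that appear in the "Error Code" field of Event ID 680.
NTSTATUS = {0xC0000064: "no such user",
            0xC000006A: "wrong password",
            0xC0000234: "account locked out"}

FIELD = re.compile(r"^[ \t]*(Event ID|Date|Time|Logon account|Source Workstation"
                   r"|Error Code):[ \t]*(.+?)[ \t]*$", re.M)

def parse_680_failures(text):
    """Return one dict per Event ID 680 failure audit in an exported log."""
    events = []
    for chunk in re.split(r"(?m)^Event Type:", text)[1:]:
        f = dict(FIELD.findall(chunk))
        if f.get("Event ID") != "680" or "Failure Audit" not in chunk.splitlines()[0]:
            continue
        events.append({
            "when": datetime.strptime(f"{f['Date']} {f['Time']}", "%m/%d/%Y %I:%M:%S %p"),
            "account": f["Logon account"],
            "workstation": f["Source Workstation"],
            "status": NTSTATUS.get(int(f["Error Code"], 16), f["Error Code"]),
        })
    return events

def lockout_sources(events, account, window=timedelta(minutes=1)):
    """Per source workstation: failure counts by status and the largest burst in `window`."""
    by_ws = defaultdict(list)
    for e in events:
        if e["account"].lower() == account.lower():
            by_ws[e["workstation"]].append(e)
    report = {}
    for ws, evs in by_ws.items():
        times = sorted(e["when"] for e in evs)
        burst = max(sum(s <= t < s + window for t in times) for s in times)
        report[ws] = {"burst": burst, "by_status": dict(Counter(e["status"] for e in evs))}
    return report

# Constructed sample; only the 3:33:21 PM / 0xC0000234 record mirrors the post.
_T = ("Event Type:\tFailure Audit\nEvent ID:\t680\nDate:\t\t4/13/2009\nTime:\t\t{}\n"
      "Description:\n Logon account:\t{}\n Source Workstation:\t{}\n Error Code:\t{}\n\n")
SAMPLE = "".join(_T.format(*row) for row in [
    ("3:33:13 PM", "DLawshe", "BELVIDERE", "0xC000006A"),
    ("3:33:17 PM", "DLawshe", "BELVIDERE", "0xC000006A"),
    ("3:33:21 PM", "DLawshe", "BELVIDERE", "0xC0000234"),
    ("3:40:02 PM", "jdoe", "WS-EXAMPLE", "0xC000006A"),
])
```

Calling `lockout_sources(parse_680_failures(SAMPLE), "DLawshe")` returns one entry per workstation; a burst at or above the domain's lockout threshold from a single workstation points at a stored credential on that machine.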
 

Author Comment

by:roadnrail
ID: 24142216
I told him to ensure his username AND password were the same on every machine he logs into.  He said he would make sure they were the same and let me know.

Thanks for the quick replies.
0
 

Author Comment

by:roadnrail
ID: 24147537
New information.  Last night he got to his hotel and reset his password to be that which he uses for Citrix.  He was able to be on all night without issue.  He turned it on this morning and worked for a few hours and then logged off and went to another location.

He opened Outlook Web Access and tried logging in and was locked out.  He didn't access anything on the local machine other than the IE browser.

Any ideas on this one?
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 24148651
Win Account Locked-Out Several Times a Day
http://www.experts-exchange.com/Networking/Misc/Q_21638672.html

Failure Events Are Logged When the Welcome Screen Is Enabled
(I wasn't sure if the laptop is his or the company's; if personal then the login process could be the welcome screen and not Ctrl-Alt-Del)
http://support.microsoft.com/kb/q305822/
Account Lockout Tool (this is great tool...)
http://technet.microsoft.com/en-us/library/cc738772.aspx
Are there any services that run under his user account that would need to be changed explicitly?
The possibility exists that someone is attempting to login as that user unsuccessfully and locking the account that way.
You could try increasing the number of failed login attempts to see if the problem still pops up.
Is a VPN connection involved?

This is an interesting one...
0
 
LVL 39

Expert Comment

by:ChiefIT
ID: 24165185
On his/her computer, go to Control Panel>>Users>>Advanced tab>>Manage Passwords and see if there is an old saved password there for Outlook logons.
0
 
LVL 10

Accepted Solution

by:
Vince Glisson earned 2000 total points
ID: 24165207
Are there any mapped drives involved?
 
0
 

Author Comment

by:roadnrail
ID: 24169024
I think I may have figured it out.

Yes, there is a mapped drive involved.  But I think the issue is this.

We set up an account for this user on the Belvidere PC.  Then shipped it out to that location and another "tech savvy" person created an account for the terminal manager when he was hired.  The problem is that there never was an account created.

The "tech savvy" person renamed the main account for the original user to the name of the new user, without creating a new account for the new user; which we told them to do.

Mapping a network drive as new user, when the username and password are for a different user causes stuff like this all the time.

I just renamed the old user's account, disconnected the mapped drive and created a new account for the new terminal manager and ensured his passwords in AD and on the local machine were set to the same thing.

I think we have pinpointed the cause; but I'll let it run until Tuesday and see if it has indeed been resolved.  Thanks for everyone's help.
0
 
LVL 10

Expert Comment

by:Vince Glisson
ID: 24171426
Yep, mapped drives with the reconnect at logon checked can cause a lot of trouble, as they save the old password and try to use it to log in, 1 2 3 you're locked out...
Seems like you did a great job troubleshooting this one roadnrail, give yourself some points...
 
0


Question has a verified solution.
