Unknown login attempts, locking domain account

Posted on 2009-05-01
Last Modified: 2013-12-04
My domain account keeps getting locked. We have verified someone/thing is trying to log in with my account, but the password is incorrect. I get locked out of my account several times a day. What tools/resources are available to see who/what is trying to log in?
Question by:JamesC_LaFrance
    LVL 15

    Assisted Solution

    Check the domain controllers' security logs for failed logon events, and you should see in the event what machine the logons are coming from.

    If you set up a script or service to use your account to run and recently changed your password, that would be why this is happening.
    LVL 14

    Expert Comment

    Look at the security log on one of the domain controllers.  This will give you the station that attempted to log on.

    If you have external access, look at the firewall logs to determine the IP addresses of people logging in.  This can get complex very quickly though.

    Could simply be an "oops" thing too if you move around from machine to machine a lot.  Maybe somebody behind you is typing in their password and forgetting to change the username.  Believe it or not, I have seen users repeat this same action several times before they finally give up or clue in that the username is wrong!  The easy solution here is to change security policy so that the last user's name is cleared out instead of remembered.
    LVL 38

    Expert Comment

    by:Hypercat (Deb)
    A couple of simple things you can check, if you haven't already:
    1.  Are there any services either on your workstation or on a server or device somewhere that are using your login as the service account?
    2.  Do you have a mobile device that is using your account credentials to log on and synchronize email?
    3.  Change your user login name, as well as your password.  That would prevent your account from getting locked out. Then, you can check on your server security logs, provided you have login failure auditing set up, and see when and what devices are trying to log in using the old, now invalid, user name.
    LVL 3

    Expert Comment

    I usually find that a stale terminal services session or leaving your account logged into a server and changing your password can cause this.

    As far as a tool, I find eventcomb works quite well.  Run this against your domain controller and it will pull where your account is getting locked out from.

    Eventcomb is part of the 2003 resource kit.

    Accepted Solution

    We found Exchange server and PDC got out of sync for some reason.  Forced change of password from PDC and that corrected problem.
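
Several replies above point to the domain controller's Security log as the place to find the machine behind the lockouts. The following PowerShell sketch is an added example, not part of the original thread: it pulls lockout events for one account and counts them per source machine. It assumes domain controllers running Windows Server 2008 or later (lockout event ID 4740, with account management auditing enabled); `DC01` and `jdoe` are placeholder names.

```powershell
# Added example, not from the thread. Placeholders: DC01 (domain controller), jdoe (account).
# Assumes Windows Server 2008+ event IDs: 4740 = "A user account was locked out".
function Get-LockoutSource {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [Parameter(Mandatory)] [string] $SamAccountName,
        [int] $Days = 2
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = (Get-Date).AddDays(-$Days)
    }

    try {
        # -ErrorAction Stop so "no events" and "access denied" are both reported, not hidden.
        $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction Stop
    } catch {
        Write-Warning "No 4740 events read from ${DomainController}: $($_.Exception.Message)"
        return
    }

    foreach ($e in $events) {
        # Read the EventData fields by name rather than by position.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                Time           = $e.TimeCreated
                Account        = $data['TargetUserName']
                # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
                CallerComputer = $data['TargetDomainName']
                ReportedBy     = $e.MachineName
            }
        }
    }
}

# Count lockouts per source machine, most frequent first, with the latest time seen.
Get-LockoutSource -DomainController 'DC01' -SamAccountName 'jdoe' |
    Group-Object CallerComputer |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
```

Run it from an account allowed to read the Security log on the domain controller. The machine at the top of the list is where to look for the stale session, service, or device mentioned in the replies.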
