Unknown login attempts, locking domain account

Posted on 2009-05-01
Medium Priority
Last Modified: 2013-12-04
My domain account keeps getting locked. We have verified someone/thing is trying to log in with my account, but the password is incorrect. I get locked out of my account several times a day. What tools/resources are available to see who/what is trying to log in?
Question by: JamesC_LaFrance

Assisted Solution

zelron22 earned 80 total points
ID: 24280448
Check the domain controllers security logs for failed logon events, and you should see in the event what machine the logons are coming from.  

If you set up a script or service to use your account to run and recently changed your password, that would be why this is happening.

Expert Comment

ID: 24280454
Look at the security log on one of the domain controllers.  This will give you the station that attempted to log on.

If you have external access, look at the firewall logs to determine the IP addresses of people logging in.  This can get complex very quickly though.

Could simply be an "oops" thing too if you move around from machine to machine a lot.  Maybe somebody behind you is typing in their password and forgetting to change the username.  Believe it or not, I have seen users repeat this same action several times before they finally give up or clue in that the username is wrong!  The easy solution here is to change security policy so that the last user's name is cleared out instead of remembered.

Expert Comment

by:Hypercat (Deb)
ID: 24280513
A couple of simple things you can check, if you haven't already:
1.  Are there any services either on your workstation or on a server or device somewhere that are using your login as the service account?
2.  Do you have a mobile device that is using your account credentials to log on and synchronize email?
3.  Change your user login name, as well as your password.  That would prevent your account from getting locked out. Then, you can check on your server security logs, provided you have login failure auditing set up, and see when and what devices are trying to log in using the old, now invalid, user name.

Expert Comment

ID: 24280683
I usually find that a stale terminal services session or leaving your account logged into a server and changing your password can cause this.

As far as a tool, I find eventcomb works quite well.  Run this against your domain controller and it will pull where your account is getting locked out from.


Eventcomb is part of the 2003 resource kit.
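
The security-log check suggested in the answers above, as an added PowerShell example that is not part of any poster's reply: it reads lockout events (ID 4740) exported as XML and counts them per calling computer for one account. It assumes Windows Server 2008 or later event IDs and field names; the function name `Get-LockoutSource`, the account `jdoe` and the host names are constructed for illustration.

```powershell
# Added example. Event 4740 and its field names apply to Windows Server 2008 and later.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [string[]] $EventXml,
        [Parameter(Mandatory)] [string] $User
    )
    process {
        foreach ($text in $EventXml) {
            $e  = ([xml]$text).Event
            $id = $e.System.EventID
            if ($id -isnot [string]) { $id = $id.'#text' }   # EventID may carry attributes
            if ($id -ne '4740') { continue }                 # keep lockout events only
            # Flatten the <Data Name="...">value</Data> pairs into a lookup table
            $data = @{}
            foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($data['TargetUserName'] -ne $User) { continue }
            [pscustomobject]@{
                Time             = $e.System.TimeCreated.SystemTime
                DomainController = $e.System.Computer
                User             = $data['TargetUserName']
                # In 4740 the "Caller Computer Name" is stored in TargetDomainName
                CallerComputer   = $data['TargetDomainName']
            }
        }
    }
}

# Constructed sample events (not from the page); all names and times are made up.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
    '<EventID>4740</EventID><TimeCreated SystemTime="{0}"/>' +
    '<Computer>DC01.example.local</Computer></System><EventData>' +
    '<Data Name="TargetUserName">{1}</Data><Data Name="TargetDomainName">{2}</Data>' +
    '</EventData></Event>'
$sample = @(
    ($template -f '2009-05-01T13:02:11Z', 'jdoe',   'EXCH01'),
    ($template -f '2009-05-01T13:40:57Z', 'jdoe',   'EXCH01'),
    ($template -f '2009-05-01T14:05:03Z', 'asmith', 'WS-042')
)

# Which machine is locking out jdoe most often?
$sample | Get-LockoutSource -User 'jdoe' |
    Group-Object CallerComputer | Sort-Object Count -Descending | Select-Object Count, Name

# Against a live domain controller ($Dc is a placeholder for its host name):
# Get-WinEvent -ComputerName $Dc -FilterHashtable @{LogName='Security'; Id=4740} |
#     ForEach-Object { $_.ToXml() } | Get-LockoutSource -User 'jdoe'
```

Lockout events are written on the domain controller that processed the lockout and on the PDC emulator, so the PDC emulator's Security log is the usual place to run the live query.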

Accepted Solution

JamesC_LaFrance earned 0 total points
ID: 24398009
We found Exchange server and PDC got out of sync for some reason.  Forced change of password from PDC and that corrected problem.
