digitalandy
asked on
Account Lockouts - No explanation
Hi,
We've been having a problem with one specific user whose AD account keeps getting locked out for no apparent reason:
- User is not an admin
- User has no access to terminal servers/remote desktops/etc
- We use a proxy.pac that requires no authentication, etc.
This user gets locked out about 10 times every day, sometimes even more. And most of the time she is not even at her PC, with no apps open at all.
What I have tried:
- Recreated User Profile
- Rebuilt PC using a vanilla Image
- My last task was completely deleting her account from AD - including mailbox - and creating a different logon account with same email address (but new mailbox with imported emails) - but it is still getting locked out.
Any help? I must confess I am running out of ideas ...
Many Thanks!!!!!!
This article might be useful to you:
http://technet.microsoft.com/en-us/windowsserver/cc730383.aspx
Does the user have a PDA/Cellphone/Blackberry with access to exchange or OWA? If the password is not set correctly on this device and push email is set to always on or at least regular intervals, the account will lock out in the manner that you are describing.
These devices are often overlooked.
ASKER
Guys,
thank you so much for your help ... I enabled the settings required but the values that I get from the debug log file seem rather different from the ones quoted in the article ...
Any help?
Blue8: User has no Blackberry/iPhone or any other device with push capabilities.
the problem is in the computer, format the damn computer
Have you looked in the security log for the user to see from what system she is getting locked out from?
Please post the log file so we can see what is happening
ASKER
Hi ! Thanks again !
I am adding the entries generated by the log file .. those entries match exactly the time the user got locked out. Please note I only renamed to XXX confidential data related to our network.
Many thanks !!!
Robert
log.txt
I was hoping for the security logs from the domain controller to show error numbers and other useful info. Something like the following:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 9/25/2009 10:26:29 AM
Event ID: 4648
Task Category: Logon
Level: Information
Keywords: Audit Success
User: N/A
Computer: <computer name>
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: SYSTEM
Account Name: <account name>
Account Domain: <Domain name>
Logon ID: 0x3e7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: <account name>
Account Domain: <Domain name>
Logon GUID: {7b373f26-aec9-df83-9c81-a9dc163ea9b9}
Target Server:
Target Server Name: localhost
Additional Information: localhost
Process Information:
Process ID: 0x308
Process Name: C:\Windows\System32\lsass.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that accounts credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4648</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2009-09-25T16:26:29.851Z" />
<EventRecordID>28776989</EventRecordID>
<Correlation />
<Execution ProcessID="776" ThreadID="7432" />
<Channel>Security</Channel>
<Computer><computer name></Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName"><account name></Data>
<Data Name="SubjectDomainName"><Domain name></Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserName"><account name></Data>
<Data Name="TargetDomainName"><Domain name></Data>
<Data Name="LogonGuid">{7B373F26-AEC9-DF83-9C81-A9DC163EA9B9}</Data>
<Data Name="TargetServerName">localhost</Data>
<Data Name="TargetInfo">localhost</Data>
<Data Name="ProcessId">0x308</Data>
<Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
<Data Name="IpAddress">-</Data>
<Data Name="IpPort">-</Data>
</EventData>
</Event>
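As an added example (not from the thread or from Microsoft), a small parser for 4648 events in the XML shape quoted above: it pulls out the account whose credentials were presented, the process that presented them and the host, and tallies which process on which machine keeps using a given account. The event below is constructed; host, account and the program path are placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed 4648 event (same element layout as the sample above; all values are placeholders).
SAMPLE_4648 = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4648</EventID>
    <TimeCreated SystemTime="2009-09-25T16:26:29.851Z" />
    <Computer>WKS-FIN-07.example.local</Computer>
  </System>
  <EventData>
    <Data Name="SubjectUserName">WKS-FIN-07$</Data>
    <Data Name="SubjectDomainName">XXX</Data>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">XXX</Data>
    <Data Name="TargetServerName">localhost</Data>
    <Data Name="ProcessId">0x308</Data>
    <Data Name="ProcessName">C:\\Program Files\\ExampleSync\\sync.exe</Data>
    <Data Name="IpAddress">-</Data>
  </EventData>
</Event>"""

def parse_4648(xml_text):
    """Return the fields that matter for a lockout hunt, or None if this is not a 4648 event."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4648":
        return None
    # EventData is a flat list of <Data Name="..."> elements; index them by Name.
    data = {d.get("Name"): (d.text or "") for d in root.iterfind("e:EventData/e:Data", NS)}
    return {
        "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
        "computer": root.findtext("e:System/e:Computer", namespaces=NS),
        "caller": f'{data["SubjectDomainName"]}\\{data["SubjectUserName"]}',
        "target": f'{data["TargetDomainName"]}\\{data["TargetUserName"]}',
        "process": data["ProcessName"],
    }

def processes_using_account(events_xml, account):
    """Count (host, process) pairs that presented explicit credentials for DOMAIN\\user."""
    hits = {}
    for xml_text in events_xml:
        ev = parse_4648(xml_text)
        if ev and ev["target"].lower() == account.lower():
            key = (ev["computer"], ev["process"])
            hits[key] = hits.get(key, 0) + 1
    return hits
```

Feed it the XML view of every 4648 from the user's workstation around each lockout time; the process that shows up repeatedly is the one holding the old password.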
I'd turn on USERENV debugging on a client where the logout issue is and see what comes up there. Create a registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" and under that key, add a REG_DWORD value "RunDiagnosticLoggingGlobal" set to 1. That'll throw massive USERENV logging information into the event log. Set that, then bounce the machine with a "gpupdate /sync /boot" and have a look. ( I'm assuming you've set "Always wait for the network at computer startup and logon" to "Enabled" already.)
Then post the results
@avcompinc:
I think the 1st problem here is that we don't know where the problem is originating. Getting the logs from the DC will show where the connection attempt is being made.
true pand0ra usa, both would narrow the event down. From the netlogon debug it could be a possible cache issue on the DC (he has made several changes in a short period of time on the local PC and user accounts on the DC) but I did not want to make that assumption without further evidence. Flushing the cache takes a bit of time to recoup from and I didn't want to cause unnecessary lag due to one machine. Both the security log from the DC and the USERENV debug from the local user computer would greatly enhance the troubleshooting.
ASKER
Hi Guys,
once again, the user logged on when coming back from lunch and her machine account got locked out totally unbeknownst to her - she didn't realise because she was working on an Excel spreadsheet ... I couldn't help noticing that she is connected to two replicated DCs at the same time: one of them is the DC which we use for our voicemail systems - but again - so is everyone else and they don't get locked out that often.
I am sending the logs from the DC.
Again, thank you very much guys - I am learning a lot about this from here !
RW
Lockout.JPG
ASKER CERTIFIED SOLUTION
ASKER
Sorry guys,
I've been out on a course and I didn't have time to look the posts here ... I will get back to you as soon as I return this coming Monday.
RW
ASKER
It turns out user had a process running from her local PC using her credentials ... From the tips I got from the user I was able to check the log and then, find out which process was causing the system to lock the user out.
http://support.microsoft.com/kb/109626
The above step will help us in identifying the problem. One of the biggest reasons for that is always some kind of application which tried to use the changed password and locks it after 5 unsuccessful attempts; that could be a time sync application or a network share or mail application. We will have to isolate that by running the debug logging.
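As an added example (not from the thread or from KB109626), a parser for the Net Logon debug log that the KB article enables: it normalises the status codes, which is what made the asker's values look "rather different" from the article's, and counts bad-password attempts per source host so the machine holding the stale credential can be found. The log lines are constructed; host names, accounts and times are made up.

```python
import re
from collections import Counter

# Constructed sample in the format of %SystemRoot%\debug\netlogon.log (not the asker's log.txt).
SAMPLE_NETLOGON_LOG = """\
09/25 10:26:29 [LOGON] SamLogon: Network logon of XXX\\jsmith from WKS-FIN-07 (via DC01) Entered
09/25 10:26:29 [LOGON] SamLogon: Network logon of XXX\\jsmith from WKS-FIN-07 (via DC01) Returns 0xC000006A
09/25 10:26:31 [LOGON] SamLogon: Network logon of XXX\\jsmith from WKS-FIN-07 (via DC01) Returns 0xC000006A
09/25 10:26:33 [LOGON] SamLogon: Network logon of XXX\\jsmith from WKS-FIN-07 (via DC01) Returns 0xC000006A
09/25 10:26:35 [LOGON] SamLogon: Network logon of XXX\\jsmith from WKS-FIN-07 (via DC01) Returns 0xC0000234
09/25 10:27:02 [LOGON] SamLogon: Interactive logon of XXX\\bjones from WKS-SAL-02 (via DC01) Returns 0x0
"""

# NT status codes that matter when chasing a lockout.
STATUS_MEANING = {
    "0x0": "success",
    "0xC000006A": "wrong password (counts toward the lockout threshold)",
    "0xC0000234": "account locked out",
}

# Every attempt writes an "Entered" line and a "Returns <status>" line; only the latter is useful.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: (?P<kind>.+?) logon of "
    r"(?P<account>\S+) from (?P<source>\S+) \(via (?P<dc>\S+)\) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def normalize_status(code):
    """Upper-case and zero-pad to 8 hex digits; the log mixes 0x0 with 0xc000006a-style values."""
    value = int(code, 16)
    return "0x0" if value == 0 else "0x%08X" % value

def parse_netlogon(text):
    """One dict per 'Returns' line; 'Entered' lines carry no status and are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = m.groupdict()
            e["status"] = normalize_status(e["status"])
            e["meaning"] = STATUS_MEANING.get(e["status"], "other NT status")
            events.append(e)
    return events

def lockout_sources(events, account):
    """Bad-password attempts per source host for one account: that host holds the stale credential."""
    bad = Counter()
    for e in events:
        if e["account"].lower() == account.lower() and e["status"] == "0xC000006A":
            bad[e["source"]] += 1
    return bad
```

Run it over the netlogon.log from the DC that reported the lockout; the host with the bad-password count is where to look for the scheduled task, mapped drive, service or mail client still using the old password.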