digitalandy asked:
Account Lockouts - No explanation

Hi,

We've been having a problem with one specific user whose AD account keeps getting locked out for no apparent reason:

 - User is not an admin
 - User has no access to terminal servers/remote desktops/etc
 - We use a proxy.pac that requires no authentication, etc.

This user gets locked out about 10 times every day, sometimes even more. And most of the time she is not even at her PC, with no apps open at all.

What I have tried:

- Recreated User Profile
- Rebuilt PC using a vanilla Image
- My last task was completely deleting her account from AD - including mailbox - and creating a different logon account with same email address (but new mailbox with imported emails) - but it is still getting locked out.

Any help? I must confess I am running out of ideas ...

Many Thanks!!!!!!
amit_gokharu:

First of all, enable debug logging for the Netlogon service. Use the following KB to turn up the logging:

http://support.microsoft.com/kb/109626

The above step will help us in identifying the problem. One of the biggest reasons for this is always some kind of application which tries to use the changed password and locks the account after 5 unsuccessful attempts; that could be a time sync application, a network share or a mail application. We will have to isolate that by running the debug logging.
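The procedure above in working form, as an added example that is not part of the thread or the KB article: turn on Netlogon debug logging on a domain controller, then pull the failed logons for one account out of netlogon.log and group them by source machine. The account name jsmith, the machine names and the sample log lines are constructed for the example; the log format and the 0x2080ffff mask are the documented ones.

```powershell
# Added example, not from the thread or the KB article: enable Netlogon
# debug logging on a domain controller and pull the failed logons for one
# account out of netlogon.log. Run elevated on the DC (the PDC emulator is
# the best place, since it sees every bad password in the domain).
# Assumptions not in the original post: the account is jsmith and the log
# is in the default location.

$User    = 'jsmith'
$LogPath = "$env:windir\debug\netlogon.log"

# 1. Turn on verbose logging. 0x2080ffff is the "log everything" mask from
#    KB 109626; nltest writes it to
#    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\DBFlag.
#    Turn it off again afterwards with:  nltest /dbflag:0x0
nltest /dbflag:0x2080ffff | Out-Null

# 2. Each authentication attempt produces a line of the form
#      MM/DD HH:MM:SS [LOGON] DOMAIN: SamLogon: <type> logon of DOMAIN\user
#        from CLIENT (via SERVER) Returns 0xC000006A
#    "from" is the machine that submitted the credential and "via" the
#    member server that forwarded it; the NTSTATUS at the end says why.
$pattern = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*logon of (?<dom>[^\\]+)\\(?<user>\S+) from (?<src>\S+) .*Returns (?<code>0x[0-9A-Fa-f]+)'
$meaning = @{
    '0xC000006A' = 'bad password'
    '0xC0000234' = 'account locked out'
    '0xC0000064' = 'no such user'
    '0xC0000072' = 'account disabled'
}

function Get-NetlogonFailures {
    param([string[]]$Lines, [string]$User)
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        if ($Matches.user -ine $User -or $Matches.code -eq '0x0') { continue }
        $why = if ($meaning.ContainsKey($Matches.code)) { $meaning[$Matches.code] } else { 'other failure' }
        [pscustomobject]@{
            Time    = $Matches.ts
            Source  = $Matches.src
            Status  = $Matches.code
            Meaning = $why
        }
    }
}

# Constructed sample lines (not real log data) so the parser can be checked
# before the next lockout happens. The "Entered" line has no status and is
# skipped; the last line is a success for a different user.
$sample = @(
    '09/25 12:31:05 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WKS-0431 (via FILESRV01) Entered'
    '09/25 12:31:05 [LOGON] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WKS-0431 (via FILESRV01) Returns 0xC000006A'
    '09/25 12:31:06 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WKS-0431 Returns 0xC000006A'
    '09/25 12:31:09 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WKS-0431 Returns 0xC0000234'
    '09/25 12:32:00 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\bjones from WKS-0102 Returns 0x0'
)
Get-NetlogonFailures -Lines $sample -User $User | Format-Table -AutoSize

# 3. Against the live log once a lockout has reproduced: count failures per
#    source machine and status, which is usually enough to name the culprit.
if (Test-Path $LogPath) {
    Get-NetlogonFailures -Lines (Get-Content $LogPath) -User $User |
        Group-Object Source, Status |
        Select-Object Count, Name
}
```

Two things to keep in mind: the log rolls over to netlogon.bak at 20 MB by default, so check both files if the DC is busy, and the "from" host is only as good as the name the member server reported; for a "via" line the next stop is that server's own Security log.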
Blue8:
Does the user have a PDA/Cellphone/Blackberry with access to exchange or OWA? If the password is not set correctly on this device and push email is set to always on or at least regular intervals, the account will lock out in the manner that you are describing.

These devices are often overlooked.
digitalandy (asker):
Guys,

thank you so much for your help ... I enabled the settings required, but the values that I get from the debug log file seem rather different from the ones quoted in the article ...

Any help?

Blue8: User has no Blackberry/Iphone or any other device with push capabilities.

the problem is in the computer, format the damn computer
Have you looked in the security log for the user to see from what system she is getting locked out from?
Please post the log file so we can see what is happening
Hi ! Thanks again !

I am adding the entries generated by the log file .. those entries match exactly the time the user got locked out. Please note I only renamed to XXX confidential data related to our network.

Many thanks !!!

Robert


(attachment: log.txt)
I was hoping for the security logs from the domain controller to show error numbers and other useful info. Something like the following:


Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          9/25/2009 10:26:29 AM
Event ID:      4648
Task Category: Logon
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      <computer name>
Description:
A logon was attempted using explicit credentials.

Subject:
    Security ID:        SYSTEM
    Account Name:        <account name>
    Account Domain:        <Domain name>
    Logon ID:        0x3e7
    Logon GUID:        {00000000-0000-0000-0000-000000000000}

Account Whose Credentials Were Used:
    Account Name:        <account name>
    Account Domain:        <Domain name>
    Logon GUID:        {7b373f26-aec9-df83-9c81-a9dc163ea9b9}

Target Server:
    Target Server Name:    localhost
    Additional Information:    localhost

Process Information:
    Process ID:        0x308
    Process Name:        C:\Windows\System32\lsass.exe

Network Information:
    Network Address:    -
    Port:            -

This event is generated when a process attempts to log on an account by explicitly specifying that account's credentials.  This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
    <EventID>4648</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12544</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8020000000000000</Keywords>
    <TimeCreated SystemTime="2009-09-25T16:26:29.851Z" />
    <EventRecordID>28776989</EventRecordID>
    <Correlation />
    <Execution ProcessID="776" ThreadID="7432" />
    <Channel>Security</Channel>
    <Computer><computer name></Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName"><account name></Data>
    <Data Name="SubjectDomainName"><Domain name></Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
    <Data Name="TargetUserName"><account name></Data>
    <Data Name="TargetDomainName"><Domain name></Data>
    <Data Name="LogonGuid">{7B373F26-AEC9-DF83-9C81-A9DC163EA9B9}</Data>
    <Data Name="TargetServerName">localhost</Data>
    <Data Name="TargetInfo">localhost</Data>
    <Data Name="ProcessId">0x308</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">-</Data>
    <Data Name="IpPort">-</Data>
  </EventData>
</Event>
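The correlation the post above asks for, as an added example that is not part of the thread: start from the DC's Security log to find which computer is sending the bad password, then read that computer's log for the process that submitted it. The DC name DC01, the account jsmith and the 24-hour window are assumptions not in the original post; the event IDs and field names are the Vista/Server 2008 ones (4740 lockout, 4771/4776 bad password on the DC, 4625/4648 on the client, the last of which is the event pasted above).

```powershell
# Added example, not part of the original thread. Starting from the DC
# Security log, find which computer is sending the bad password for one
# account, then look on that computer for the process that submitted it.
# Assumptions not in the original post: the DC is DC01, the account is
# jsmith, Vista/2008-era event IDs are in use, "Audit account logon
# events" and "Audit account management" are enabled on the DC, and remote
# event-log reads are allowed (Remote Event Log Management firewall rule,
# admin rights on the target machines).

$User  = 'jsmith'
$DC    = 'DC01'
$Since = (Get-Date).AddHours(-24)

# Flatten the <EventData> of a Security event into a hashtable keyed by Data Name.
function ConvertFrom-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Step 1: 4740 "A user account was locked out" on the DC. The PDC emulator
# sees every lockout, so query that DC if you have several. Quirk: the
# caller computer name is stored in the TargetDomainName field of 4740.
function Get-LockoutSources {
    param([string]$User, [string]$DC, [datetime]$Since)
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $Since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.TargetUserName -ieq $User) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                LockedAccount  = $d.TargetUserName
                CallerComputer = $d.TargetDomainName
            }
        }
    }
}

# Step 2: the bad-password attempts that led up to it, also on the DC.
# 4771 = Kerberos pre-authentication failure (Status 0x18 = wrong password),
# carries the client IP. 4776 = NTLM credential validation
# (Status 0xC000006A = wrong password), carries the workstation name.
function Get-BadPasswordAttempts {
    param([string]$User, [string]$DC, [datetime]$Since)
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776; StartTime = $Since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.TargetUserName -ieq $User -and $d.Status -in '0x18', '0xc000006a') {
            $isKerb = ($_.Id -eq 4771)
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Protocol = if ($isKerb) { 'Kerberos' } else { 'NTLM' }
                Source   = if ($isKerb) { $d.IpAddress } else { $d.Workstation }
                Status   = $d.Status
            }
        }
    }
}

# Step 3: on the caller computer, 4625 (logon failure) and 4648 (logon with
# explicit credentials, the event quoted above) both carry the Process Name
# that handed over the credential. A 4625 with Status 0xC000006A, or a 4648
# from something other than lsass.exe/winlogon.exe, points at the culprit.
function Get-ClientCredentialUse {
    param([string]$Computer, [string]$User, [datetime]$Since)
    Get-WinEvent -ComputerName $Computer -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4648; StartTime = $Since } |
    ForEach-Object {
        $d = ConvertFrom-EventData $_
        if ($d.TargetUserName -ieq $User) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Process   = $d.ProcessName
                LogonType = $d.LogonType
                Status    = $d.Status
                Target    = $d.TargetServerName
            }
        }
    }
}

$lockouts = Get-LockoutSources -User $User -DC $DC -Since $Since
$lockouts | Format-Table -AutoSize
Get-BadPasswordAttempts -User $User -DC $DC -Since $Since |
    Group-Object Protocol, Source | Select-Object Count, Name

foreach ($src in ($lockouts | ForEach-Object CallerComputer | Sort-Object -Unique)) {
    "--- credential use on $src ---"
    Get-ClientCredentialUse -Computer $src -User $User -Since $Since | Format-Table -AutoSize
}
```

The caller computer in 4740 is whoever presented the credential to the DC, which is often a member server (Exchange, a file server) rather than the user's PC; in that case repeat step 3 on that server and use the Workstation Name / Network Address fields of its 4625 events to get one hop closer to the real source.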
I'd turn on USERENV debugging on a client where the logout issue is and see what comes up there. Create a registry key "HKLM\Software\Microsoft\Windows NT\CurrentVersion\Diagnostics" and under that key, add a REG_DWORD value "RunDiagnosticLoggingGlobal" set to 1. That'll throw massive USERENV logging information into the event log. Set that, then bounce the machine with a "gpupdate /sync /boot" and have a look. ( I'm assuming you've set "Always wait for the network at computer startup and logon" to "Enabled" already.)

Then post the results
@avcompinc:
I think the 1st problem here is that we don't know where the problem is originating. Getting the logs from the DC will show where the connection attempt is being made.
True, pand0ra_usa, both would narrow the event down. From the Netlogon debug it could be a possible cache issue on the DC (he has made several changes in a short period of time on the local PC and user accounts on the DC), but I did not want to make that assumption without further evidence. Flushing the cache takes a bit of time to recoup from and I didn't want to cause unnecessary lag due to one machine. Both the security log from the DC and USERENV debug from the local user computer would greatly enhance the troubleshooting.
Hi Guys,

once again, the user logged on when coming back from lunch and her machine account got locked out totally unbeknownst to her - she didn't realise because she was working on an Excel spreadsheet ... I couldn't help noticing that she is connected to two replicated DCs at the same time: one of them is the DC which we use for our voicemail systems - but again - so is everyone else and they don't get locked out that often.

I am sending the logs from the DC.

Again, thank you very much guys - I am learning a lot about this from here !

RW
(attachment: Lockout.JPG)
ASKER CERTIFIED SOLUTION
Avatar of pand0ra_usa
pand0ra_usa
This solution is only available to members.
Sorry guys,

I've been out on a course and I didn't have time to look the posts here ... I will get back to you as soon as I return this coming Monday.

RW
It turns out user had a process running from her local PC using her credentials ... From the tips I got from the user I was able to check the log and then, find out which process was causing the system to lock the user out.
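Given that the answer turned out to be a process on the user's own PC replaying her credentials, here is an added example (not from the thread) of the client-side inventory that finds such a thing directly instead of waiting for the next lockout: processes, services, scheduled tasks, mapped drives and saved credentials that hold the account. Domain CONTOSO and account jsmith are assumed names; it needs PowerShell 3 or later and an elevated prompt.

```powershell
# Added example, not part of the original thread: on the affected PC, list
# the places a user's password is commonly stored or replayed, so a stale
# credential can be found without waiting for the next lockout.
# Run elevated on the client. Assumed names (not in the original post):
# domain CONTOSO, account jsmith.

$Domain = 'CONTOSO'
$User   = 'jsmith'
# Matches CONTOSO\jsmith, .\jsmith, jsmith and jsmith@<anything>.
$acct   = "(^|\\)$([regex]::Escape($User))(@|$)"

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Kind, [string]$Name, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Kind = $Kind; Name = $Name; Detail = $Detail })
}

# 1. Processes running as the account. An application started with runas,
#    or left over from an earlier session, keeps using whatever password it
#    was given; this is the pattern the thread ended up finding.
foreach ($p in Get-CimInstance Win32_Process) {
    $o = Invoke-CimMethod -InputObject $p -MethodName GetOwner
    if ($o.Domain -ieq $Domain -and $o.User -ieq $User) {
        Add-Finding 'Process' "$($p.Name) (PID $($p.ProcessId))" $p.CommandLine
    }
}

# 2. Services whose logon account is the user.
foreach ($s in Get-CimInstance Win32_Service) {
    if ($s.StartName -and $s.StartName -match $acct) {
        Add-Finding 'Service' $s.Name "StartName=$($s.StartName) State=$($s.State)"
    }
}

# 3. Scheduled tasks that run as the user. schtasks works on every Windows
#    version (Get-ScheduledTask only exists from Windows 8 / Server 2012).
schtasks /query /fo csv /v 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $acct } |
    ForEach-Object {
        Add-Finding 'ScheduledTask' $_.TaskName "NextRun=$($_.'Next Run Time') Status=$($_.Status)"
    }

# 4. Mapped drives connected with explicit credentials.
foreach ($n in Get-CimInstance Win32_NetworkConnection) {
    if ($n.UserName -match $acct) {
        Add-Finding 'MappedDrive' $n.LocalName "$($n.RemoteName) as $($n.UserName)"
    }
}

# 5. Credentials saved in Credential Manager. cmdkey reads the vault of the
#    user running it, so run this part inside the affected user's session.
$target = $null
foreach ($line in (cmdkey /list 2>$null)) {
    if ($line -match '^\s*Target:\s*(.+)$') {
        $target = $Matches[1].Trim()
    }
    elseif ($line -match '^\s*User:\s*(.+)$' -and $Matches[1].Trim() -match $acct) {
        Add-Finding 'SavedCredential' $target "User=$($Matches[1].Trim())"
    }
}

$findings | Sort-Object Kind | Format-Table -AutoSize
```

Anything this lists that still holds the pre-change password is a candidate; for a long-running process the quickest confirmation is to end it and see whether the bad-password events on the DC stop.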