Account being locked out ever few minutes

We are using WIndows 03 on a domain, with all the users using XP machines.  On Friday, one of our users changed her password and now something is causing her account to be locked out on the local DC ever few moments.  She's not an outlook user, and other than mapped drives there isn't any other reason we can think of that her PC should be trying to log on to the server so often.  Is there a service or something that uses credentials to talk to the server that I don't know about?
LVL 1
adml_shakeAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Wes MillerIT  SupportCommented:
On her machine from command type:
netsh ras set tracing * enabled
Let her system be until the lock out again occurs then when it does look at the tracing logs found in c:\windows\tracing to see what netwrok activity was occuring during that time when the lock out occurred to find the cuase.
To stop the tracing, from command type:  netsh ras set tracing * disabled
 
wes
0
dexITCommented:
Have you seen any security audit entries in eventvwr for this user?
0
adml_shakeAuthor Commented:
Here is the output I got from running that for a few moments (it didn't take long to disable the account
There was more, but it basically just repeated this over and over.  Thanks for the help.

1692] 11:07:57: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1279
   Local subnet only:      False
[1692] 11:07:57: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1279
[1692] 11:07:57: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:07:57: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1279
   Local subnet only:      False
[1688] 11:08:01: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1280
   Local subnet only:      False
[1688] 11:08:01: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1280
[1688] 11:08:01: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:01: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1280
   Local subnet only:      False
[396] 11:08:02: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1281
   Local subnet only:      False
[396] 11:08:02: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1281
[396] 11:08:02: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:02: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1281
   Local subnet only:      False
[1692] 11:08:07: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1282
   Local subnet only:      False
[1692] 11:08:07: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1282
[1692] 11:08:07: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:07: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1282
   Local subnet only:      False
[1688] 11:08:12: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1283
   Local subnet only:      False
[1688] 11:08:12: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1283
[1688] 11:08:12: FwNotifyOnDeny: Wildcarded UDP port.
[188] 11:08:12: Removing dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1283
   Local subnet only:      False
[396] 11:08:17: Denying dynamic port
   Process ID:             756
   RPC port:               False
   Application name:      
   Process image filename: C:\WINDOWS\system32\lsass.exe
   IP Version:             IPv4
   IP Protocol:            UDP
   Port number:            1284
   Local subnet only:      False
[396] 11:08:17: FwNotifyOnDeny: image = C:\WINDOWS\system32\lsass.exe; proto = UDP; port = 1284
[396] 11:08:17: FwNotifyOnDeny: Wildcarded UDP port.
0
IT Pros Agree: AI and Machine Learning Key

We’d all like to think our company’s data is well protected, but when you ask IT professionals they admit the data probably is not as safe as it could be.

adml_shakeAuthor Commented:
dexIT:

No, I looked in the security logs and the others but didn't see anything
0
Wes MillerIT  SupportCommented:
Looks like lsass.exe is not able to obtain a proper handshake with the server.
That file has been known to be a attacked by viruses so I'd scan her system to make sure it is virus free.  See: http://www.softwarepatch.com/tips/isass.html
Microsoft's Malicious Software Removal Tool can also be installed to remove it: http://support.microsoft.com/kb/890830/
Wes
 
0
Wes MillerIT  SupportCommented:
Also see this link:  http://help.lockergnome.com/windows2/Help-finding-account-lockout-source--ftopict454078.html
Help in finding account lockout source

Solution:
Well I found it by sheer luck and coincidence. One of the techs called
me about an DHCP address reservation and as I was poking around the
server config I looked at the Advanced tab and then the credentials
button. Sure enough there was the offending account. I was having
trouble with Dynamic DNS and used this account to troubleshoot and
forgot all about it; sloppy administration. You would have thought
that somewhere in the logs it would have mentioned DHCP. It was also
why sometimes it would take an hour to lock the account (later in the
day) and sometimes it would lock in 5 minutes (in the morning).
Thanks for trying! Hopefully this will help someone.
 
Hope that helps you, Wes
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2003

From novice to tech pro — start learning today.