User frequently locked out of Active Directory for no apparent reason

We just converted to Active Directory and are NEW to Microsoft (formerly NetWare).
We have one user who is frequently getting locked (every 5 minutes or so).
Please, does someone have ANY idea where to find the cause?

Thank you in advance
spccu Asked:
 
twinvega Commented:
Enable account audit on failure and it may give you some better insight.
0
 
Alan Hardisty (Co-Owner) Commented:
It may be down to a drive mapping passing the incorrect credentials or some software passing the password regularly.
Are there any drives mapped?  If so - delete all drive mappings and see if the problems go away.  If the problem goes away, remap the drive through DOS using the following syntax:
net use x: \\server\share /user:domain\username password /persistent:yes (change the relevant parts - server - share - domain - username - password)
Is there any software running when the lockouts occur?  If so, close them down one at a time until the problem goes away.  The last one closed will be causing the problems.
0
 
Mike Kline Commented:
Does he have any services using his account?  Is it only one user that this is happening to?

You can use some Microsoft tools (account lockout and mgmt tools) to try and figure out where the offending machine/service is.  Good article on that here

http://blogs.technet.com/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Some third party programs can also help  

http://www.netwrix.com/account_lockout_examiner.html


Thanks

Mike
0
 
russell124 Commented:
Download the Eventcombmt utility from Microsoft:
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Run the .exe, point it to your Domain Controller, and under "Searches" select the "Account Lockout" search, and this will search the security logs for any account lockout events.  In this log file, it should also show what computer generated the account lockout, so you can start to pinpoint where the issue is occurring.  You can also see the account lockout events in the Security Log on the DC, but the event comb utility makes it much easier.

Some common culprits of issues like this are mapped drives with manually specified credentials, old cached passwords, incorrect or cached proxy credentials, and a service that is running as a user.

If you want to check and clear any potential cached passwords on a workstation, see the following link:
http://www.technize.com/how-to-delete-remembered-network-passwords-in-windows/

0
 
oztrodamus Commented:
This is just an idea but I've seen mysterious lockout issues such as this regarding Outlook and Exchange. I don't know if you use Outlook in your environment, but your zones list Exchange so I'm assuming you do. Make sure your PC CMOS clock is set properly and make sure the Windows clock is in sync with the domain controller. What I believe might be happening is as Outlook passes the authentication credentials to the domain controller they are getting rejected, because of a time sync issue thus locking the user out, because of too many failed attempts.
0
 
vmwarun - Arun Commented:
I experienced this issue once and the culprit was malware sitting on the user's workstation that was trying to automate logging into the Domain Controller.
I removed the malware using security software and the issue was finally resolved.
I suggest that you try to keep your Windows patch levels (at least critical patches) up to date to prevent such issues.
0
 
spccu (Author) Commented:
I have enabled "Audit account logon events" for failed events.  Below are the most common failed events:
Event Id 4776
Error Code - 0xc000006a and 0xc0000234
Computer - Exchange Server
User = User that is constantly locked out.
Also seeing
Event Id 4769
Computer - Domain Controller
Service - KRBTGT
Service ID - Null SID
Ticket Options:   0x60810010
Failure Code:      0xe
I'm not sure if the second event is related to the first event or not - however when one is logged the other is logged as well so it seems as if they are related in some way.  Any ideas?  Thanks for the responses.
0
 
oztrodamus Commented:
Event Id 4776
0xc000006a - Indicates incorrect password being used
0xc0000234 - Means user is locked out

Event Id 4769
0xe - Means KDC has no support for encryption type

Sounds like the workstation the user is using is trying to default to an encryption type not supported by Windows and thus the DC is locking the user out. Look for any NetWare Client software that may exist on that workstation and uninstall it.
0
 
spccu (Author) Commented:
Using the audit account logon feature and the Account Lockout Tools we were able to determine the machine causing the account lockout.  From there we determined that a service was attempting to connect to the Exchange server - this service is no longer needed - once we disabled the service the specific user account is no longer being locked out.
0
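The triage described in this thread (failed event 4776 entries, grouped by the machine that submitted them) can be scripted over exported records. This is an added example, not code from any poster; the CSV layout, host names and user names are constructed assumptions, and only the two status codes quoted in the thread are decoded.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime
from statistics import median

# NTSTATUS values quoted in the thread's event 4776 entries.
STATUS = {0xC000006A: "bad_password", 0xC0000234: "account_locked_out"}

# Constructed sample: time, event id, source workstation, user, status.
SAMPLE = """\
2010-03-02T09:00:00,4776,EXCH01,jdoe,0xc000006a
2010-03-02T09:01:00,4776,EXCH01,jdoe,0xc000006a
2010-03-02T09:02:00,4776,EXCH01,jdoe,0xc000006a
2010-03-02T09:02:30,4776,WKS-114,jdoe,0xc000006a
2010-03-02T09:03:00,4776,EXCH01,jdoe,0xc0000234
2010-03-02T09:04:00,4776,EXCH01,jdoe,0xc0000234
2010-03-02T09:04:10,4776,WKS-207,asmith,0xc000006a
2010-03-02T09:10:00,4776,EXCH01,jdoe,0xc000006a
"""

def lockout_sources(text, user):
    """Rank source machines by failed 4776 validations for one user."""
    per_host = defaultdict(lambda: {"bad_password": [], "account_locked_out": 0})
    for when, event_id, host, name, status in csv.reader(io.StringIO(text)):
        if event_id != "4776" or name.lower() != user.lower():
            continue
        kind = STATUS.get(int(status, 16))
        if kind == "bad_password":
            per_host[host.upper()][kind].append(datetime.fromisoformat(when))
        elif kind == "account_locked_out":
            per_host[host.upper()][kind] += 1
    report = []
    for host, seen in per_host.items():
        times = sorted(seen["bad_password"])
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        report.append({
            "host": host,
            "bad_passwords": len(times),
            "while_locked": seen["account_locked_out"],
            # A steady gap suggests a service retrying a stale password.
            "median_gap_s": median(gaps) if gaps else None,
        })
    return sorted(report, key=lambda r: r["bad_passwords"], reverse=True)

if __name__ == "__main__":
    print(lockout_sources(SAMPLE, "jdoe"))
```

The host at the top of the report is where to look next for mapped drives, cached credentials or services running as the user.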
 
Mike Kline Commented:
Great work tracking it down!!
0
 
oztrodamus Commented:
What was the actual cause for the lock out?
0
 
spccu (Author) Commented:
The service in question was being used as a middle man between our GroupWise mail server and mobile devices to send/receive mail and initially it was set up to work with Exchange following our conversion.  We are now using the ActiveSync service built in to Exchange to sync up the mobile devices and did not turn off the service for the user which was having the problem.  So this service was attempting to connect to the Exchange server with the old password for this user and our password policy was locking the account after the specified number of attempts had been reached.   I appreciate all the responses - we were spinning our wheels for several days on this one.
0
Question has a verified solution.