AD user account lockouts
Posted on 2010-08-24
Windows 2003 DC's (2)
Recently, we 've had a few users that have had their user accounts locked out. currently, I'm looking at an account that is locked out, the user is not in the building or working remotely, and his PC is shut down. As soon as I un-lock his account, it is immediately locking out again. I'm using the Lockoutstatus.exe tool, and can see the bad password count increase to five (our limit). It shows as locked out on both DC's, but only one DC is showing the bad password count.
I've looked at the security event viewer logs, but I'm not sure what I'm seeing. I see the eventID 644 where the account is locked out with the caller machine name of \\NTscan. What does that mean?
I had a different user earlier today complain of being locked out, and I had to 'unlock' his account (before I had the tools) at least 15 times before it would stay unlocked.
If it's a virus, McAfee is not showing it to me. Any advice?