Solved

Account locking out every couple min after changing password

Posted on 2011-09-09
Last Modified: 2012-08-13
We have gone and changed the password back, which seems to slow down how quickly it locks the account by a minute or two, but it's happening constantly and I can't seem to figure it out. Under Security in Event Viewer I keep getting this:


Logon Failure:
       Reason:            Account locked out
       User Name:      USERNAME
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 2404
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

I figured once I changed her password back that it would quit locking her account, but that doesn't seem to be the case. I have checked all the services on the server and on her computer, checked scheduled tasks, all the programs when she starts up her machine, yet can't seem to find the cause. All the network drives get created from a logon script and she has no persistent drives. Please help... thank you!
0
Question by:coeurdcom
16 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512283
Any service that was using that account will have to be updated with the new password. Probably best to run Process Monitor and dig through the output to see what service and device is constantly reconnecting using that password.
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512315
The user account might still be logged in somewhere else (another computer, or perhaps a terminal session with programs still running).
0
 

Author Comment

by:coeurdcom
ID: 36512326
They are not logged in via any terminal sessions. They are only trying to log into one computer. No other computer is logged in with their credentials.
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512373
What happens if you shut down her PC and have her log on to another PC? If that has the same lockout effect, you might want to check the security log (eventvwr) of your Active Directory server; you should be able to find where the lockout originates from by IP or computer name, on which likely a service or application is still running with her old credentials.
0
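The triage suggested above, as an added example that is not part of the original thread: a parser for the legacy event text quoted in the question that tallies one user's logon failures by workstation, caller process ID and logon type. The sample records are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

# Constructed sample: three legacy-format records as exported from the Security
# log, modelled on the event quoted in the question (fields abbreviated).
SAMPLE = """Logon Failure:
       Reason:            Account locked out
       User Name:      USERNAME
       Logon Type:      3
       Logon Process:      Advapi
       Workstation Name:      SERVER
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 2404
Logon Failure:
       Reason:            Account locked out
       User Name:      USERNAME
       Logon Type:      3
       Workstation Name:      SERVER
       Caller Process ID: 2404
Logon Failure:
       Reason:            Unknown user name or bad password
       User Name:      OTHERUSER
       Logon Type:      2
       Workstation Name:      PC01
       Caller Process ID: 512
"""

LOGON_TYPES = {"2": "interactive", "3": "network", "4": "batch", "5": "service"}
FIELD = re.compile(r"^\s*([A-Za-z ]+?):[ \t]*(.*?)\s*$")

def parse_events(text):
    """Return one dict of 'Field: value' pairs per 'Logon Failure:' record."""
    events = []
    for block in re.split(r"^Logon Failure:[ \t]*$", text, flags=re.M)[1:]:
        matches = (FIELD.match(line) for line in block.splitlines())
        events.append({m.group(1): m.group(2) for m in matches if m})
    return events

def summarize(events, user):
    """Count failures for `user` by (workstation, caller PID, logon type)."""
    tally = Counter()
    for e in events:
        if e.get("User Name", "").lower() == user.lower():
            kind = LOGON_TYPES.get(e.get("Logon Type"), e.get("Logon Type", "?"))
            tally[(e.get("Workstation Name", "-"), e.get("Caller Process ID", "-"), kind)] += 1
    return tally.most_common()

def is_local_system_caller(event):
    """True when the caller ran in the LocalSystem logon session (0x3E7)."""
    return event.get("Caller Logon ID", "").lower().endswith(",0x3e7)")
```

The top entry from `summarize` names the host and caller process ID to examine first; the process ID is only meaningful on that host and for as long as the process keeps running.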
 

Author Comment

by:coeurdcom
ID: 36512386
OK, so I downloaded Process Monitor and found a process that had the exact same ID during the exact same time. It's running inetinfo.exe. Could this be the cause?
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512406
Yes, check the IIS settings.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512438
The inetinfo/IIS service on the server should be using a system account, not a user account. You can verify by looking at the properties of the service in the services management console on the server.
0
 

Author Comment

by:coeurdcom
ID: 36512454
The IIS service is using a system account; just checked. I went into IIS and disabled all the sites, and the problem still continues...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512562
By "exact same ID" did you mean user account or process ID? There will be several services using the same process ID.

In Process Monitor you want to look at failed connections when the password is changed.
0
 

Author Comment

by:coeurdcom
ID: 36512585
I meant process ID. I went ahead and looked in Event Viewer and found out one of the exact times that there was a failure audit, and then went and looked it up in Process Monitor. During that time the only service I saw using that process ID was Inetinfo.exe.
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512605
Sorry, thought you had meant user account. Matching process IDs is often of no help, especially with services using system accounts, as they often have the same ID#.
0
 

Author Comment

by:coeurdcom
ID: 36512648
Oh.. that stinks... Well, where do I look to find failed connections in Process Monitor?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 36512973
I haven't used it in a long time. It is a pain in the neck with 500K events recorded every minute or so, but it is an amazing tool.
I would clear the capture, start a new capture, change the password to a new password so you get the error, wait about 2 minutes, then stop the capture. Then filter by result and you should see any failures grouped together. From there it is a case of digging line by line and seeing if you can find any relationship to the user account, and then trying to figure out what service was using the account, or what it was trying to access.
0
 
LVL 10

Assisted Solution

by:abbright
abbright earned 250 total points
ID: 36514545
Whether the account is being locked can be seen in the user account in AD. Does it still get locked out when you disconnect the mentioned machine from the network?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37163631
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
