[Webinar] Streamline your web hosting managementRegister Today

x
?
Solved

Account locking out every couple min after changing password

Posted on 2011-09-09
16
Medium Priority
?
828 Views
Last Modified: 2012-08-13
We have gone and changed the password back which seems to slow down how quick it locks the account by a min or two but its happening constantly and cant seem to figure it out. Under security under event view i keep getting this


Logon Failure:
       Reason:            Account locked out
       User Name:      USERNAME
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 2404
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

i figured once i changed her password back that it would quit locking her account but that doesnt seem to be the case. I have checked all the services on  the server and on her computer , checked scheduled tasks, all the programs when she starts up her machine yet cant seem to find the cause. all the network drives get created from a logon script and she has no persistent drives. please help... thank you!
0
Comment
Question by:coeurdcom
  • 5
  • 5
  • 3
  • +2
15 Comments
 
LVL 78

Expert Comment

by:Rob Williams
ID: 36512283
Any service that was using that account will have to be updated with the new password. Probably best to run Process Monitor and dig through the output to see what service and device is constantly reconnecting using that password.
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512315
the user account might still be logged in somewhere else (other computer or perhaps a terminal session with programms still running)
0
 

Author Comment

by:coeurdcom
ID: 36512326
They are not logged in via any terminal sessions. they are only trying to log into one computer. no other computer is logged in with their credentials
0
Evaluating UTMs? Here's what you need to know!

Evaluating a UTM appliance and vendor can prove to be an overwhelming exercise.  How can you make sure that you're getting the security that your organization needs without breaking the bank? Check out our UTM Buyer's Guide for more information on what you should be looking for!

 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512373
what happens if you shut down her pc  and have her log onto another pc? if that has the same lockout effect you might want to check the security log (eventvwr) of you active directory server, you should be able to find where the lockout originates from by IP or computername on which likely a service or application is still running with her old credentials.
0
 

Author Comment

by:coeurdcom
ID: 36512386
ok so i downloaded the process monitor and found a process that had the exact same ID during the exact same time. its running inetinfo.exe.. could this be the cause?
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512406
yes, check the IIS settings
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 36512438
The inetinfo/IIS service on the server should be using a system account not a user account. You can verify by looking at the properties of the service in the services management console on the server.
0
 

Author Comment

by:coeurdcom
ID: 36512454
the IIS Service is using a system account. just checked. i went in to IIS disabled all the sites and the problem still continues...
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 36512562
By "exact same ID " did you mean user account or process ID? There Will be several services using the same process ID.

In process monitor you want to look at failed connections when the password is changed.
0
 

Author Comment

by:coeurdcom
ID: 36512585
I meant process ID, i went ahead and looked in event viewer and fount out one of the exact times that there was a failure audit and then went and looked it up in process monitor. During that time the only service i saw using that process id was Inetinfo.exe
0
 
LVL 78

Expert Comment

by:Rob Williams
ID: 36512605
Sorry  thought you had meant user account. Matching process ID's is often of no help especially with services using system accounts as they often have the same ID#
0
 

Author Comment

by:coeurdcom
ID: 36512648
oh.. that stinks... well where to do i look to find failed connections in the process monitor?
0
 
LVL 78

Accepted Solution

by:
Rob Williams earned 1000 total points
ID: 36512973
I haven't used it in a long time. It is a pain in the neck with 500K events recorded every minute or so, but it is an amazing tool.
I would clear the capture, start a new capture, change the password to a new password so you get the error, wait about 2 minutes then stop the capture. Then filter by result and you should see any failures grouped together. From there it is a case of digging line by line a see if you can see any relationship to the user account and then try to figure out what service was using the account, or what it was trying to access.
0
 
LVL 10

Assisted Solution

by:abbright
abbright earned 1000 total points
ID: 36514545
Whether the account is being locked can be seen in the user account in AD. Does it still get locked out when you disconnect the mentioned machine from the network?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37163631
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Never miss a deadline with monday.com

The revolutionary project management tool is here!   Plan visually with a single glance and make sure your projects get done.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are literally thousands of Exchange recovery applications out there. So how do you end up picking one that’s ideal for your business & purpose? By carefully scouting the product’s features, the benefits it offers you, & reading ample reviews f…
Feeling responsible for an unfortunate ransomware infection on my parent's network, persistence paid off as I was able to decrypt a strain of ransomware that was not previously (or at least publicly) cracked. I hope this helps others out there affec…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
In a question here at Experts Exchange (https://www.experts-exchange.com/questions/29062564/Adobe-acrobat-reader-DC.html), a member asked how to create a signature in Adobe Acrobat Reader DC (the free Reader product, not the paid, full Acrobat produ…

612 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question