Solved

Account locking out every couple min after changing password

Posted on 2011-09-09
16
808 Views
Last Modified: 2012-08-13
We have gone and changed the password back which seems to slow down how quick it locks the account by a min or two but its happening constantly and cant seem to figure it out. Under security under event view i keep getting this


Logon Failure:
       Reason:            Account locked out
       User Name:      USERNAME
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 2404
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

i figured once i changed her password back that it would quit locking her account but that doesnt seem to be the case. I have checked all the services on  the server and on her computer , checked scheduled tasks, all the programs when she starts up her machine yet cant seem to find the cause. all the network drives get created from a logon script and she has no persistent drives. please help... thank you!
0
Comment
Question by:coeurdcom
  • 5
  • 5
  • 3
  • +2
16 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512283
Any service that was using that account will have to be updated with the new password. Probably best to run Process Monitor and dig through the output to see what service and device is constantly reconnecting using that password.
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512315
the user account might still be logged in somewhere else (other computer or perhaps a terminal session with programms still running)
0
 

Author Comment

by:coeurdcom
ID: 36512326
They are not logged in via any terminal sessions. they are only trying to log into one computer. no other computer is logged in with their credentials
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512373
what happens if you shut down her pc  and have her log onto another pc? if that has the same lockout effect you might want to check the security log (eventvwr) of you active directory server, you should be able to find where the lockout originates from by IP or computername on which likely a service or application is still running with her old credentials.
0
 

Author Comment

by:coeurdcom
ID: 36512386
ok so i downloaded the process monitor and found a process that had the exact same ID during the exact same time. its running inetinfo.exe.. could this be the cause?
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512406
yes, check the IIS settings
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512438
The inetinfo/IIS service on the server should be using a system account not a user account. You can verify by looking at the properties of the service in the services management console on the server.
0
Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

 

Author Comment

by:coeurdcom
ID: 36512454
the IIS Service is using a system account. just checked. i went in to IIS disabled all the sites and the problem still continues...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512562
By "exact same ID " did you mean user account or process ID? There Will be several services using the same process ID.

In process monitor you want to look at failed connections when the password is changed.
0
 

Author Comment

by:coeurdcom
ID: 36512585
I meant process ID, i went ahead and looked in event viewer and fount out one of the exact times that there was a failure audit and then went and looked it up in process monitor. During that time the only service i saw using that process id was Inetinfo.exe
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512605
Sorry  thought you had meant user account. Matching process ID's is often of no help especially with services using system accounts as they often have the same ID#
0
 

Author Comment

by:coeurdcom
ID: 36512648
oh.. that stinks... well where to do i look to find failed connections in the process monitor?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 36512973
I haven't used it in a long time. It is a pain in the neck with 500K events recorded every minute or so, but it is an amazing tool.
I would clear the capture, start a new capture, change the password to a new password so you get the error, wait about 2 minutes then stop the capture. Then filter by result and you should see any failures grouped together. From there it is a case of digging line by line a see if you can see any relationship to the user account and then try to figure out what service was using the account, or what it was trying to access.
0
 
LVL 10

Assisted Solution

by:abbright
abbright earned 250 total points
ID: 36514545
Whether the account is being locked can be seen in the user account in AD. Does it still get locked out when you disconnect the mentioned machine from the network?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37163631
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

IT, Stop Being Called Into Every Meeting

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

Synchronize a new Active Directory domain with an existing Office 365 tenant
It’s a strangely common occurrence that when you send someone their login details for a system, they can’t get in. This article will help you understand why it happens, and what you can do about it.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now