Account locking out every couple min after changing password

We have gone and changed the password back which seems to slow down how quick it locks the account by a min or two but its happening constantly and cant seem to figure it out. Under security under event view i keep getting this


Logon Failure:
       Reason:            Account locked out
       User Name:      USERNAME
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 2404
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

i figured once i changed her password back that it would quit locking her account but that doesnt seem to be the case. I have checked all the services on  the server and on her computer , checked scheduled tasks, all the programs when she starts up her machine yet cant seem to find the cause. all the network drives get created from a logon script and she has no persistent drives. please help... thank you!
coeurdcomAsked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
Rob WilliamsConnect With a Mentor Commented:
I haven't used it in a long time. It is a pain in the neck with 500K events recorded every minute or so, but it is an amazing tool.
I would clear the capture, start a new capture, change the password to a new password so you get the error, wait about 2 minutes then stop the capture. Then filter by result and you should see any failures grouped together. From there it is a case of digging line by line a see if you can see any relationship to the user account and then try to figure out what service was using the account, or what it was trying to access.
0
 
Rob WilliamsCommented:
Any service that was using that account will have to be updated with the new password. Probably best to run Process Monitor and dig through the output to see what service and device is constantly reconnecting using that password.
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
 
warddhoogheCommented:
the user account might still be logged in somewhere else (other computer or perhaps a terminal session with programms still running)
0
Get 10% Off Your First Squarespace Website

Ready to showcase your work, publish content or promote your business online? With Squarespace’s award-winning templates and 24/7 customer service, getting started is simple. Head to Squarespace.com and use offer code ‘EXPERTS’ to get 10% off your first purchase.

 
coeurdcomAuthor Commented:
They are not logged in via any terminal sessions. they are only trying to log into one computer. no other computer is logged in with their credentials
0
 
warddhoogheCommented:
what happens if you shut down her pc  and have her log onto another pc? if that has the same lockout effect you might want to check the security log (eventvwr) of you active directory server, you should be able to find where the lockout originates from by IP or computername on which likely a service or application is still running with her old credentials.
0
 
coeurdcomAuthor Commented:
ok so i downloaded the process monitor and found a process that had the exact same ID during the exact same time. its running inetinfo.exe.. could this be the cause?
0
 
warddhoogheCommented:
yes, check the IIS settings
0
 
Rob WilliamsCommented:
The inetinfo/IIS service on the server should be using a system account not a user account. You can verify by looking at the properties of the service in the services management console on the server.
0
 
coeurdcomAuthor Commented:
the IIS Service is using a system account. just checked. i went in to IIS disabled all the sites and the problem still continues...
0
 
Rob WilliamsCommented:
By "exact same ID " did you mean user account or process ID? There Will be several services using the same process ID.

In process monitor you want to look at failed connections when the password is changed.
0
 
coeurdcomAuthor Commented:
I meant process ID, i went ahead and looked in event viewer and fount out one of the exact times that there was a failure audit and then went and looked it up in process monitor. During that time the only service i saw using that process id was Inetinfo.exe
0
 
Rob WilliamsCommented:
Sorry  thought you had meant user account. Matching process ID's is often of no help especially with services using system accounts as they often have the same ID#
0
 
coeurdcomAuthor Commented:
oh.. that stinks... well where to do i look to find failed connections in the process monitor?
0
 
abbrightConnect With a Mentor Commented:
Whether the account is being locked can be seen in the user account in AD. Does it still get locked out when you disconnect the mentioned machine from the network?
0
 
TolomirAdministratorCommented:
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.