Solved

Account locking out every couple min after changing password

Posted on 2011-09-09
16
811 Views
Last Modified: 2012-08-13
We have gone and changed the password back which seems to slow down how quick it locks the account by a min or two but its happening constantly and cant seem to figure it out. Under security under event view i keep getting this


Logon Failure:
       Reason:            Account locked out
       User Name:      USERNAME
       Domain:      
       Logon Type:      3
       Logon Process:      Advapi  
       Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
       Workstation Name:      SERVER
       Caller User Name:      SERVER$
       Caller Domain:      DOMAIN
       Caller Logon ID:      (0x0,0x3E7)
       Caller Process ID: 2404
       Transited Services: -
       Source Network Address:      -
       Source Port:      -

i figured once i changed her password back that it would quit locking her account but that doesnt seem to be the case. I have checked all the services on  the server and on her computer , checked scheduled tasks, all the programs when she starts up her machine yet cant seem to find the cause. all the network drives get created from a logon script and she has no persistent drives. please help... thank you!
0
Comment
Question by:coeurdcom
  • 5
  • 5
  • 3
  • +2
16 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512283
Any service that was using that account will have to be updated with the new password. Probably best to run Process Monitor and dig through the output to see what service and device is constantly reconnecting using that password.
http://technet.microsoft.com/en-us/sysinternals/bb896645
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512315
the user account might still be logged in somewhere else (other computer or perhaps a terminal session with programms still running)
0
 

Author Comment

by:coeurdcom
ID: 36512326
They are not logged in via any terminal sessions. they are only trying to log into one computer. no other computer is logged in with their credentials
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512373
what happens if you shut down her pc  and have her log onto another pc? if that has the same lockout effect you might want to check the security log (eventvwr) of you active directory server, you should be able to find where the lockout originates from by IP or computername on which likely a service or application is still running with her old credentials.
0
 

Author Comment

by:coeurdcom
ID: 36512386
ok so i downloaded the process monitor and found a process that had the exact same ID during the exact same time. its running inetinfo.exe.. could this be the cause?
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 36512406
yes, check the IIS settings
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512438
The inetinfo/IIS service on the server should be using a system account not a user account. You can verify by looking at the properties of the service in the services management console on the server.
0
Is Your AD Toolbox Looking More Like a Toybox?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

 

Author Comment

by:coeurdcom
ID: 36512454
the IIS Service is using a system account. just checked. i went in to IIS disabled all the sites and the problem still continues...
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512562
By "exact same ID " did you mean user account or process ID? There Will be several services using the same process ID.

In process monitor you want to look at failed connections when the password is changed.
0
 

Author Comment

by:coeurdcom
ID: 36512585
I meant process ID, i went ahead and looked in event viewer and fount out one of the exact times that there was a failure audit and then went and looked it up in process monitor. During that time the only service i saw using that process id was Inetinfo.exe
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 36512605
Sorry  thought you had meant user account. Matching process ID's is often of no help especially with services using system accounts as they often have the same ID#
0
 

Author Comment

by:coeurdcom
ID: 36512648
oh.. that stinks... well where to do i look to find failed connections in the process monitor?
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 250 total points
ID: 36512973
I haven't used it in a long time. It is a pain in the neck with 500K events recorded every minute or so, but it is an amazing tool.
I would clear the capture, start a new capture, change the password to a new password so you get the error, wait about 2 minutes then stop the capture. Then filter by result and you should see any failures grouped together. From there it is a case of digging line by line a see if you can see any relationship to the user account and then try to figure out what service was using the account, or what it was trying to access.
0
 
LVL 10

Assisted Solution

by:abbright
abbright earned 250 total points
ID: 36514545
Whether the account is being locked can be seen in the user account in AD. Does it still get locked out when you disconnect the mentioned machine from the network?
0
 
LVL 27

Expert Comment

by:Tolomir
ID: 37163631
This question has been classified as abandoned and is closed as part of the Cleanup Program. See the recommendation for more details.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Most of the applications these days are on Cloud. Cloud is ubiquitous with many service providers in the market. Since it has many benefits such as cost reduction, software updates, remote access, disaster recovery and much more.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
Sending a Secure fax is easy with eFax Corporate (http://www.enterprise.efax.com). First, just open a new email message. In the To field, type your recipient's fax number @efaxsend.com. You can even send a secure international fax — just include t…
A simple description of email encryption using a secure portal service. This is one of the choices offered by The Email Laundry for email encryption. The other choices are pdf encryption which creates an encrypted pdf of your email and any attachmen…

867 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now