LogicalSolutionsNZ

Account lockout

An Active Directory user has been having their account locked out at random intervals. They do not have a roaming profile. We have given them an entirely new computer, moving them from XP to Windows 7. This in effect has given them a new profile, new programs installed, wiped out saved passwords, etc., yet they still get the same error.

We have found event id 40960 and 40961 from source LSASRV in the local computer logs. There are no events to be found on the DC.

Another issue is that Outlook 2007 prompts for credentials from server1, a separate server from the mail server, which is server2. Server1 is the PDC.

These issues only affect 1 user on the domain.
strivoli

Does the affected User Account change the password regularly, or has it been unchanged for a long time?
Might there be any Scheduled Job or Service using User Account credentials running on any client/server in the Domain?
shefam

If you unlock the user's account, are they able to log in at that point?

If so, have them log out and back in again to see if the issue is still resolved.

If it is, reboot the PC and then have them log in again. If they get locked out again, check the following:
 - make sure Num Lock doesn't auto turn on after reboot or boot
 - make sure the FN key etc. is not auto turned on

If not certain, have the user type the pw in the UID field just to ensure what they are typing is what they mean to type.

Panasonic TB (i.e., CF19 & CF52) have this issue.

Hope this helps.
Also, to add to what I just said, if they are changing the pw, make sure they reboot the PC and log in again to ensure the new creds propagate to the Exchange server.
LogicalSolutionsNZ

ASKER

The user is set up to change their password every 60-90 days.

We've recently taken over this domain in the last 6 months, so we don't have an in-depth knowledge of all the services/scheduled jobs that are set up. Is there an easy way to check these?

I've just set up auditing on the PDC to monitor all login/access/password failures. Hoping to cross-check these with the LSASRV errors that occur on the user's machine.
Hey Shefam, yes, I have gone past this point of troubleshooting. This issue has been ongoing for 2-3 weeks now, and the user gets locked out at least once or twice a day, but it has no regular frequency.
As mentioned above, I set up auditing on login attempts. I have multiple audit failures now referencing the user at hand.

The below images show that the user account was being referenced. The two ID 673 errors were both referencing server2 (mail server) but running different service names after the ID 680 error occurred.
(images: id673.png, id680.png, id6732.png)
To add more info, we've recently had to update the root certificate for the exchange mail server. This hasn't been an issue for any other user however.
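The audit events the asker is collecting on the PDC (673/680 on Windows 2003; 4769/4776, plus 4740 and 4771, on 2008 and later) all name the machine or service the bad credential came from, which is what has to be lined up against the LSASRV 40960/40961 events on the client. The following script is an added example, not code from the thread or its participants: it pulls those events for one account out of a DC's Security log and tallies them by source. It assumes an elevated PowerShell on a DC running Windows Server 2008 or later (Get-WinEvent is not available on 2003); the account name and look-back window are placeholders.

```powershell
# Added example, not from the thread: summarise lockouts and authentication failures
# for one account from a domain controller's Security log, so the source machine or
# service can be cross-checked against the LSASRV 40960/40961 events on the client.
# Assumptions: elevated PowerShell on a DC running Windows Server 2008 or later;
# $User and $Hours are placeholders.
param(
    [string]$User  = 'lockeduser',   # placeholder: sAMAccountName of the affected user
    [int]   $Hours = 24              # how far back to search
)

# Post-2008 event ids and the Windows 2003 ids they replaced:
#   4740 account locked out      (was 644)
#   4769 Kerberos service ticket (was 673)  - kept only when Status is not 0x0
#   4771 Kerberos pre-auth fail  (was 675)
#   4776 NTLM credential check   (was 680)  - kept only when Status is not 0x0
$ids   = 4740, 4769, 4771, 4776
$since = (Get-Date).AddHours(-$Hours)

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull the named EventData fields out of the event XML into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # 4769 reports user@REALM, the others the plain name, so match on prefix
    if ($d['TargetUserName'] -notlike "$User*") { continue }
    # Successful ticket requests and NTLM validations are noise here
    if (((4769, 4776) -contains $e.Id) -and ($d['Status'] -eq '0x0')) { continue }

    # Where the attempt came from: 4740 carries the caller computer in TargetDomainName,
    # 4776 in Workstation, and the Kerberos events in IpAddress
    $source = switch ($e.Id) {
        4740    { $d['TargetDomainName'] }
        4776    { $d['Workstation'] }
        default { $d['IpAddress'] }
    }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        Id      = $e.Id
        Source  = $source
        Service = $d['ServiceName']   # set on 4769, e.g. HTTP/... or exchangeMDB/... SPNs
        Status  = $d['Status']
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
''
'Failures by source:'
$rows | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
```

Run it on each DC that can lock the account (lockouts are processed by the PDC emulator, but the failed attempts are logged on whichever DC received them); a source that is not the user's own workstation points at a stale credential somewhere else, which is where the thread ends up.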
In id6732, why did you block out the service name?

ID 680: is the workstation the user's workstation? It does look like a dictionary attack is in progress. Take the machine off the network and scan for malware.

Are they all the same workstation, and is it the user's workstation?
Hey ve3ofa, the id6732 service is HTTP/mailserver.domain. I just blocked out the specific name. This is the same as id673 (service name: exchangeMDB/mailserver.domain).

Yes the id 680 workstation is the one that the user is having problems with. The user only uses the one workstation and no one else uses it.

I'll run a malware scan on the machine ASAP.
Ran malware scans and found nothing on the computer.
ASKER CERTIFIED SOLUTION
RMOMCSE
Ooooo, they do have a smart phone with an out-of-date password, I think!! I'm going to check right now.

And it's driving me and the customer absolutely mental!

I came across this little gem recently. We had a user that was getting locked just about every day. It would usually occur at logon or sometime shortly thereafter (timing was never consistent).

We used the lockout tools to determine that the lockout was coming from a desktop that she had never used. It turned out that the user naming convention y0000000 was part of the issue. The user on the machine that was locking out the account had transposed two numbers to match the locked out user account. It had gotten cached so when the user on the lockout machine logged in the other account would get locked out. We opened the Credential Store and deleted the offending entry.

Fun!
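The fix in the story above, and the likely fix for the asker's phone or any other device holding an old password, is to find the cached credential and delete it. As an added example that is not code from the thread, the script below lists what Windows has stored for the current user via `cmdkey /list`, shows the entries whose target matches a server or domain name, and removes them only when asked. It assumes it is run as the user whose vault is suspect (cmdkey only sees the calling user's credentials), that `cmdkey /delete` accepts the target name exactly as `/list` prints it, and that `$Pattern` is a placeholder.

```powershell
# Added example, not from the thread: list the credentials cached for the current user
# and remove the ones that target a given server or domain (the "delete the offending
# entry from the Credential Store" step, scripted).
# Assumptions: run as the affected user; $Pattern is a placeholder; -Remove is off by
# default so the first run only reports.
param(
    [string]$Pattern = 'mailserver.domain',   # placeholder: server, SPN or domain to match
    [switch]$Remove
)

# cmdkey /list prints blocks such as:
#     Target: Domain:target=mailserver.domain
#     Type: Domain Password
#     User: DOMAIN\someone
$entries = @()
$current = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+)$') {
        if ($current) { $entries += $current }
        $current = [pscustomobject]@{ Target = $Matches[1].Trim(); Type = ''; User = '' }
    }
    elseif ($current -and $line -match '^\s*Type:\s*(.+)$') { $current.Type = $Matches[1].Trim() }
    elseif ($current -and $line -match '^\s*User:\s*(.+)$') { $current.User = $Matches[1].Trim() }
}
if ($current) { $entries += $current }

$hits = $entries | Where-Object { $_.Target -like "*$Pattern*" }
if (-not $hits) { "No stored credentials match '$Pattern'."; return }

$hits | Format-Table Target, Type, User -AutoSize

if ($Remove) {
    foreach ($h in $hits) {
        # Assumed: cmdkey takes the target name as /list reported it (e.g. Domain:target=host);
        # strip the "Domain:target=" prefix if your version rejects the full form.
        cmdkey "/delete:$($h.Target)" | Out-Null
        "Removed $($h.Target)"
    }
} else {
    "Re-run with -Remove to delete these entries."
}
```

Run it first without `-Remove` to see which entries match; a stored credential for the mail server or the PDC under a user name that does not belong to the logged-on person, or under the right name from before a password change, is exactly the kind of entry that keeps re-triggering a lockout.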