Solved

Active Directory Account Locked Out

Posted on 2012-03-21
Last Modified: 2012-06-21
A particular user's account has begun to continually lock out (past month); no new software has been installed. The lockout can occur while the user is working on the PC or while the PC is stationary, i.e. during lunch or up to 45 minutes after logging out. Any ideas as to what could be causing this to occur?
Question by:Barnardos_2LS
10 Comments
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 37746920
First things first: download the lockout tools. This will let you see what time and on what DC the account is locking out from. Once you find that event, post it here and we can tell you more of what's going on.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
0
 
LVL 8

Accepted Solution

by:
PenguinN earned 500 total points
ID: 37746929
Is RDP open to the outside world? This can be an issue.
Also check any remote devices connecting as the user.
0
 
LVL 2

Expert Comment

by:postechgeek
ID: 37746990
More specifically, in the lockout tools download that was mentioned earlier there is a tool called LockoutStatus. This tool will allow you to see what domain controller locked the user account. From there, you should log on to the domain controller and look at the security event logs. That should narrow down the issue.
0
 
LVL 78

Expert Comment

by:arnold
ID: 37747005
The Lockout tool referenced by xxdcmast will help you determine which DC locked the account based on failed login attempts. It includes an event data gatherer which you would need to use to collect failed login security event IDs 528, 530.
This will help you locate the system from which the requests are being generated.

Along the path of PenguinN, if you have terminal servers, the user might have an active session that was established prior to the user's recent password change outside that terminal session.
0
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 37747418
We have already installed LockoutStatus on the user's PC. Please find attached the HODC1 lockout details.
0
 
LVL 78

Expert Comment

by:arnold
ID: 37747841
Did you mean to attach, embed hofdc1 report of events?
0
 
LVL 1

Author Comment

by:Barnardos_2LS
ID: 37748023
Yes as per the request from xxdcmast - ID37746920. Not sure if the events log is of any help though?
0
 
LVL 78

Expert Comment

by:arnold
ID: 37748132
I do not see anything attached, perhaps because of what I am using. The event log should tell you the source of the request, which you should then check for virus, etc.
Note a session established prior to a user changing their password in a different session or another computer would explain this issue because the original question has a token for their credential with the now incorrect password.
If the user must maintain that session, they must change/update their password within that session which will update the cached credentials.
0
 
LVL 1

Author Closing Comment

by:Barnardos_2LS
ID: 37854836
An open RDP session was discovered. Once this was closed the issue no longer occurred.
0
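
The diagnosis this thread converges on (find the lockout events on the domain controller, read the source machine from them, then look for a session left open there), as an added PowerShell example that is not from any post above. It assumes Windows Server 2008 or later, where the lockout event is ID 4740 (an ID the thread does not mention), the ActiveDirectory module, and a placeholder account name.

```powershell
# Added example; the account name below is a placeholder, not a value from the thread.
param(
    [string]$SamAccountName = 'jdoe-placeholder',
    [int]$DaysBack = 7
)

Import-Module ActiveDirectory

# Lockouts are processed by the PDC emulator, so its Security log records each one.
$pdc = (Get-ADDomain).PDCEmulator

# Event 4740 = "A user account was locked out" (Server 2008 and later; assumption).
$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$DaysBack)
}

$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # 4740 layout: Properties[0] = locked account, Properties[1] = caller computer.
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = $_.Properties[0].Value
            Source = $_.Properties[1].Value   # may be empty for non-Windows devices
        }
    } |
    Where-Object { $_.User -eq $SamAccountName }

if (-not $lockouts) {
    Write-Warning "No 4740 events for $SamAccountName on $pdc in the last $DaysBack days."
    return
}

# Which machines keep triggering the lockout, and how often.
$lockouts | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# List the account's sessions on each source machine. An RDP session left open
# under the account is what the asker eventually found.
foreach ($computer in (@($lockouts).Source | Sort-Object -Unique)) {
    if (-not $computer) { continue }
    Write-Host "Sessions for $SamAccountName on ${computer}:"
    quser /server:$computer 2>$null | Select-String -SimpleMatch $SamAccountName
}
```

An empty `Source` value points toward the "remote devices" suggestion in the accepted answer, since phones and other non-domain clients often do not report a computer name.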
