Solved

AD Account is locked out

Posted on 2012-04-10
12
513 Views
Last Modified: 2012-05-09
Hello,

I have a user who intermittently gets a message saying his domain account has been locked out.  He is not putting the wrong password in a certain number of times.   Yesterday it happened yesterday when he tried to log in, then after a few minutes it allowed him to log in.  

After he logs in he connects to resources on the network using his AD credentials.  He will later get a login box for these resources asking him to log in again.  When he tries to it tells him invalid userid or password.  It is as if his account loses its credentials intermittently.

He uses remote desktop alot and I wonder if this is somehow causing the issue.  His password has been reset several times already.  Any thoughts on this?

All help greatly appreciated.

thanks,

Maureen
0
Comment
Question by:maureen99
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +4
12 Comments
 
LVL 7

Accepted Solution

by:
Kurt4949 earned 500 total points
ID: 37827544
He might have a mapped network drive or something cached with the wrong passed.  Windows automatically tries to reconnect that drive locking out the account.

I've also seen this happen where someone connects to the network with a vpn and the user name on their remote PC is the same as their AD username with a different password.

If not the above, there's probably some piece of software that he's installed or set up using an old password.
0
 
LVL 1

Expert Comment

by:Digital12
ID: 37827561
He may have recently changed his password and not closed out of RDP properly.  Check for any open but inactive remote sessions with his username and close them out.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37827600
It's possible someone outside the network is trying to access a resouce by guessing this user's password.

It's also possible this user changed his password, but didn't update his phone or some such and it's trying to pull e-mail using the wrong password.
0
Save the day with this special offer from ATEN!

Save 30% on the CV211 using promo code EXPERTS30 now through April 30th. The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 
LVL 1

Expert Comment

by:BrewersFanRick
ID: 37827698
All the things above are certainly possible.  You can check the logs on the domain controller for failed login attempts and track it down that way too.
0
 
LVL 12
ID: 37828059
Use Microsoft's AccountLockout Tool to pinpoint which DC he is being locked out of on first. You can then check the security log of that DC to see where the failed audit logons are coming from.
0
 

Author Comment

by:maureen99
ID: 37839841
we have used the lockout tool and can see where several bad password attempts are being made on a domain controller and then after 5 he gets locked out.  Our server team tells us they cannont pinpoint the application that is making the logon attempts.

I have checked his services and found one SQL service that used a domain account and we updated that password, still the same thing happens.   He has not been using remote desktop lately and I had him log back into the machines he was using it on and logoff properly.

We believe there is a process running on the machine that is trying to log into a network resource and causing the lockout but we are at a loss as to what it could be.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37840103
This should be a lesson: Don't use user accounts for services.  I hope that once you get this sorted out you'll go through your network and address that.

Do the logon attempts happen at predictable times?  Do they happen when the user is at work?  Do they come from within the work network?  Could they be coming from a smart phone, pad or laptop device?
0
 
LVL 1

Expert Comment

by:BrewersFanRick
ID: 37844104
Did you just recreate the profile to see if it goes away or have him log in to another machine to see if it continues?   That at least will narrow it down for you.
0
 

Author Comment

by:maureen99
ID: 37844816
The logon attempts seem to happen every hour or so.    They happen even when the user  is not at work.  I have asked him if he uses an external device of any kind to access his pc or his work email and he said no.
0
 
LVL 34

Expert Comment

by:Paul MacDonald
ID: 37844914
I all but guarantee he does.  

There's no workstation or client IP address information in the Security log?
0
 

Author Comment

by:maureen99
ID: 37938439
This turned out to be a password in a peice of software he was using.  Thanks everyone for all the good suggestions it was very helpful.
0
 

Expert Comment

by:spritchey
ID: 37947559
Can you please specify which piece of software?
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Issue: One Windows 2008 R2 64bit server on the network unable to connect to a buffalo Device (Linkstation) with firmware version 1.56. There are a total of four servers on the network this being one of them. Troubleshooting Steps: Connect via h…
Learn how to PXE Boot both BIOS & UEFI machines with DHCP Policies and Custom Vendor Classes
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

738 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question