Mcgrathnicol
 asked on

Account keeps locking out for a user

I have done the following without success:

- Deleted all the cached credentials from the laptop.
- Provided a different laptop.
- Used EventCombMT from Microsoft to trace the locked-out account.
- Found event ID 644 (unable to find any solution for that).
- Confirmed the user is not using the Exchange account to sync email on a mobile phone.

We have four domain R/W DCs and we use Exchange 2010 for email.
FYI - One particular account keeps locking out at least 5-6 times a day.

Is there anything I can do without changing the user's login name?

Any advice???

Last Comment
MarkMelanson

8/22/2022 - Mon
motnahp00

You can review the event logs on your DC and try to find out where the bad authentication attempts are coming from. It's typically a network drive mapped with old invalid credentials.
Mcgrathnicol

ASKER
The only thing I can get on the DC is event ID 644 for account locked out in Win 2003 server. I have checked her drives as well and I am sure there isn't any network drive mapped to it.
motnahp00

On your DCs, do you have auditing enabled for Audit account logon events?

gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy
Mcgrathnicol

ASKER
Yes we have.
jerseysam

motnahp00

Look for event ID 529 for that particular user. You should also see the coinciding computer name where the attempt was made from.
SOLUTION
jerseysam

Mcgrathnicol

ASKER
Hi jerseysam

- I am using the account lockout tool but am not getting much help from it.
- I even gave the user a new laptop and the problem is still happening.
jerseysam

Looks like creating a new profile for him then?
Mcgrathnicol

ASKER
I guess providing a new laptop creates a new profile itself locally.

The only thing I hate to do is changing the user's login name.
jerseysam

Yes sorry, I mean a new profile on the server.

It's a pain, but if you tried a new computer then it must be that his profile is corrupt.
motnahp00

Renaming the login name is not really a good fix. If there are cached credentials set somewhere you will still be bombarded on your event logs.

I already asked about the policies above, jerseysam.
Mcgrathnicol

ASKER
Hi motnahp00

I didn't find any event ID 529.
MarkMelanson

I came across this little gem recently. We had a user that was getting locked just about every day. It would usually occur at logon or sometime shortly thereafter (timing was never consistent).

We used the lockout tools to determine that the lockout was coming from a desktop that she had never used. It turned out that the user naming convention y0000000 was part of the issue. The user on the machine that was locking out the account had transposed two numbers to match the locked-out user account. It had gotten cached, so when the user on the lockout machine logged in, the other account would get locked out. We opened the Credential Store and deleted the offending entry.

Fun!
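
Added example, not part of any poster's reply: one way to pull the source machine for event IDs 644 and 529 (the IDs discussed in this thread) from all four DCs at once and tally which workstation the lockouts come from. The DC names and account name are placeholders, and the script assumes Windows PowerShell 2.0 or later on an admin workstation plus the Windows Server 2003 Security-log message layout.

```powershell
# Added example. Placeholders (not from the thread): DC names and the account name.
# Assumes the Windows Server 2003 message layout: "Label:<tab>value", one field per line.
$DomainControllers = 'DC01', 'DC02', 'DC03', 'DC04'
$User  = 'jdoe'
$Since = (Get-Date).AddDays(-1)

# Per event ID: the field that names the account and the field that names the source machine.
$Fields = @{
    644 = @{ Account = 'Target Account Name'; Source = 'Caller Machine Name' }  # account locked out
    529 = @{ Account = 'User Name';           Source = 'Workstation Name'    }  # logon failure
}

function Get-MessageField([string]$Message, [string]$Label) {
    # Return the value that follows "Label:" on its own line, or $null if the field is absent.
    $pattern = '(?m)^\s*' + [regex]::Escape($Label) + ':\s*(\S.*?)\s*$'
    if ($Message -match $pattern) { $Matches[1] } else { $null }
}

$hits = foreach ($dc in $DomainControllers) {
    $err = $null
    $events = Get-EventLog -LogName Security -ComputerName $dc -InstanceId 644, 529 `
                  -After $Since -ErrorAction SilentlyContinue -ErrorVariable err
    # Report unreachable DCs and DCs with no matching events instead of skipping them silently.
    if ($err -and -not $events) { Write-Warning "$dc : $($err[0].Exception.Message)" }

    foreach ($e in $events) {
        $map     = $Fields[[int]$e.EventID]
        $account = Get-MessageField $e.Message $map.Account
        if ($account -eq $User) {              # -eq is case-insensitive for strings
            $source = Get-MessageField $e.Message $map.Source
            New-Object PSObject -Property @{
                Time = $e.TimeGenerated; DC = $dc; EventID = $e.EventID; Source = $source
            }
        }
    }
}

# Tally by source machine; the top entry is the workstation to inspect for stored credentials.
$hits | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
```

`$hits` keeps the per-event detail (time, DC, event ID, source) for matching a lockout to the moment another user logged on at that machine.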