Account keeps locking out for a user

Asked by Mcgrathnicol

I have done the following without success:

- Deleted all cached credentials from the laptop.
- Provided a different laptop.
- Used EventCombMT from Microsoft to trace the locked-out account.
- Found event ID 644 (unable to find any solution for that).
- Confirmed the user is not using an Exchange account to sync email on a mobile phone.

We have four R/W domain controllers and we use Exchange 2010 for email.
FYI - one particular account keeps locking out at least 5-6 times a day.

Is there anything I can do without changing user's login name?

Any advice?
You can review the event logs on your DC and try to find out where the bad authentication attempts are coming from. It's typically a network drive mapped with old invalid credentials.


The only thing I can get on the DC is event ID 644 (account locked out) on Windows Server 2003. I have checked her drives as well, and I am sure there isn't any network drive mapped on it.
On your DCs, do you have auditing enabled for "Audit account logon events"?

gpedit.msc -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Audit Policy

Yes, we have.
Look for event ID 529 for that particular user. You should also see the corresponding computer name from which the attempt was made.
A user has the same issue at this post:

See comment by AlanK (please note this is taken from a website and has therefore not been tested, although it seems to make sense):

"If this is on the domain, then there should be a lot of entries in the domain controller's Security event log. After resetting the user's lockout, go to the DC, save the Security log as a comma-delimited file, and use Excel or another tool to start finding failed logins for that User ID. Some of the event descriptions might have a clue. Use to assist you in interpreting the entries. In particular, look at the client computer that the failure is coming from.

In my experience, the most likely culprit is one of two things. It's probably either a scheduled task running under that user's login or a service running under the user's login. It could also be something like a proxy server setting, but that's not as likely.

As a test, turn off the computer and ask the user to log into another computer and see if he gets the same result. That may indicate a problem that is specific to the particular machine.

Remember to check other computers. Maybe that user's old computer was assigned to another user and has a service or scheduled task with his login.

Finally, try removing the computer from the domain, rebooting, then adding it back to the domain. I've seen problems when a Computer Account is corrupted. This will reset the computer account."


Hi jerseysam

- I am using the account lockout tool, but it is not much help.
- Even after I gave the user a new laptop, the problem is still happening.
Looks like creating a new profile for him, then?
Also, have you checked that you have configured the correct Account Lockout Policies?


I guess providing a new laptop creates a new local profile by itself.

The only thing I hate to do is change the user's login name.
Yes, sorry, I mean a new profile on the server.

It's a pain, but if you have tried a new computer then it must be that his profile is corrupt.
Renaming the login name is not really a good fix. If there are cached credentials set somewhere you will still be bombarded on your event logs.

I already asked about the policies above jerseysam.


Hi motnahp00

I didn't find any event ID 529.
Get ALTools and use LockoutStatus to identify which DC is being authenticated against and causing the lockout. This will also give you a timestamp.

Take that timestamp and investigate the Security log of the DC in question. Should be simple to find the events around the authentication failure for this user.

Those events should tell you the name or IP of the machine from which authentication was attempted and failed. Now you have a lead on where the authentication failure is coming from.

If it's a workstation, maybe the user has some other application on it that's configured with an incorrect password. If it's a server, perhaps the user has left an RDP session idle and disconnected for weeks, and has since changed their password. Or it's a web server - then you'll need to examine the web server logs for the bad authentication attempt(s) to see what machine was presenting there.

Checking things at random is just guessing. There are logs, and those logs will tell you where the auth attempts are coming from, you just have to read them. If your logging level isn't high enough to give you the information you want, increase the logging levels and wait until it happens again.
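The procedure in the answer above (find the lockout on the DC, take its timestamp, then read the failed authentications around it for the caller machine) as a script. This is an added example, not code from the thread or from ALTools. It assumes DCs running Windows Server 2008 or later (the current event IDs 4740, 4771, 4776 and 4625; on Windows Server 2003 the equivalents are 644, 675, 680 and 529 and you would read them with Get-EventLog instead), the RSAT ActiveDirectory module on the machine you run it from, and an account with read access to the Security log on every DC. `$User` is the sAMAccountName of the affected account; the `Get-EventField` helper is assumed and defined here.

```powershell
# Added example: trace a repeated AD account lockout back to the machine
# sending the bad password. Not part of the original thread.
param(
    [Parameter(Mandatory = $true)][string]$User,   # sAMAccountName
    [int]$Hours = 24                               # lookback window
)

Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$Hours)
# Every lockout is processed on the PDC emulator, so 4740 is always there;
# the individual bad-password events live on whichever DC the client used.
$pdc = (Get-ADDomain).PDCEmulator
$dcs = (Get-ADDomainController -Filter *).HostName

# Assumed helper: read one named field from the event's EventData XML.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 1: 4740 "A user account was locked out" on the PDC emulator.
# TargetUserName is the locked account; TargetDomainName carries the
# caller computer name (the host that submitted the final bad password).
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

foreach ($e in $lockouts) {
    $caller = Get-EventField $e 'TargetDomainName'
    '{0:u}  LOCKED OUT  caller computer: {1}' -f $e.TimeCreated, $caller
}

# Step 2: the failed authentications themselves, from every DC in the window.
#   4771 Kerberos pre-auth failed   -> IpAddress      (Status 0x18 = bad password)
#   4776 NTLM validation failed     -> Workstation
#   4625 logon failure              -> WorkstationName, LogonType
$failures = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4771, 4776, 4625; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
        ForEach-Object {
            $ev = $_
            $source = switch ($ev.Id) {
                4771 { Get-EventField $ev 'IpAddress' }
                4776 { Get-EventField $ev 'Workstation' }
                4625 { Get-EventField $ev 'WorkstationName' }
            }
            $logonType = if ($ev.Id -eq 4625) { Get-EventField $ev 'LogonType' } else { '' }
            [pscustomobject]@{
                Time      = $ev.TimeCreated
                DC        = $dc
                Id        = $ev.Id
                Source    = $source
                LogonType = $logonType
            }
        }
}

# Chronological view: line the failures up against the 4740 timestamps.
$failures | Sort-Object Time | Format-Table -AutoSize

# A burst of failures from one source a few minutes apart (often at a
# fixed interval) is the signature of a stored password: a service,
# scheduled task, mapped drive, cached credential or stale RDP session,
# rather than a person mistyping it.
$failures | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

If step 2 returns nothing, the DCs are not auditing logon failures: check with `auditpol /get /category:"Logon/Logoff","Account Logon"` and enable failure auditing for those categories as the earlier answer suggests, then wait for the next lockout. Once the script names a host, `cmdkey /list` on that host shows stored credentials for the account, `schtasks /query /v /fo LIST` shows tasks running under it, and `query user` shows a disconnected session that may still hold the old password.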
I came across this little gem recently. We had a user who was getting locked out just about every day. It would usually occur at logon or sometime shortly thereafter (the timing was never consistent).

We used the lockout tools to determine that the lockout was coming from a desktop that she had never used. It turned out that the user naming convention y0000000 was part of the issue. The user on the machine that was locking out the account had transposed two numbers, matching the locked-out user account. It had gotten cached, so when the user on the lockout machine logged in, the other account would get locked out. We opened the Credential Store and deleted the offending entry.

