Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

My AD account locks every 15 seconds.

Posted on 2013-06-20
7
Medium Priority
?
2,728 Views
Last Modified: 2013-10-03
A couple of months ago I had an issue where my AD  account was locking up every few minutes.  

Now I am getting the same thing where my account is locking literally every 15 seconds. I have checked the event logs, account lock out tools.

What can I use to find out which service is locking my account?
0
Comment
Question by:tips54
7 Comments
 
LVL 15

Expert Comment

by:Rob Stone
ID: 39264357
It's been a while since I looked at this, but the process I used was:

Downloaded the tools (you've done this by the looks of things)
http://www.microsoft.com/en-us/download/details.aspx?id=18465

One of the tools would show what DC the request is going to first and you can then filter the security event viewer for your account lockout and see what IP address it's generating from.

From that host check any old remote settings, scheduled jobs, anything that may have your credentials cached and out of date.
0
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39264483
Hi ,

Please follow below steps to resolve account lockout issues.

Perform these steps on client side where you used to login.

1.      Check If a Local User Account is present with the same Name as AD account

Click on Start menu à run button type lusrmgr.msc
•      If Present Change/ Rename the local User account.

2.      Clearing Temporary Files

•      Take a fresh browser and select Internet Options from Tools Menu
•      Click on Delete Cookies
•      Click on Delete Files
•      Click on Clear History Button
•      This will clear all your temporary files and History.
•      Delete files in the Temp / Prefetch folder.

3.      Clearing Saved Passwords and Forms

•      Take a fresh browser and select Internet Options from Tools Menu
•      Select the content and click on ‘AutoComplete’
•      Click on clear forms and clear passwords
•      This will clear all the stored passwords


4.      Removing Mapped Drives
•      Go to My Computer
•      Right click on the shared drive (if any)
•      Click disconnect in the menu.
•      This will remove the Shared Drive
 
5.      If user is using Adobe Reader  
•      Delete the Updater5 folder located at C:\Program Files\Common Files\Adobe as shown below
•      Delete the AdobeUpdater.dll file in the folder C:\Program Files\Adobe\Reader 8.0\Reader

6.      Remove the Stored passwords

•      Start->Run
•      Type Control UserPasswords2 in Run Menu
•      Go to AdvancedàManage Passwords
•      Remove all stored passwords

7.      Remove Unnecessary applications from  startup

•      Got o Start > Run
•      type MSCONFIG
•      Click on Startup Tab
•      Uncheck which is not required from startup

8.      Check Antivirus Client for Defn Update / Virus infections.

9.      Check for Third Party Softwares
•      Check for the Existence of Third Party Softwares and Remove

10.      Check for tasks like ( Apple task ), Disable all tasks
11.      
12.      Uninstall auto update software’s ( You can update these software’s manually)


Regards,
Manjunath S
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39265371
Check the account policy in  your AD management console; may there is something that is why its occurring again and again

if you are using windows 2008 then just go to your AD and check the properties of this user

or in 2003 you can go with mste.msc -> group policy management-> policies->windows setting-> security setting-> account locked out policy
0
Configuration Guide and Best Practices

Read the guide to learn how to orchestrate Data ONTAP, create application-consistent backups and enable fast recovery from NetApp storage snapshots. Version 9.5 also contains performance and scalability enhancements to meet the needs of the largest enterprise environments.

 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 1290 total points
ID: 39265411
If user id is getting frequently locked out use the Eventcomb LockoutStatus.exe to determine which DC it is being locked out upon then examine the security log of that domain controller to determine the member server or workstatuion it is occuring on. You can then check scheduled tasks/services to nail down or log user out of the system identified if logged in.

Does user involved has a smartphone or some kind of mobile device using AD credentials for connecting (like exchange), if it fails to connect 3 times (depending on your GPO's), it locks his account.Have a look on all his stuff using his user account automatically, specially his mobile (90% of the time guilty).

There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Hope this helps
0
 
LVL 2

Expert Comment

by:titan123
ID: 39265743
What are you running, how many users, what is your current config?

It could be many reasons from licensing to user settings. What is the time frame from once you stup the account and when it stops working?

It can be due to the virus trying to use the users credentials. My anti Virus was also not detecting it. A quick way to check, would be to change the password account lockout policy, so that it doesnt lock out after entering the wrong password.

If that stops the problem you know that youve got something nasty on your network.
0
 

Author Comment

by:tips54
ID: 39308569
I got this issue resolved.  I had one of the ISO shares setup using my account.
0
 

Author Closing Comment

by:tips54
ID: 39544372
LockoutStatus helped me identify the issue
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In the absence of a fully-fledged GPO Management product like AGPM, the script in this article will provide you with a simple way to watch the domain (or a select OU) for GPOs changes and automatically take backups when policies are added, removed o…
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question