Solved

My AD account locks every 15 seconds.

Posted on 2013-06-20
7
2,082 Views
Last Modified: 2013-10-03
A couple of months ago I had an issue where my AD  account was locking up every few minutes.  

Now I am getting the same thing where my account is locking literally every 15 seconds. I have checked the event logs, account lock out tools.

What can I use to find out which service is locking my account?
0
Comment
Question by:tips54
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 15

Expert Comment

by:Rob Stone
ID: 39264357
It's been a while since I looked at this, but the process I used was:

Downloaded the tools (you've done this by the looks of things)
http://www.microsoft.com/en-us/download/details.aspx?id=18465

One of the tools would show what DC the request is going to first and you can then filter the security event viewer for your account lockout and see what IP address it's generating from.

From that host check any old remote settings, scheduled jobs, anything that may have your credentials cached and out of date.
0
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39264483
Hi ,

Please follow below steps to resolve account lockout issues.

Perform these steps on client side where you used to login.

1.      Check If a Local User Account is present with the same Name as AD account

Click on Start menu à run button type lusrmgr.msc
•      If Present Change/ Rename the local User account.

2.      Clearing Temporary Files

•      Take a fresh browser and select Internet Options from Tools Menu
•      Click on Delete Cookies
•      Click on Delete Files
•      Click on Clear History Button
•      This will clear all your temporary files and History.
•      Delete files in the Temp / Prefetch folder.

3.      Clearing Saved Passwords and Forms

•      Take a fresh browser and select Internet Options from Tools Menu
•      Select the content and click on ‘AutoComplete’
•      Click on clear forms and clear passwords
•      This will clear all the stored passwords


4.      Removing Mapped Drives
•      Go to My Computer
•      Right click on the shared drive (if any)
•      Click disconnect in the menu.
•      This will remove the Shared Drive
 
5.      If user is using Adobe Reader  
•      Delete the Updater5 folder located at C:\Program Files\Common Files\Adobe as shown below
•      Delete the AdobeUpdater.dll file in the folder C:\Program Files\Adobe\Reader 8.0\Reader

6.      Remove the Stored passwords

•      Start->Run
•      Type Control UserPasswords2 in Run Menu
•      Go to AdvancedàManage Passwords
•      Remove all stored passwords

7.      Remove Unnecessary applications from  startup

•      Got o Start > Run
•      type MSCONFIG
•      Click on Startup Tab
•      Uncheck which is not required from startup

8.      Check Antivirus Client for Defn Update / Virus infections.

9.      Check for Third Party Softwares
•      Check for the Existence of Third Party Softwares and Remove

10.      Check for tasks like ( Apple task ), Disable all tasks
11.      
12.      Uninstall auto update software’s ( You can update these software’s manually)


Regards,
Manjunath S
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39265371
Check the account policy in  your AD management console; may there is something that is why its occurring again and again

if you are using windows 2008 then just go to your AD and check the properties of this user

or in 2003 you can go with mste.msc -> group policy management-> policies->windows setting-> security setting-> account locked out policy
0
Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 430 total points
ID: 39265411
If user id is getting frequently locked out use the Eventcomb LockoutStatus.exe to determine which DC it is being locked out upon then examine the security log of that domain controller to determine the member server or workstatuion it is occuring on. You can then check scheduled tasks/services to nail down or log user out of the system identified if logged in.

Does user involved has a smartphone or some kind of mobile device using AD credentials for connecting (like exchange), if it fails to connect 3 times (depending on your GPO's), it locks his account.Have a look on all his stuff using his user account automatically, specially his mobile (90% of the time guilty).

There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Hope this helps
0
 
LVL 2

Expert Comment

by:titan123
ID: 39265743
What are you running, how many users, what is your current config?

It could be many reasons from licensing to user settings. What is the time frame from once you stup the account and when it stops working?

It can be due to the virus trying to use the users credentials. My anti Virus was also not detecting it. A quick way to check, would be to change the password account lockout policy, so that it doesnt lock out after entering the wrong password.

If that stops the problem you know that youve got something nasty on your network.
0
 

Author Comment

by:tips54
ID: 39308569
I got this issue resolved.  I had one of the ISO shares setup using my account.
0
 

Author Closing Comment

by:tips54
ID: 39544372
LockoutStatus helped me identify the issue
0

Featured Post

[Webinar] Code, Load, and Grow

Managing multiple websites, servers, applications, and security on a daily basis? Join us for a webinar on May 25th to learn how to simplify administration and management of virtual hosts for IT admins, create a secure environment, and deploy code more effectively and frequently.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article explains the steps required to use the default Photos screensaver to display branding/corporate images
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
To efficiently enable the rotation of USB drives for backups, storage pools need to be created. This way no matter which USB drive is installed, the backups will successfully write without any administrative intervention. Multiple USB devices need t…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

751 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question