Solved

My AD account locks every 15 seconds.

Posted on 2013-06-20
7
2,261 Views
Last Modified: 2013-10-03
A couple of months ago I had an issue where my AD  account was locking up every few minutes.  

Now I am getting the same thing where my account is locking literally every 15 seconds. I have checked the event logs, account lock out tools.

What can I use to find out which service is locking my account?
0
Comment
Question by:tips54
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
7 Comments
 
LVL 15

Expert Comment

by:Rob Stone
ID: 39264357
It's been a while since I looked at this, but the process I used was:

Downloaded the tools (you've done this by the looks of things)
http://www.microsoft.com/en-us/download/details.aspx?id=18465

One of the tools would show what DC the request is going to first and you can then filter the security event viewer for your account lockout and see what IP address it's generating from.

From that host check any old remote settings, scheduled jobs, anything that may have your credentials cached and out of date.
0
 
LVL 11

Expert Comment

by:Manjunath Sullad
ID: 39264483
Hi ,

Please follow below steps to resolve account lockout issues.

Perform these steps on client side where you used to login.

1.      Check If a Local User Account is present with the same Name as AD account

Click on Start menu à run button type lusrmgr.msc
•      If Present Change/ Rename the local User account.

2.      Clearing Temporary Files

•      Take a fresh browser and select Internet Options from Tools Menu
•      Click on Delete Cookies
•      Click on Delete Files
•      Click on Clear History Button
•      This will clear all your temporary files and History.
•      Delete files in the Temp / Prefetch folder.

3.      Clearing Saved Passwords and Forms

•      Take a fresh browser and select Internet Options from Tools Menu
•      Select the content and click on ‘AutoComplete’
•      Click on clear forms and clear passwords
•      This will clear all the stored passwords


4.      Removing Mapped Drives
•      Go to My Computer
•      Right click on the shared drive (if any)
•      Click disconnect in the menu.
•      This will remove the Shared Drive
 
5.      If user is using Adobe Reader  
•      Delete the Updater5 folder located at C:\Program Files\Common Files\Adobe as shown below
•      Delete the AdobeUpdater.dll file in the folder C:\Program Files\Adobe\Reader 8.0\Reader

6.      Remove the Stored passwords

•      Start->Run
•      Type Control UserPasswords2 in Run Menu
•      Go to AdvancedàManage Passwords
•      Remove all stored passwords

7.      Remove Unnecessary applications from  startup

•      Got o Start > Run
•      type MSCONFIG
•      Click on Startup Tab
•      Uncheck which is not required from startup

8.      Check Antivirus Client for Defn Update / Virus infections.

9.      Check for Third Party Softwares
•      Check for the Existence of Third Party Softwares and Remove

10.      Check for tasks like ( Apple task ), Disable all tasks
11.      
12.      Uninstall auto update software’s ( You can update these software’s manually)


Regards,
Manjunath S
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39265371
Check the account policy in  your AD management console; may there is something that is why its occurring again and again

if you are using windows 2008 then just go to your AD and check the properties of this user

or in 2003 you can go with mste.msc -> group policy management-> policies->windows setting-> security setting-> account locked out policy
0
Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 430 total points
ID: 39265411
If user id is getting frequently locked out use the Eventcomb LockoutStatus.exe to determine which DC it is being locked out upon then examine the security log of that domain controller to determine the member server or workstatuion it is occuring on. You can then check scheduled tasks/services to nail down or log user out of the system identified if logged in.

Does user involved has a smartphone or some kind of mobile device using AD credentials for connecting (like exchange), if it fails to connect 3 times (depending on your GPO's), it locks his account.Have a look on all his stuff using his user account automatically, specially his mobile (90% of the time guilty).

There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Hope this helps
0
 
LVL 2

Expert Comment

by:titan123
ID: 39265743
What are you running, how many users, what is your current config?

It could be many reasons from licensing to user settings. What is the time frame from once you stup the account and when it stops working?

It can be due to the virus trying to use the users credentials. My anti Virus was also not detecting it. A quick way to check, would be to change the password account lockout policy, so that it doesnt lock out after entering the wrong password.

If that stops the problem you know that youve got something nasty on your network.
0
 

Author Comment

by:tips54
ID: 39308569
I got this issue resolved.  I had one of the ISO shares setup using my account.
0
 

Author Closing Comment

by:tips54
ID: 39544372
LockoutStatus helped me identify the issue
0

Featured Post

Salesforce Has Never Been Easier

Improve and reinforce salesforce training & adoption using WalkMe's digital adoption platform. Start saving on costly employee training by creating fast intuitive Walk-Thrus for Salesforce. Claim your Free Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
Group policies can be applied selectively to specific devices with the help of groups. Utilising this, it is possible to phase-in group policies, over a period of time, by randomly adding non-members user or computers at a set interval, to a group f…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question