Drastically shorten your training time with WalkMe's advanced online training solution that Guides your trainees to action. Forget about retraining and skyrocket knowledge retention rates.
Course Of The Month
6 days, 14 hours left to enrollBecome a Premium Member and unlock a new, free course in leading technologies each month.
Solved
Account AD lockout on
Posted on 2013-06-25
We have a user who using smart phone using activesync to sync company email. We are running Exchange 2007.
User change the AD password recently and didn't the new password on device. User reported that whenever device sync the email this will cause the password on AD locked.
The Wintel who working on this issue, informed us this AD lockout was due to Exchange CAS server.
They provided the event ID:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: DC09$
Account Domain: Contoso
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: Contoso\sani
Account Name: sani
Additional Information:
Caller Computer Name: ExchangeCA02
Please advice if issue AD lock out due to ExchangeCA02
User change the AD password recently and didn't the new password on device. User reported that whenever device sync the email this will cause the password on AD locked.
The Wintel who working on this issue, informed us this AD lockout was due to Exchange CAS server.
They provided the event ID:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: DC09$
Account Domain: Contoso
Logon ID: 0x3e7
Account That Was Locked Out:
Security ID: Contoso\sani
Account Name: sani
Additional Information:
Caller Computer Name: ExchangeCA02
Please advice if issue AD lock out due to ExchangeCA02
[X]
Welcome to Experts Exchange
Add your voice to the tech community where 5M+ people just like you are talking about what matters.
- Help others & share knowledge
- Earn cash & points
- Learn & ask questions
4-
4
2- +3
13 Comments
Active 1 day ago
I don't under what you are actually asking.
If the user changes their password, but doesn't change the password in the phone then it is going to lock out the account. The account lockout will come from Exchange because that is where the authentication is happening. You get a small window where the old password works, but then the user needs to change the password entry on the device.
Simon.
If the user changes their password, but doesn't change the password in the phone then it is going to lock out the account. The account lockout will come from Exchange because that is where the authentication is happening. You get a small window where the old password works, but then the user needs to change the password entry on the device.
Simon.
Hi,
Take back-up and wipe the device(smart phone) (i mean un-install active sync). Then configure active sync in the smart phone. It will work, the lockout issue won't occur again if the source is your smart phone active sync connection.
You can also clear cache in your workstation(may be some cached password stored in workstation can cause this issue). In the Log it is given that through CAS server it's getting locked also better to check for any session exist in CAS server with the user ID.
Thanks..,:)
Take back-up and wipe the device(smart phone) (i mean un-install active sync). Then configure active sync in the smart phone. It will work, the lockout issue won't occur again if the source is your smart phone active sync connection.
You can also clear cache in your workstation(may be some cached password stored in workstation can cause this issue). In the Log it is given that through CAS server it's getting locked also better to check for any session exist in CAS server with the user ID.
Thanks..,:)
You need to change password on device too.Change the password in smart phone and you should be looking good.
There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!
For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
Hi,
Check this
http://www.petri.co.il/forums/showthread.php?t=21486
Exchange 2007 ActiveSync policy locks phones
and
Exchange 2007 CAS AD account lockouts
http://www.networksteve.com/exchange/topic.php/Exchange_2007_CAS_AD_account_lockouts/?TopicId=24814&Posts=0
Hope that helps :)
Check this
http://www.petri.co.il/forums/showthread.php?t=21486
Exchange 2007 ActiveSync policy locks phones
and
Exchange 2007 CAS AD account lockouts
http://www.networksteve.com/exchange/topic.php/Exchange_2007_CAS_AD_account_lockouts/?TopicId=24814&Posts=0
Hope that helps :)
Active 3 days ago
Dear All,
I have password policy in AD, whereby any failed attempt more than 3 times, the password will lockout.
Let say password had changed the password due to password age requirement. User is able access laptop/map drive/outlook.
I understand the activesync phone will authenticate with server to sync the email but let say 1st attempt to sync the mail, it should be failed due to password changed.
How frequent the phone will authenticate with server to sync the phone?
I have password policy in AD, whereby any failed attempt more than 3 times, the password will lockout.
Let say password had changed the password due to password age requirement. User is able access laptop/map drive/outlook.
I understand the activesync phone will authenticate with server to sync the email but let say 1st attempt to sync the mail, it should be failed due to password changed.
How frequent the phone will authenticate with server to sync the phone?
Active 3 days ago
HERE IS FULL LOG:
200.44.173.196 is a Load Balancing Hardware for Exchange Client Access
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 6/26/2013 11:20:03 AM
Event ID: 4625
Task Category: Logon
Level: Information
Keywords: Audit Failure
User: N/A
Computer: EXCHCA01.site1.CORP.contoso.com
Description:
An account failed to log on.
Subject:
Security ID: SYSTEM
Account Name: EXCHCA01$
Account Domain: site1
Logon ID: 0x3e7
Logon Type: 8
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: SANI
Account Domain: site1
Failure Information:
Failure Reason: Unknown user name or bad password.
Status: 0xc000006d
Sub Status: 0xc000006a
Process Information:
Caller Process ID: 0xc28
Caller Process Name: C:\Windows\System32\inetsrv\w3wp.exe
Network Information:
Workstation Name: EXCHCA01
Source Network Address: 200.44.173.196
Source Port: 28210
Detailed Authentication Information:
Logon Process: Advapi
Authentication Package: Negotiate
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4625</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8010000000000000</Keywords>
<TimeCreated SystemTime="2013-06-26T03:20:03.097Z" />
<EventRecordID>577862646</EventRecordID>
<Correlation />
<Execution ProcessID="652" ThreadID="4304" />
<Channel>Security</Channel>
<Computer>EXCHCA01.site1.CORP.contoso.com</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">EXCHCA01$</Data>
<Data Name="SubjectDomainName">site1</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-0-0</Data>
<Data Name="TargetUserName">SANI</Data>
<Data Name="TargetDomainName">site1</Data>
<Data Name="Status">0xc000006d</Data>
<Data Name="FailureReason">%%2313</Data>
<Data Name="SubStatus">0xc000006a</Data>
<Data Name="LogonType">8</Data>
<Data Name="LogonProcessName">Advapi </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">EXCHCA01</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0xc28</Data>
<Data Name="ProcessName">C:\Windows\System32\inetsrv\w3wp.exe</Data>
<Data Name="IpAddress">200.44.173.196</Data>
<Data Name="IpPort">28210</Data>
</EventData>
</Event>
200.44.173.196 is a Load Balancing Hardware for Exchange Client Access
If the phone devices is on each time it sync with exchange it will look for authentication.If the invalid attempt passed for x count as mentioned in GPO the account will be locked. The attempts are coming from:200.44.173.196.
Active 1 day ago
The old password can continue to work for some time after it has been changed, because ActiveSync maintains an extended session.
The behaviour is outlined in this KB article:
http://support.microsoft.com/kb/2612821
Simon.
The behaviour is outlined in this KB article:
http://support.microsoft.com/kb/2612821
Simon.
Active 3 days ago
The activesync on exchange server was disabled for a week however when we check on u_ex130710.log (today log), it show that there is incoming activesync from SAMSUNG phone. User didn't use this phone anymore(don't know where the phone is :) )
How do I can stop this.
2013-07-10 00:05:03 10.10.10.22 OPTIONS /Microsoft-Server-ActiveSync/default .eas Cmd=OPTIONS&User=Contoso%5 Csani&Devi ceId=SEC18 51C45AFC9B 9&DeviceTy pe=SAMSUNG GTN7105 443 Contoso\sani 200.44.173.196 SAMSUNG-GT-N7105/100.40102 401 1 1909 0
How do I can stop this.
Active 3 days ago
Clear-ActiveSyncDevice failed:
Shall I enabled the Activesync features on Sani's mailbox? since I disabled it since a week ago
[PS] C:\>Clear-ActiveSyncDevice-Identity sani -WhatIf
Clear-ActiveSyncDevice : Cannot bind parameter 'Identity'. Cannot convert value "imtckm" to type "Microsoft.Exchange.Ma
nagement.Tasks.MobileDeviceIdParamet er". Error: "sani is not a valid identity string for the mobile device. Call the
Get-ActiveSyncDeviceStatistics cmdlet by providing the -Mailbox property along with the user name. Example: Get-ActiveS
yncDeviceStatistics -Mailbox [user name]
Parameter name: deviceIdentity"
At line:1 char:33
+ Clear-ActiveSyncDevice -Identity <<<< sani -WhatIf
Shall I enabled the Activesync features on Sani's mailbox? since I disabled it since a week ago
I also have a similar problem and spend a lot of tije for finding root cause. You need to check the authentication log to the CAS server (Edge server) under path below if you want to know the root cause.
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs
To solve the problem quickly, what you can try is change the username, ex: peter, change to peter222 at Active Directory. User also need to update the login ID for his machine and device after you change.
I believe the user won't get "locked out" issue again.
Hope this can help you.
C:\Program Files\Microsoft\Exchange Server\TransportRoles\Logs
To solve the problem quickly, what you can try is change the username, ex: peter, change to peter222 at Active Directory. User also need to update the login ID for his machine and device after you change.
I believe the user won't get "locked out" issue again.
Hope this can help you.
Featured Post
Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.
Question has a verified solution.
If you are experiencing a similar issue, please ask a related question
Suggested Solutions
| Title | # Comments | Views | Activity |
|---|---|---|---|
| script to trace the email in Office365 | 4 | 49 | |
| Exchange 2010 to Exchange 2016 - VERY slow Mailbox Move | 4 | 106 | |
| Office 365 Spam | 3 | 31 | |
| Migration of public folders - Exchange 2010 | 2 | 35 |
This article outlines the process to identify and resolve account lockout in an Active Directory environment.
This article describes my battle tested process for setting up delegation.
I use this process anywhere that I need to setup delegation.
In the article I will show how it applies to Active Directory
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA).
For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651
If you want to manage em…
Suggested Courses
Course of the Month6 days, 14 hours left to enroll
734 members asked questions and received personalized solutions in the past 7 days.
Join the community of 500,000 technology professionals and ask your questions.