Windows User Account Keeps Getting Locked for no apparent reason.

We are operating on a Windows 2003 AD domain, and we have about 20 users on this single domain.  Nothing elaborate, simply a straightforward AD domain setup.  All users are set up identically in that they are part of the same security groups with similar access to network drives, etc.

Of all these users, I have one account that keeps getting locked out for no apparent reason.  We've tried resetting her password several times, but after a week or so her account suddenly becomes locked.  Just now while she was accessing a MS Word document on a network drive that she accesses all the time, she was locked out with a popup stating:

"Restoring Network Connections:  An error occurred while reconnecting W: to \\server\share Microsoft Windows Network:  The local device name is already in use.  This connection has not been restored."

She has 5 other network drive mappings and they were all locked out.  They all point to the same file server as well.  I could not create new drive mappings either, so we rebooted.  She was able to log on to her computer, but the drive mappings derived the same error.  I checked her user profile and her account was locked.  I unlocked it and all is well.  

This sort of problem repeatedly happens with this user.  It happens at any given moment while she is in the middle of working.  I even went ahead and swapped out her computer and set up a new local user profile.  I thought there might be some sort of corruption with the local profile on her original machine, so I went ahead and swapped out computers with another user.  The lockout issue happens with the new computer as well.  The next step is creating a new AD user profile.  Do you have any idea why a user profile suddenly locks out a user when they know their password, the reset password period has not expired, and no virus or malware is detected?
cmp119 (IT Manager) Asked:

Nick Rhode (IT Director) Commented:
This usually occurs if the user is signed onto another system or at one point they ticked the "remember password" field when signing into something.  For Windows 7 you can look at the Credential Manager and see if there are any saved passwords (aka old passwords) that keep attempting to be used.  Did this user sign onto another system at one point and do the above? Those would have to be checked also.

If the user is also connected to ActiveSync (phone), make sure to update that password as well.
0
cmp119 (IT Manager, Author) Commented:
Credential Manager is clean on this computer for this user.  This user's profile does not have access to ActiveSync.  This user can only logon to this computer.
0
Nick Rhode (IT Director) Commented:
And the user's name and password were not used/set up anywhere else?  Scanner for SMB share, OWA or something on another system etc?
0

cmp119 (IT Manager, Author) Commented:
I found the following error on our DC.  I cannot find any other errors pertaining to this user account on any DC.  All event logs are clean.

Event Type:      Error
Event Source:      KDC
Event Category:      None
Event ID:      26
Date:            9/24/2013
Time:            8:06:50 AM
User:            N/A
Computer:      NEMESIS
Description:
While processing an AS request for target service krbtgt, the account THolmes did not  have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  -140.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
0
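The KDC event above can be read mechanically. This is an added example, not part of the original thread: it parses the Event ID 26 description quoted in the post and names the Kerberos encryption types, showing that the request asked for etype 18 while the account holds no key of that type. The function names are illustrative; the etype names come from the IANA Kerberos registry.

```python
import re

# Kerberos encryption type numbers (IANA registry; RFC 3961, 3962, 4757).
ETYPE_NAMES = {
    1: "des-cbc-crc",
    3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96",
    18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac",
}

# Matches the description text of KDC Event ID 26 as quoted in the post.
EVENT_RE = re.compile(
    r"the account (?P<account>\S+) did not\s+have a suitable key.*?"
    r"requested etypes were (?P<req>[-\d\s]+?)\.\s+"
    r"The accounts available etypes were (?P<avail>[-\d\s]+?)\.",
    re.S,
)

# Description copied from the event in the post above.
SAMPLE = (
    "While processing an AS request for target service krbtgt, the account "
    "THolmes did not  have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 2). The requested etypes were 18.  "
    "The accounts available etypes were 23  -133  -128  3  -140."
)

def etype_name(etype):
    """Name an etype; negative numbers are Microsoft-private values."""
    if etype < 0:
        return "Microsoft-private etype"
    return ETYPE_NAMES.get(etype, "unknown")

def parse_kdc26(description):
    """Return account, requested/available etypes and the unmet requests."""
    m = EVENT_RE.search(description)
    if m is None:
        return None
    requested = [int(x) for x in m.group("req").split()]
    available = [int(x) for x in m.group("avail").split()]
    return {
        "account": m.group("account"),
        "requested": requested,
        "available": available,
        "missing": [e for e in requested if e not in available],
        "has_aes_key": any(e in (17, 18) for e in available),
    }

if __name__ == "__main__":
    info = parse_kdc26(SAMPLE)
    for e in info["requested"] + info["available"]:
        print(e, etype_name(e))
    print("requested but not held:", info["missing"])
```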
cmp119 (IT Manager, Author) Commented:
This user cannot access OWA, and we do not use SMB shares.
0
Will Szymkowski (Senior Solution Architect) Commented:
If you do not have any sort of AD logging/audit software to point this out, the only way to see what is happening is in the Security logs of the DC. How many DCs do you have in your environment? With only 20 users I am assuming that you only have one DC?

If this is the case, log in to your DC and increase the log file size (as many get overwritten due to consistent authentication). From there you will need to monitor exactly when the user encounters this lockout symptom. Once that has happened, log in to the DC and filter on "Audit failure". From there you should be able to find out what machine it is coming from and on what ports/application.

This gets difficult if you have more than 1 DC in your environment (which most companies do). This means that the client can be authenticating to a particular DC and then switch to another DC in your environment.

You can use a program called ADAuditPlus which is not free, but they have a 30-day free trial to use which will easily sort out your issues.

ADAudit Plus: http://www.manageengine.com/products/active-directory-audit/

Here is another PAQ which was accepted using this application...
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28241804.html

Thanks

Will.
0
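The procedure in the comment above (filter the Security log on Audit Failure around the lockout, across every DC) can be scripted once the logs are exported. This is an added example, not part of the original thread: the CSV layout, the DC2 name and the WS-* host names are constructed placeholders, and NEMESIS and THolmes are taken from the event quoted earlier.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# "User account locked out": 644 on Windows 2003 DCs, 4740 on 2008 and later.
LOCKOUT_IDS = {644, 4740}

# Constructed export merged from two DCs: dc,time,type,event_id,account,source
SAMPLE = """\
NEMESIS,2013-09-24 07:58:10,Audit Failure,675,THolmes,WS-A
DC2,2013-09-24 08:01:02,Audit Failure,4771,THolmes,WS-B
DC2,2013-09-24 08:01:40,Audit Failure,4771,THolmes,WS-B
NEMESIS,2013-09-24 08:03:15,Audit Failure,675,THolmes,WS-B
DC2,2013-09-24 08:04:00,Audit Success,4624,THolmes,WS-A
NEMESIS,2013-09-24 08:06:50,Audit Success,644,THolmes,WS-B
DC2,2013-09-24 08:05:00,Audit Failure,4771,JDoe,WS-C
"""

def load(text):
    """Parse the export into dicts with real timestamps."""
    rows = []
    for dc, when, kind, event_id, account, source in csv.reader(io.StringIO(text)):
        rows.append({"dc": dc, "time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                     "type": kind, "id": int(event_id),
                     "account": account, "source": source})
    return rows

def lockout_sources(rows, account, window_minutes=30):
    """For each lockout of the account, count the failure sources before it."""
    mine = sorted((r for r in rows if r["account"].lower() == account.lower()),
                  key=lambda r: r["time"])
    window = timedelta(minutes=window_minutes)
    report = []
    for lock in (r for r in mine if r["id"] in LOCKOUT_IDS):
        fails = [r for r in mine if r["type"] == "Audit Failure"
                 and lock["time"] - window <= r["time"] <= lock["time"]]
        report.append({
            "locked_at": lock["time"],
            "dc": lock["dc"],
            # Failures may be spread over several DCs, so all logs are merged.
            "failure_dcs": sorted({r["dc"] for r in fails}),
            "sources": Counter(r["source"] for r in fails).most_common(),
        })
    return report

if __name__ == "__main__":
    for entry in lockout_sources(load(SAMPLE), "THolmes"):
        print(entry)
```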
cmp119 (IT Manager, Author) Commented:
The primary DC holding all the FSMO roles is a Windows 2003 DC.  I added a Windows 2012 DC 5 months ago.  At that time I also removed another Windows 2003 DC cleanly, meaning I was able to run dcpromo to remove it.  This user has had this problem for over a year now.  It's sporadic in that everything may work fine for a month or so, and then it happens.  It could take months before it returns.
0
Will Szymkowski (Senior Solution Architect) Commented:
The only thing you can do if it is sporadic is increase the log size and wait for the user to update you the next time it happens. The only bad thing about this is that if the user does not update you in a decent period of time, your logs might overwrite themselves at that point.

Using ADAudit Plus is more than just password lockouts etc. With a small environment it might be overkill as not many people may have access to change the AD environment, but it is a good reporting tool and you would not have to rely on the user to update you with this information.
0
cmp119 (IT Manager, Author) Commented:
The event log is sufficiently providing an adequate amount of information.  I found the same error for this user dated 9/16/2013 at 8:01am, 9/12/2013 at 8:02am, 9/10/2013 at 1:04pm, 9/10/2013 at 7:57am.  Then on 9/9/2013 at 8:01am I see the same error for another user.  These KDC errors are mostly for the user that gets her account locked out, and seldom for 2 or 3 other users.  These 2 or 3 other users don't experience the lockout issue.
0
w_richard Commented:
Use lockout tools from MS to track this down.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465

Instructions:

http://technet.microsoft.com/en-us/library/cc738772(WS.10).aspx

You can see which DC the account is getting locked out on and look at the event logs there, and you can also install a DLL on the user's workstation to see what is actually locking them out. Great set of tools.

Moreover, please also check: has the user changed their password recently? This issue (their account gets mysteriously locked out but ONLY while Outlook is running) sometimes crops up at our place when laptop users change their password. I suspect their Windows cached credentials are still somehow associated with the old password. Or that Outlook somehow has a cached set of credentials (although I don't think Outlook even has such a thing?)

If you want, please try these steps manually also:

Control Panel -> User Accounts -> Advanced tab -> Manage Passwords

Thanks.
0

cmp119 (IT Manager, Author) Commented:
We located the lockout issue on one of the two DCs.  I am working with Dell Support on the exact cause.
0
cmp119 (IT Manager, Author) Commented:
Thank you for your help.
0