Windows User Account Keeps Getting Locked for no apparent reason.

cmp119 (ASKER) asked:

We are operating on a Windows 2003 AD domain, and we have about 20 users on this single domain.  Nothing elaborate, just a straightforward AD domain setup.  All users are set up identically in that they are part of the same security groups with similar access to network drives, etc.

Of all these users, I have one account that keeps getting locked out for no apparent reason.  We've tried resetting her password several times, but after a week or so her account suddenly becomes locked.  Just now while she was accessing a MS Word document on a network drive that she accesses all the time, she was locked out with a popup stating:

"Restoring Network Connections:  An error occurred while reconnecting W: to \\server\share Microsoft Windows Network:  The local device name is already in use.  This connection has not been restored."

She has 5 other network drive mappings and they were all locked out.  They all point to the same file server as well.  I could not create new drive mappings either, so we rebooted.  She was able to log on to her computer, but the drive mappings derived the same error.  I checked her user profile and her account was locked.  I unlocked it and all is well.  

This sort of problem repeatedly happens with this user.  It happens at any given moment while she is in the middle of working.  I even went ahead and swapped out her computer and set up a new local user profile.  I thought there might be some sort of corruption with the local profile on her original machine, so I went ahead and swapped out computers with another user.  The lockout issue happens with the new computer as well.  The next step is creating a new AD user profile.  Do you have any idea why a user profile suddenly locks out a user when they know their password, the reset password period has not expired, and no virus or malware is detected?
Nick Rhode:

This usually occurs if the user is signed onto another system or at one point they ticked the "remember password" field when signing into something.  For Windows 7 you can look at the Credential Manager and see if there are any saved passwords (aka old passwords) that keep attempting to be used.  If this user signed onto another system at one point and did the above, those would have to be checked also.

If the user also is connected to activesync (phone), make sure to update that password as well.
cmp119 (ASKER):

Credential Manager is clean on this computer for this user.  This user's profile does not have access to ActiveSync.  This user can only log on to this computer.

And the user's name and password were not used/set up anywhere else?  Scanner for SMB share, OWA or something on another system, etc.?
cmp119 (ASKER):

I found the following error on our DC.  I cannot find any other errors pertaining to this user account on any DC.  All event logs are clean.

Event Type:     Error
Event Source:   KDC
Event Category: None
Event ID:       26
Date:           9/24/2013
Time:           8:06:50 AM
User:           N/A
Computer:       NEMESIS
Description:
While processing an AS request for target service krbtgt, the account THolmes did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 18. The accounts available etypes were 23 -133 -128 3 -140.

For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
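To read that KDC Event ID 26 without decoding the numbers by hand, here is an added example (not code from the thread or from Microsoft): it parses the description text into the requested and stored encryption types, names them, and states what the mismatch means for an AS request. The etype numbers 1, 3, 17, 18, 23 and 24 are the IANA/RFC 3961 values; the negative ones are the Microsoft-private RC4 variants listed in ntsecapi.h. The sample input is the description quoted in the post above, and the wording of the verdict is the example author's interpretation, not a statement from the thread.

```powershell
# Added example, not from the thread. Decodes a KDC Event ID 26 description and
# explains the etype mismatch. Positive etype numbers are the RFC 3961 values;
# the negative ones are Microsoft-private RC4 variants as listed in ntsecapi.h.
$EtypeNames = @{
    1      = 'DES-CBC-CRC'
    3      = 'DES-CBC-MD5'
    17     = 'AES128-CTS-HMAC-SHA1-96'
    18     = 'AES256-CTS-HMAC-SHA1-96'
    23     = 'RC4-HMAC'
    24     = 'RC4-HMAC-EXP'
    (-128) = 'RC4-MD4 (Microsoft-private)'
    (-133) = 'RC4-HMAC-OLD (Microsoft-private)'
    (-140) = 'RC4-PLAIN (Microsoft-private)'
}
$AesEtypes = 17, 18

function Get-EtypeName([int]$Etype) {
    if ($EtypeNames.ContainsKey($Etype)) { "$Etype=$($EtypeNames[$Etype])" } else { "$Etype=unknown" }
}

function ConvertFrom-EtypeList([string]$Text) {
    # "23  -133  -128  3  -140" -> 23, -133, -128, 3, -140
    @($Text -split '\s+' | Where-Object { $_ } | ForEach-Object { [int]$_ })
}

function ConvertFrom-KdcEvent26 {
    param([string]$Description)
    if ($Description -match 'target service (\S+), the account (\S+) did not have') {
        $service, $account = $Matches[1], $Matches[2]
    } else { throw 'Not an Event ID 26 description' }
    if ($Description -match 'requested etypes were ([-\d\s]+)\.') { $requested = ConvertFrom-EtypeList $Matches[1] }
    if ($Description -match 'available etypes were ([-\d\s]+)\.') { $available = ConvertFrom-EtypeList $Matches[1] }

    $usable     = @($requested | Where-Object { $available -contains $_ })
    $aesOnlyAsk = @($requested | Where-Object { -not ($AesEtypes -contains $_) }).Count -eq 0
    $hasAesKey  = @($available | Where-Object { $AesEtypes -contains $_ }).Count -gt 0

    # The interpretation below is the example author's, not something stated in the thread.
    $verdict = if ($usable.Count -gt 0) {
        'Requested and stored etypes overlap, so the missing key is not what failed this request.'
    } elseif ($aesOnlyAsk -and -not $hasAesKey) {
        "The client offered only AES but $account has no AES key stored (RC4/DES only). Kerberos keys " +
        'are derived when the password is set, and a Windows 2003 DC cannot compute AES keys, so a ' +
        'reset processed there leaves the account in this state; check PasswordLastSet and which DC handled it.'
    } else {
        'No etype in common; compare the client''s allowed etypes with the keys stored for the account.'
    }

    New-Object PSObject -Property @{
        Account   = $account
        Service   = $service
        Requested = @($requested | ForEach-Object { Get-EtypeName $_ })
        Available = @($available | ForEach-Object { Get-EtypeName $_ })
        Verdict   = $verdict
    }
}

# Constructed input: the description text quoted in the post above.
$Sample = 'While processing an AS request for target service krbtgt, the account THolmes did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 2). The requested etypes were 18.  The accounts available etypes were 23  -133  -128  3  -140.'
ConvertFrom-KdcEvent26 $Sample | Format-List Account, Service, Requested, Available, Verdict
```

On the event above it reports that the requester offered only AES256 (18) while the stored keys for THolmes are RC4 and DES variants, so no common key exists. A KDC Event 26 on its own is an authentication failure, not a lockout; it only becomes evidence for the lockout if it lines up in time with the 4740/644 lockout record for the same account, which is the correlation the later posts in this thread go on to do.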
cmp119 (ASKER):

This user cannot access OWA, and we do not use SMB shares.
Will Szymkowski:

If you do not have any sort of AD logging/audit software to point this out, the only way to see what is happening is in the Security logs of the DC.  How many DCs do you have in your environment?  With only 20 users I am assuming that you only have one DC?

If this is the case, log in to your DC and increase the log file size (as many get overwritten due to consistent authentication).  From there you will need to monitor exactly when the user encounters this lockout symptom.  Once that has happened, log in to the DC and filter on "Audit Failure".  From there you should be able to find out what machine it is coming from and on what ports/application.

This gets difficult if you have more than 1 DC in your environment (which most companies do).  This means that the client can be authenticating to a particular DC and then switch to another DC in your environment.

You can use a program called ADAudit Plus which is not free, but they have a 30-day free trial to use which will easily sort out your issues.

ADAudit Plus: http://www.manageengine.com/products/active-directory-audit/

Here is another PAQ which was accepted using this application...
https://www.experts-exchange.com/questions/28241804/AD-Logging-Email-Address-Change.html

Thanks

Will.
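One way to do the Security-log search Will describes across every DC at once, as an added example that is not code from the thread or from ADAudit Plus: it enumerates the domain's DCs, reads the lockout and bad-password events for the account from each DC's Security log, and prints which machine or address each one came from. It assumes it runs on a domain-joined admin workstation with PowerShell 2.0 or later and rights to read the Security log on each DC; the account name defaults to THolmes from the KDC event quoted earlier, and the 24-hour search window is an arbitrary default.

```powershell
# Added example, not code from the thread or from ADAudit Plus. Assumes a
# domain-joined admin host with PowerShell 2.0+ and rights to read the Security
# log on every DC. $User defaults to the account named in the KDC event; the
# 24-hour window is an arbitrary default.
param([string]$User = 'THolmes', [int]$Hours = 24)

# Events that record where a lockout or a bad password came from.
# Server 2008+/2012 DC: 4740 lockout, 4771 Kerberos pre-auth failed, 4776 NTLM failed.
# Server 2003 DC:        644 lockout,  675 Kerberos pre-auth failed,  680 NTLM failed.
$Ids = 4740, 4771, 4776, 644, 675, 680

# The account is labelled differently in each event; match any of the labels.
$AccountPattern = "(Account Name|User Name|Logon Account|Target Account Name):\s+$User\b"

function Get-SourceFromMessage {
    param([string]$Message)
    # Lockout events name the calling machine; failed logons carry a client
    # address or workstation name. Return the first one present.
    foreach ($label in 'Caller Computer Name', 'Caller Machine Name',
                       'Client Address', 'Source Workstation') {
        if ($Message -match "${label}:\s+(\S+)") { return $Matches[1] }
    }
    return '?'
}

function Get-AccountAuthFailures {
    param([string]$DC, [datetime]$Since)
    # Get-EventLog uses the legacy event log API, so it reads a Windows 2003 DC
    # as well as a 2012 one. -After keeps the remote read small; the ID and
    # account filters are applied client-side.
    Get-EventLog -ComputerName $DC -LogName Security -After $Since |
        Where-Object { ($Ids -contains $_.EventID) -and ($_.Message -match $AccountPattern) } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Time   = $_.TimeGenerated
                DC     = $DC
                Id     = $_.EventID
                Source = Get-SourceFromMessage $_.Message
            }
        }
}

$since = (Get-Date).AddHours(-$Hours)
$dcs   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers |
         ForEach-Object { $_.Name }

$events = foreach ($dc in $dcs) { Get-AccountAuthFailures -DC $dc -Since $since }
$events | Sort-Object Time | Format-Table Time, DC, Id, Source -AutoSize
```

Run it right after the user reports a lockout. The lockout record (4740 on a 2008+ DC, 644 on a 2003 DC) is written on the DC that locked the account and also on the PDC emulator, so with the FSMO roles on the Windows 2003 DC that log is the first place a 644 should appear; the 4771/675 entries on whichever DC the client was talking to carry the address that sent the wrong password. The script returns nothing for a period in which account logon and account management auditing was off, and a Security log that has wrapped since the lockout is the same as no log, which is why raising the log size comes before waiting for the next occurrence.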
cmp119 (ASKER):

The primary DC holding all the FSMO roles is a Windows 2003 DC.  I added a Windows 2012 DC 5 months ago.  At that time I also removed another Windows 2003 DC cleanly, meaning I was able to run dcpromo to remove it.  This user has had this problem for over a year now.  It's sporadic in that everything may work fine for a month or so, and then it happens.  It could take months before it returns.

The only thing you can do if it is sporadic is increase the log size and wait for the user to update you the next time it happens.  The only bad thing about this is that if the user does not update you in a decent period of time your logs might overwrite themselves at that point.

Using ADAudit Plus is more than just password lockouts etc.  With a small environment it might be overkill, as not many people may have access to change the AD environment, but it is a good reporting tool and you would not have to rely on the user to update you with this information.
cmp119 (ASKER):

The event log is sufficiently providing an adequate amount of information.  I found the same error for this user dated 9/16/2013 at 8:01am, 9/12/2013 at 8:02am, 9/10/2013 at 1:04pm, 9/10/2013 at 7:57am.  Then on 9/9/2013 at 8:01am I see the same error for another user.  These KDC errors are mostly for the user that gets her account locked out, and seldom for 2 or 3 other users.  These 2 or 3 other users don't experience the lockout issue.
ASKER CERTIFIED SOLUTION
w_richard

This solution is only available to members.
cmp119 (ASKER):

We located the lockout issue on one of the two DCs.  I am working with Dell Support on the exact cause.
cmp119 (ASKER):

Thank you for your help.