Solved

Cannot clear account lockout

Posted on 2013-10-25
10
466 Views
Last Modified: 2013-10-31
Our network was running fine.

Then, in default domain GP, I turned the account lockout feature on.

Pretty quickly, one (and only 1 of 300) user was being repeatedly locked out; ME! I'm the system administrator.

I researched the logs a little, then I just turned the account lockout feature off (values not defined)

This made no difference for my account; I still get locked out every 5 or 10 minutes (I haven't measured the exact interval)

So, I turned account lockout back on and changed the values to safe ones (from 7 failed logons, to 100 and reset after 2 minutes)

This made no difference; I still get locked out repeatedly.


Why can I not just turn account lockout off in default domain GP? (I did gpupdate on my machine after the changes mentioned above - it says it "completed successfully")

I downloaded the AL tools, am trying them now, but it is getting frustrating and I need help.

Domain controller - Win Svr 2008 server core
my PC = Win 7 Pro
0
Comment
Question by:cgunix
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
  • 2
  • +2
10 Comments
 
LVL 9

Expert Comment

by:jsdray
ID: 39601614
do you have a script/scheduled task running under you're account somewhere?
0
 
LVL 9

Assisted Solution

by:jsdray
jsdray earned 100 total points
ID: 39601623
maybe even a manual service you installed.....
0
 

Author Comment

by:cgunix
ID: 39601630
I would guess there are; however it would be rare that I would use my account for this - I'd use an account where the pw is not set to expire.

I thought that it must be a script/scheduled task and looked at the servers but didn't find any; can you give me a clue how to look for this? I looked in the Security log on servers for failed audits. I found some with my name, but couldn't figure out how to track it further

Thanks
0
Does Powershell have you tied up in knots?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
LVL 7

Assisted Solution

by:CorinTack
CorinTack earned 100 total points
ID: 39601635
Are you using any sort of remote mail with this account? (In particular, do you have any phones or tablets set up to check this account's e-mail?)

In the past, I've seen accounts get locked out like this because some device is trying to connect to the server, but the password on the device has been corrupted. It will keep trying to log in, and eventually get you locked out.
0
 

Author Comment

by:cgunix
ID: 39601651
No, no phones or tablets. I occasionally connect manually (OWA from a browser), but that is all

Do you have any idea why I still get locked out even with the policy off? (I thought it might be a propagation delay, but it persists even days after the GP change.)
0
 
LVL 7

Expert Comment

by:CorinTack
ID: 39601656
Are you seeing anything unusual in the authentication logs (is it showing you trying to log in repeatedly) by any chance?
0
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 100 total points
ID: 39601665
NOT DEFINED does not mean OFF - it means leave it to whatever it set to
Set it to DISABLED to switch it OFF
0
 
LVL 8

Accepted Solution

by:
piyushranusri earned 200 total points
ID: 39602188
try with this.

1 Account Lockout and Management Tools
because reason for this could be many , so lets start with this first

2. power off your system and then try to log on by other system

3. http://anandthearchitect.com/2011/10/25/active-directory-account-lockout-issues/

4. can you find by which system it getting locked, refer this URL

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Implementing-Troubleshooting-Account-Lockout.html

5.  refer this article for more troubleshooting and diagnostic
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6d2cd257-a641-45a7-b842-e938647d7977/domai-account-locked-out-frequently?forum=winserverDS


please share your output
0
 

Author Closing Comment

by:cgunix
ID: 39614951
I ended up making a paid support call to Microsoft, and while helpful, the bloom is off that rose.

They pointed it to my machine and said I needed to  delete and reinstall  third party software . I ran Malwarebytes, it found hijack.drives. I chose "remove" and ran the same scan again, and it found it again. (I think there was a boot in there)

At that point I decided to nuke the drive and start over - you just never are sure if you get all of these things.

Thanks for the input

Larry
0
 
LVL 8

Expert Comment

by:piyushranusri
ID: 39615887
its a good learning for us also.

thanks for sharing the cause.
0

Featured Post

Creating Instructional Tutorials  

For Any Use & On Any Platform

Contextual Guidance at the moment of need helps your employees/users adopt software o& achieve even the most complex tasks instantly. Boost knowledge retention, software adoption & employee engagement with easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Background Information Recently I have fixed file server permission issues for one of my client. The client has 1800 users and one Windows Server 2008 R2 domain joined file server with 12 TB of data, 250+ shared folders and the folder structure i…
It’s been over a month into 2017, and there is already a sophisticated Gmail phishing email making it rounds. New techniques and tactics, have given hackers a way to authentically impersonate your contacts.How it Works The attack works by targeti…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question