  • Status: Solved
  • Priority: Medium
  • Security: Public

Cannot clear account lockout

Our network was running fine.

Then, in default domain GP, I turned the account lockout feature on.

Pretty quickly, one (and only 1 of 300) user was being repeatedly locked out; ME! I'm the system administrator.

I researched the logs a little, then I just turned the account lockout feature off (values not defined).

This made no difference for my account; I still get locked out every 5 or 10 minutes (I haven't measured the exact interval).

So, I turned account lockout back on and changed the values to safe ones (from 7 failed logons, to 100 and reset after 2 minutes).

This made no difference; I still get locked out repeatedly.


Why can I not just turn account lockout off in default domain GP? (I did gpupdate on my machine after the changes mentioned above - it says it "completed successfully")

I downloaded the AL tools, am trying them now, but it is getting frustrating and I need help.

Domain controller - Win Svr 2008 server core
my PC = Win 7 Pro
Asked by: cgunix
 
jsdray Commented:
Do you have a script/scheduled task running under your account somewhere?
 
jsdray Commented:
Maybe even a manual service you installed...
 
cgunix (Author) Commented:
I would guess there are; however it would be rare that I would use my account for this - I'd use an account where the pw is not set to expire.

I thought that it must be a script/scheduled task and looked at the servers but didn't find any; can you give me a clue how to look for this? I looked in the Security log on servers for failed audits. I found some with my name, but couldn't figure out how to track it further.

Thanks
 
CorinTack (Network Engineer) Commented:
Are you using any sort of remote mail with this account? (In particular, do you have any phones or tablets set up to check this account's e-mail?)

In the past, I've seen accounts get locked out like this because some device is trying to connect to the server, but the password on the device has been corrupted. It will keep trying to log in, and eventually get you locked out.
 
cgunix (Author) Commented:
No, no phones or tablets. I occasionally connect manually (OWA from a browser), but that is all.

Do you have any idea why I still get locked out even with the policy off? (I thought it might be a propagation delay, but it persists even days after the GP change.)
 
CorinTack (Network Engineer) Commented:
Are you seeing anything unusual in the authentication logs (is it showing you trying to log in repeatedly) by any chance?
 
KCTS Commented:
NOT DEFINED does not mean OFF - it means leave it at whatever it is set to.
Set it to DISABLED to switch it OFF.
 
piyushranusri (System Cloud Specialist) Commented:
Try this.

1. Account Lockout and Management Tools, because there could be many reasons for this, so let's start with this first.

2. Power off your system and then try to log on from another system.

3. http://anandthearchitect.com/2011/10/25/active-directory-account-lockout-issues/

4. Can you find which system it is getting locked by? Refer to this URL:

http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Implementing-Troubleshooting-Account-Lockout.html

5. Refer to this article for more troubleshooting and diagnostics:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/6d2cd257-a641-45a7-b842-e938647d7977/domai-account-locked-out-frequently?forum=winserverDS


Please share your output.
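
Added example (not part of the thread or any participant's post): one way to do the "find which system it is getting locked by" step in PowerShell. Lockouts are recorded in the domain controller's Security log as event ID 4740, whose caller computer field names the machine the bad logons came from; the function name, the sample events and `DC01` are assumptions made for illustration.

```powershell
# Added example. Summarises lockout events (Security log, event ID 4740) by the
# computer the failed logons came from. In 4740 the "Caller Computer Name" is
# stored in the TargetDomainName data field.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory = $true)][string[]]$EventXml,  # each item: $event.ToXml()
        [string]$UserName                                   # optional account filter
    )
    $rows = foreach ($text in $EventXml) {
        $e = ([xml]$text).Event
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }
        New-Object PSObject -Property @{
            Time   = $e.System.TimeCreated.SystemTime
            User   = $data['TargetUserName']
            Source = $data['TargetDomainName']
        }
    }
    # One output row per source computer, busiest first.
    $rows | Group-Object Source | Sort-Object Count -Descending | ForEach-Object {
        New-Object PSObject -Property @{
            Source   = $_.Name
            Lockouts = $_.Count
            LastSeen = ($_.Group | Sort-Object Time | Select-Object -Last 1).Time
        }
    }
}

# Constructed sample events (trimmed to the fields used) so the function runs offline.
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4740</EventID>' +
     '<TimeCreated SystemTime="{0}" /></System><EventData><Data Name="TargetUserName">{1}</Data>' +
     '<Data Name="TargetDomainName">{2}</Data></EventData></Event>'
$sample = @(
    ($t -f '2014-01-10T09:15:02Z', 'admin1', 'WS-ADMIN01'),
    ($t -f '2014-01-10T09:22:40Z', 'admin1', 'WS-ADMIN01'),
    ($t -f '2014-01-10T09:31:17Z', 'user42', 'SRV-FILE02')
)
Get-LockoutSource -EventXml $sample -UserName 'admin1'

# Live use from an admin workstation (DC01 is a placeholder for your PDC emulator):
# $live = Get-WinEvent -ComputerName DC01 -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#         ForEach-Object { $_.ToXml() }
# Get-LockoutSource -EventXml $live -UserName 'admin1'
```

Event 4740 is only written when account-management auditing is enabled on the domain controllers.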
 
cgunix (Author) Commented:
I ended up making a paid support call to Microsoft, and while helpful, the bloom is off that rose.

They pointed it to my machine and said I needed to delete and reinstall third party software. I ran Malwarebytes, it found hijack.drives. I chose "remove" and ran the same scan again, and it found it again. (I think there was a boot in there)

At that point I decided to nuke the drive and start over - you just never are sure if you get all of these things.

Thanks for the input

Larry
 
piyushranusri (System Cloud Specialist) Commented:
It's a good learning for us also.

Thanks for sharing the cause.