Solved

Account locked

Posted on 2013-10-29
Last Modified: 2013-12-10
Greetings,

We have some users who have their accounts locked every morning. They have these common points:

They are using Windows 7 with service pack 1 and all updates are done.

They are using Outlook as email client with an Exchange account.

Details that might interest you:

The same troubleshooting has been done, and they are not in the same branch but are on the same domain.

We have reinstalled the computers from scratch, but the problem reappeared the next time they logged in to the system.

We have cleared the Windows vault, cleared temporary files in the temp folder and temporary internet files, and used Disk Cleanup.

We have used the delete feature in Internet Options, checking everything.

After unlocking the account in Active Directory, we asked them to reboot and log on again, and the account was not locked. If it's not locked, it remains OK for the rest of the day, but we noticed that the account gets locked when the users log on to the system when they get into the office to start their shift.

A logon script is used but it cannot be the cause or else everybody would have the same problem.

I do believe there is something between Active Directory and Exchange but cannot determine what it is.

Any suggestions?
0
Comment
Question by:richelieuhq
16 Comments
 
LVL 57

Expert Comment

by:McKnife
ID: 39608352
Please consult the server logs to see where the lockout originated. You could also start the account lockout toolkit's GUI tool to find that out.
0
 
LVL 9

Expert Comment

by:Mike Roe
ID: 39608359
Are you running any virus or malware software on these computers?
0
 
LVL 26

Expert Comment

by:Lionel MM
ID: 39611391
It may also be that you have someone trying to gain access to your system and users are being locked out because of repeated attempts to try to figure out their passwords. Make sure you have no malware, trojans or spybots on these systems.
0

 

Author Comment

by:richelieuhq
ID: 39611445
Hi, we are using Trend as the antivirus and scanned the computers with Malwarebytes. Nothing was found.

I will come back to you with the server logs and the toolkit's GUI.

I will also have a look to see if there were logon attempts with their credentials on other computers.

Thanks
0
 

Author Comment

by:richelieuhq
ID: 39611517
For the question about logging in with their credentials on multiple computers, I have fixed that to 2 specific computers in Active Directory.

I will see if she locks her account for the rest of the week and come back to you.
0
 

Author Comment

by:richelieuhq
ID: 39631650
Here is the server log:

0xC0000234 user account has been automatically locked
0x0 Successful login
 
11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234
 
11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

Our administrator mentioned she was not locked from an unsuccessful attempt on the proxy for the internet.

Funny thing is the 5th of November, she got locked at 06:15 am but she gets in the office around 07h30


I will continue to investigate on my end to see if I can provide you more information.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39631788
Again: where did the lockout originate? On what workstation was the account's password wrongly used? The logs can tell you. The Microsoft account lockout tools can help you tell, too.

> Funny thing is the 5th of November, she got locked at 06:15 am but she gets in the office around 07h30
So could it be someone else is using her account? Or some task or some stored network password in credential manager?
Please start with finding out the workstation where it happens.
0
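
An added example, not part of any post in this thread: a Python script that answers the "where did the lockout originate?" question from Netlogon debug log lines in the format the author posted. The log lines, domain, user and host names in it are constructed; the status codes 0xC000006A and 0xC0000064 are standard NTSTATUS values that do not appear in the thread's log.

```python
import re
from collections import Counter

# NTSTATUS values as logged by Netlogon; the first two appear in the thread.
STATUS = {0x0: "success", 0xC0000234: "account locked out",
          0xC000006A: "wrong password", 0xC0000064: "no such user"}
LOCKED, BAD_PW = 0xC0000234, 0xC000006A

LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \S+ SamLogon: "
    r"(?:Transitive )?Network logon of (?P<user>\S+) from (?P<src>\S+) "
    r"\(via (?P<via>[^)]+)\) Returns (?P<code>0x[0-9A-Fa-f]+)$")

# Constructed sample (hypothetical domain, user and hosts), not data from the thread.
SAMPLE = r"""
11/06 06:14:02 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from \\WS-OLD1 (via SRV-MAIL) Entered
11/06 06:14:02 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from \\WS-OLD1 (via SRV-MAIL) Returns 0xC000006A
11/06 06:14:31 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from \\WS-OLD1 (via SRV-MAIL) Returns 0xC000006A
11/06 06:15:00 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from \\WS-OLD1 (via SRV-MAIL) Returns 0xC000006A
11/06 06:19:34 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from WS-MAIN (via SRV-FILE) Returns 0xC0000234
11/06 06:19:34 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from WS-MAIN (via SRV-FILE) Returns 0xC0000234
11/06 06:55:12 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from \\WS-MAIN (via SRV-PROXY) Returns 0x0
""".strip().splitlines()

def parse(lines, user):
    """Yield a record per 'Returns' line for `user`; 'Entered' lines carry no status."""
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["user"].lower() == user.lower():
            yield {"ts": m["ts"], "src": m["src"].lstrip("\\").upper(),
                   "via": m["via"], "code": int(m["code"], 16)}

def failure_sources(lines, user):
    """Count non-success results per (workstation, relaying server, status)."""
    return Counter((r["src"], r["via"], STATUS.get(r["code"], hex(r["code"])))
                   for r in parse(lines, user) if r["code"] != 0)

def lockout_trigger(lines, user):
    """Return the bad-password records seen before the first locked-out result."""
    bad = []
    for r in parse(lines, user):
        if r["code"] == LOCKED:
            return bad
        if r["code"] == BAD_PW:
            bad.append(r)
    return []  # no lockout recorded in this log

if __name__ == "__main__":
    for key, n in failure_sources(SAMPLE, r"EXAMPLE\jdoe").most_common():
        print(n, *key)
```

A 0xC0000234 result only records an attempt made after the account was already locked; the wrong-password results that precede it identify the machine whose attempts caused the lock.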
 

Author Comment

by:richelieuhq
ID: 39639252
As you can see in the log, the lockout is from WDRIC436. I have connected to it to remove temp/stored passwords and all that stuff. No one else uses her computer and it is not a stored password or credential manager because, as I explained in the beginning, the Windows vault is empty and the passwords saved in Internet Explorer were removed using Internet Options.

On the other hand, we found that she has logged in to a total of 5 computers since she has worked at the company. Her profile is only used on WDRIC436 though. To eliminate the other computers from the equation, we had her profile removed from the other computers.

She has not been locked this morning. I will keep you posted.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39639367
The credential manager stores passwords per user not per machine, so there is not only one vault to clean but eventually several.
0
 

Accepted Solution

by:
richelieuhq earned 0 total points
ID: 39663511
After having her profile removed from the other computers, the problem was solved. I wanted to wait a little before coming back to you.

I will close the ticket now.

Thanks
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39663797
You mean "other computers"= not WDRIC436?
If so, is WDRIC436 your domain controller or a client?

I am trying to understand what might have been the cause; it would be nice if you answered these questions although it's solved.
0
 

Author Closing Comment

by:richelieuhq
ID: 39674125
Removing her profiles from other computers solved the problem
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39674223
Could you be so nice and answer the questions so that others can benefit, too, like me?
0
 

Author Comment

by:richelieuhq
ID: 39690816
WDRIC436 is a standard PC with no special settings or function (like printer sharing or stuff like that).

As for the other computers, it is not WDRIC436.
0
 
LVL 57

Expert Comment

by:McKnife
ID: 39693908
Ok, thanks.
0
 

Author Comment

by:richelieuhq
ID: 39709496
You're welcome
0
