• Status: Solved

Account locked

Greetings,

We have some users who have their account locked up every morning. They have these common points:

They are using Windows 7 with Service Pack 1 and all updates are done.

They are using Outlook as email client with an Exchange account.

Details that might interest you:

The same troubleshooting has been done, and they are not in the same branch but on the same domain.

We have reinstalled the computers from scratch, but the problem reappeared the next time they logged in to the system.

We have cleared the Windows Vault, cleared temporary files in the temp folder and temporary internet files, and used Disk Cleanup.

We have used the delete feature in Internet Options, checking everything.

After unlocking the account in Active Directory, we asked to reboot and to log on again, and the account is not locked. If it's not locked, it remains OK for the rest of the day, but we noticed that the account gets locked when the user logs on to the system when they get in the office to start their shift.

A logon script is used but it cannot be the cause or else everybody would have the same problem.

I do believe there is something between Active Directory and Exchange but cannot determine what it is.

Any suggestions?

Asked by: richelieuhq
 
McKnife Commented:
Please consult the server logs to see where the lockout originated. You could also start the account lockout toolkit's GUI tool to find that out.
 
Mike Roe Commented:
Are you running any virus or malware software on these computers?
 
Lionel MM (Small Business IT Consultant) Commented:
It may also be that you have someone trying to gain access to your system and users are being locked out because of repeated attempts to try to figure out their passwords. Make sure you have no malware, trojans or spybots on these systems.
 
richelieuhq (Author) Commented:
Hi, we are using Trend as the antivirus and scanned the computers with Malwarebytes. Nothing was found.

I will come back to you with the server logs and toolkit's GUI.

I will also have a look if there were logon attempts with their credentials on other computers.

Thanks
 
richelieuhq (Author) Commented:
For the question about logging in with their credentials on multiple computers, I have fixed that to 2 specific computers in Active Directory.

I will see if she locks her account for the rest of the week and come back to you.
 
richelieuhq (Author) Commented:
Here is the server log:

0xC0000234 user account has been automatically locked
0x0 Successful login
 
11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234
 
11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

Our administrator mentioned she was not locked from an unsuccessful attempt on the proxy for the internet.

Funny thing is, on the 5th of November she got locked at 06:15 am, but she gets in the office around 07h30.

I will continue to investigate on my end to see if I can provide you more information.
 
McKnife Commented:
Again: where did the lockout originate? On what workstation was the account's password wrongly used? The logs can tell you. The Microsoft account lockout tools can help you tell, too.

> Funny thing is the 5th of November, she got locked at 06:15 am but she gets in the office around 07h30
So could it be someone else is using her account? Or some task or some stored network password in Credential Manager?
Please start with finding out the workstation where it happens.
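
Added example (not part of the thread and not code from any poster): one way to answer the "where did the lockout originate?" question from log lines in the format posted above, which is the Netlogon debug log format. The 0xC000006A (wrong password) code and the OTHERPC01 line are assumptions added for illustration; the remaining sample lines are copied from the log in the thread.

```python
import re
from collections import Counter

# 0x0 and 0xC0000234 are the codes listed in the thread. 0xC000006A
# (STATUS_WRONG_PASSWORD) is added here: it is the result that counts
# toward the lockout threshold before 0xC0000234 starts appearing.
STATUS = {0x0: "success", 0xC0000234: "account locked out",
          0xC000006A: "wrong password"}

LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] \S+ SamLogon: "
    r"(?P<kind>(?:Transitive )?Network) logon of (?P<user>\S+) "
    r"from (?:\\\\)?(?P<src>\S+) \(via (?P<via>[^)]+)\) "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

# First line is constructed (OTHERPC01 is a placeholder name); the rest
# are copied from the log posted in the thread.
SAMPLE = r"""
11/06 06:19:30 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from OTHERPC01 (via SRICSVC02) Returns 0xC000006A
11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered
11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234
11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered
11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234
11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered
11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
"""

def parse(lines):
    """Yield one record per completed logon; 'Entered' lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["status"] = int(rec["status"], 16)
            yield rec

def failure_sources(lines):
    """Count failed logons per (user, workstation, via server, result)."""
    counts = Counter()
    for r in parse(lines):
        if r["status"] != 0:
            label = STATUS.get(r["status"], hex(r["status"]))
            counts[(r["user"], r["src"], r["via"], label)] += 1
    return counts

if __name__ == "__main__":
    for key, n in failure_sources(SAMPLE.splitlines()).most_common():
        print(n, *key)
```

Lines returning "account locked out" only show where a logon was refused after the lock was already in place; the workstations to chase are the ones returning "wrong password" just before that.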
 
richelieuhq (Author) Commented:
As you can see in the log, the lockout is from WDRIC436. I have connected to it to remove temp/stored passwords and all that stuff. No one else uses her computer and it is not a stored password or Credential Manager because, as I explained in the beginning, the Windows Vault is empty and the passwords saved in Internet Explorer were removed using Internet Options.

On the other hand, we found that she logged in to a total of 5 computers since she started working in the company. Her profile is only used on WDRIC436 though. To eliminate the other computers from the equation, we had her profile removed from the other computers.

She has not been locked this morning. I will keep you posted.
 
McKnife Commented:
The credential manager stores passwords per user, not per machine, so there is not only one vault to clean but eventually several.
 
richelieuhq (Author) Commented:
After having her profile removed from the other computers, the problem was solved. I wanted to wait a little before coming back to you.

I will close the ticket now.

Thanks
 
McKnife Commented:
You mean "other computers" = not WDRIC436?
If so, is WDRIC436 your domain controller or a client?

I am trying to understand what might have been the cause; it would be nice if you answered these questions although it's solved.
 
richelieuhq (Author) Commented:
Removing her profiles from other computers solved the problem.
 
McKnife Commented:
Could you be so nice and answer the questions so that others can benefit, too, like me?
 
richelieuhq (Author) Commented:
WDRIC436 is a standard PC computer with no special settings or function (like printer sharing or stuff like that).

For the other computers, it is not WDRIC436.
 
McKnife Commented:
Ok, thanks.
 
richelieuhq (Author) Commented:
You're welcome
Question has a verified solution.