Solved

Account locked

Posted on 2013-10-29
Last Modified: 2013-12-10
Greetings,

We have some users who have their account locked up every morning. They have these common points:

They are using Windows 7 with service pack 1 and all updates are done.

They are using Outlook as email client with an Exchange account.

Details that might interest you:

The same troubleshooting has been done, and they are not in the same branch but on the same domain.

We have reinstalled the computers from scratch, but the problem reappeared the next time they logged in to the system.

We have cleared the Windows vault, cleared temporary files in the temp folder and temporary internet files, and used disk cleanup.

We have used the delete feature in the internet options, checking everything.

After unlocking the account in Active Directory, we asked them to reboot and log on again, and the account is not locked. If it's not locked, it remains OK for the rest of the day, but we noticed that the account gets locked when the user logs on to the system when they get in to the office to start their shift.

A logon script is used but it cannot be the cause or else everybody would have the same problem.

I do believe there is something between Active Directory and Exchange but cannot determine what it is.

Any suggestions?
Question by:richelieuhq
16 Comments
 
LVL 53

Expert Comment

by:McKnife
ID: 39608352
Please consult the server logs to see where the lockout originated. You could also start the account lockout toolkit's GUI tool to find that out.
0
 
LVL 9

Expert Comment

by:M Roe
ID: 39608359
Are you running any virus or malware software on these computers?
0
 
LVL 24

Expert Comment

by:lionelmm
ID: 39611391
It may also be that you have someone trying to gain access to your system and users are being locked out because of repeated attempts to try to figure out their passwords. Make sure you have no malware, trojans or spybots on these systems.
0
 

Author Comment

by:richelieuhq
ID: 39611445
Hi, we are using Trend as the antivirus and scanned the computers with Malwarebytes. Nothing was found.

I will come back to you with the server logs and the toolkit's GUI.

I will also have a look to see if there were logon attempts with their credentials on other computers.

Thanks
0
 

Author Comment

by:richelieuhq
ID: 39611517
For the question about logging in with their credentials on multiple computers, I have fixed that to 2 specific computers in Active Directory.

I will see if she locks her account for the rest of the week and come back to you.
0
 

Author Comment

by:richelieuhq
ID: 39631650
Here is the server log:

0xC0000234 user account has been automatically locked
0x0 Successful login
 
11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234
 
11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

Our administrator mentioned she was not locked from an unsuccessful attempt on the proxy for the internet.

Funny thing is the 5th of November, she got locked at 06:15 am but she gets in the office around 07h30


I will continue to investigate on my end to see if I can provide you more information.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39631788
Again: where did the lockout originate? On what workstation was the account's password wrongly used? The logs can tell you. The Microsoft account lockout tools can help you tell, too.

> Funny thing is the 5th of November, she got locked at 06:15 am but she gets in the office around 07h30
So could it be someone else is using her account? Or some task or some stored network password in credential manager?
Please start with finding out the workstation where it happens.
0
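The point made in the comment above, that the logs show where a lockout originates, can be worked through on netlogon.log lines in the format the asker posted. This is an added example, not part of the original thread: the sample lines are constructed with placeholder names, and status 0xC000006A (STATUS_WRONG_PASSWORD), which does not appear in the posted log, is included because it marks the failed attempts that lead up to a lockout, while 0xC0000234 only shows an attempt that arrived after the account was already locked.

```python
import re
from collections import Counter

STATUS = {  # NTSTATUS codes on netlogon.log "Returns" lines
    0x0: "success",
    0xC0000234: "account locked out",  # attempt arrived after the lockout
    0xC000006A: "wrong password",      # attempts that count toward the lockout
}

LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] (?:\[\d+\] )?\S+ SamLogon: "
    r"(?P<kind>.+?) logon of (?P<user>\S+) from (?P<src>\S*) "
    r"\(via (?P<via>[^)]+)\) Returns (?P<code>0x[0-9A-Fa-f]+)\s*$"
)
# Constructed sample lines (placeholder domain, user and host names).
SAMPLE = r"""
11/06 06:14:58 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from PC-B (via SRV1) Returns 0xC000006A
11/06 06:15:02 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from PC-B (via SRV1) Returns 0xC000006A
11/06 06:15:07 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from PC-B (via SRV1) Returns 0xC000006A
11/06 06:19:34 [LOGON] EXAMPLE: SamLogon: Transitive Network logon of EXAMPLE\jdoe from PC-A (via SRV2) Returns 0xC0000234
11/06 06:55:12 [LOGON] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from \\PC-A (via SRV1) Returns 0x0
""".strip().splitlines()

def parse(lines):
    """Yield one dict per 'Returns' line; 'Entered' lines carry no status."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e.update(src=e["src"].lstrip("\\") or "(unknown)", code=int(e["code"], 16))
            yield e

def failures_by_source(lines, user):
    """Count failed logons for `user` per (workstation, via, status)."""
    counts = Counter()
    for e in parse(lines):
        if e["code"] and e["user"].split("\\")[-1].lower() == user.lower():
            counts[(e["src"], e["via"], STATUS.get(e["code"], hex(e["code"])))] += 1
    return counts

def bad_password_sources(lines, user):
    """Workstations that sent wrong passwords: where to look for stale credentials."""
    return sorted({k[0] for k in failures_by_source(lines, user) if k[2] == "wrong password"})

if __name__ == "__main__":
    for key, n in failures_by_source(SAMPLE, "jdoe").items():
        print(n, *key)
    print("investigate:", bad_password_sources(SAMPLE, "jdoe"))
```
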
 

Author Comment

by:richelieuhq
ID: 39639252
As you can see in the log, the lockout is from WDRIC436. I have connected to it to remove temp/stored passwords and all that stuff. No one else uses her computer and it is not a stored password or credential manager because, as I explained in the beginning, the Windows vault is empty and the passwords saved in Internet Explorer were removed using the internet options.

On the other hand, we found that she has logged in to a total of 5 computers since she has worked in the company. Her profile is only used on WDRIC436, though. To eliminate the other computers from the equation, we had her profile removed from the other computers.

She has not been locked this morning. I will keep you posted.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39639367
The credential manager stores passwords per user not per machine, so there is not only one vault to clean but eventually several.
0
 

Accepted Solution

by:
richelieuhq earned 0 total points
ID: 39663511
After having her profile removed from the other computers, the problem was solved. I wanted to wait a little before coming back to you.

I will close the ticket now.

Thanks
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39663797
You mean "other computers"= not WDRIC436?
If so, is WDRIC436 your domain controller or a client?

I am trying to understand what might have been the cause; it would be nice if you answered these questions although it's solved.
0
 

Author Closing Comment

by:richelieuhq
ID: 39674125
Removing her profiles from other computers solved the problem
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39674223
Could you be so nice and answer the questions so that others can benefit, too, like me?
0
 

Author Comment

by:richelieuhq
ID: 39690816
WDRIC436 is a standard PC with no special settings or function (like printer sharing or stuff like that).

For the other computers, it is not WDRIC436.
0
 
LVL 53

Expert Comment

by:McKnife
ID: 39693908
Ok, thanks.
0
 

Author Comment

by:richelieuhq
ID: 39709496
You're welcome
0
