Solved

Account locked

Posted on 2013-10-29
16
418 Views
Last Modified: 2013-12-10
Greetings,

We have some users who have their account locked up every morning. They have these commun points:

They are using Windows 7 with service pack 1 and all updates are done.

They are using Outlook as email client with an Exchange account.

Details that might interest you:

Same troubleshooting have been done and they are not in the same branch but on the same domain.

We have reinstall from scratch the computers but the problem reapered the next time they logued in the system.

We have cleared the windows vault, cleared tempory files in the temp folder and temporary internet files and used disk cleanup.

We have used the delete feature in the internet option cheching everything.

After unlocking the account in Active Directory, we asked to reboot and to log again and the account is not locked. If it's not locked it remains ok for the rest of the day but we noticed that when account is locked is when the user log on the system when they get in the office to start their shift.

A logon script is used but it cannot be the cause or else everybody would have the same problem.

I do believe there is something between Active Directory and Exchange but cannot determine what it is.

Any suggestions ?
0
Comment
Question by:richelieuhq
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
16 Comments
 
LVL 55

Expert Comment

by:McKnife
ID: 39608352
Please consult the server logs to see where the lockout originated. You could also start the account lockout toolkit's GUI tool to find that out.
0
 
LVL 9

Expert Comment

by:M Roe
ID: 39608359
Are you running any virus or malware software on these computers
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 39611391
It may also be that you have someone trying to gain access to your system and users are been locked out because of repeated attempts to try to figure out their passwords--make sure you have no malware, trojans or spybots on this systems.
0
WordPress Tutorial 2: Terminology

An important part of learning any new piece of software is understanding the terminology it uses. Thankfully WordPress uses fairly simple names for everything that make it easy to start using the software.

 

Author Comment

by:richelieuhq
ID: 39611445
Hi We are usin Trend as the Antivirus and scanned the computers with malware bytes. Nothing was found.

I will come back to you with the server logs and toolkit's gui.

I will also have a look if there were logon attemp with their credentials on other computers.

Thanks
0
 

Author Comment

by:richelieuhq
ID: 39611517
For the question about loging with their credentials on multiple computers, i have fix that to 2 specific computer in Active Directory.

I will see if she locks her account for the rest of the week and come back to you.
0
 

Author Comment

by:richelieuhq
ID: 39631650
Here is the server log:

0xC0000234 user account has been automatically locked
0x0 Successful login
 
11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234
 
11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

Our administrator mentionned she was not locked from an unsucessful attempt on the proxy for the internet.

Funny thing is the 5th of November, she got locked at 06:15 am but she gets in the office around 07h30


I will continu to investigate on my end to see if i can provide you more information.
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39631788
Again: where did the lockout originate? On what workstation was the account's password wrongly used? The logs can tell you. The Microsoft account lockout tools can help you telling it, too.

> Funny thing is the 5th of November, she got locked at 06:15 am but she gets in the office around 07h30
So could it be someone else is using here account? Or some task or some stored network password in credential manager?
Please start with finding out the workstation where it happens.
0
 

Author Comment

by:richelieuhq
ID: 39639252
As you can see in the log, the lockout is from WDRIC436. I have connected on it to remove temp/stored password and all that stuff. No one else uses her computer and it is not a stored password or credential manager because, as i have explained in the begining, the windows vault is empty and the password saved in internet explorer were removed using the internet option.

On the other end, we found that she logued in a total of 5 computers since she works in the company. Her profile is only used in WDRIC436 tough. To elimininate the other computers out of the equation, we had her profile removed from the other computers.

She have not been locked this morning. I will keep you posted
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39639367
The credential manager stores passwords per user not per machine, so there is not only one vault to clean but eventually several.
0
 

Accepted Solution

by:
richelieuhq earned 0 total points
ID: 39663511
After having her profile removed from the other computers, the problem was solved. I wanted to wait a little before coming back to you.

I will close the ticket now.

Thanks
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39663797
You mean "other computers"= not WDRIC436?
If so, is WDRIC436 your domain controller or a client?

I am trying to understand what might have been the cause, it would be niche if you answer these questions although it's solved.
0
 

Author Closing Comment

by:richelieuhq
ID: 39674125
Removing her profiles from other computers solved the problem
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39674223
Could you be so nice and answer the questions so that other's can benefit, too, like me?
0
 

Author Comment

by:richelieuhq
ID: 39690816
WDRIC436 is a standard pc computer with no special settings or function (like printer sharing or stuff like that)

For the other computers, it is not WDRIC436
0
 
LVL 55

Expert Comment

by:McKnife
ID: 39693908
Ok, thanks.
0
 

Author Comment

by:richelieuhq
ID: 39709496
You're welcome
0

Featured Post

Optimize your web performance

What's in the eBook?
- Full list of reasons for poor performance
- Ultimate measures to speed things up
- Primary web monitoring types
- KPIs you should be monitoring in order to increase your ROI

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article is a collection of issues that people face from time to time and possible solutions to those issues. I hope you enjoy reading it.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Windows 8 came with a dramatically different user interface known as Metro. Notably missing from that interface was a Start button and Start Menu. Microsoft responded to negative user feedback of the Metro interface, bringing back the Start button a…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question