Solved

Account locked

Posted on 2013-10-29
Last Modified: 2013-12-10
Greetings,

We have some users whose accounts get locked every morning. They have these points in common:

They are using Windows 7 with service pack 1 and all updates are done.

They are using Outlook as email client with an Exchange account.

Details that might interest you:

The same troubleshooting has been done, and they are not in the same branch but are on the same domain.

We have reinstalled the computers from scratch, but the problem reappeared the next time they logged in to the system.

We have cleared the Windows Vault, cleared temporary files in the temp folder and temporary internet files, and used Disk Cleanup.

We have used the delete feature in Internet Options, checking everything.

After unlocking the account in Active Directory, we asked the user to reboot and log on again, and the account is not locked. If it's not locked, it remains OK for the rest of the day, but we noticed that the account gets locked when the user logs on to the system when they get in the office to start their shift.

A logon script is used but it cannot be the cause or else everybody would have the same problem.

I do believe there is something between Active Directory and Exchange but cannot determine what it is.

Any suggestions?
0
Question by:richelieuhq
16 Comments
 
LVL 54

Expert Comment

by:McKnife
ID: 39608352
Please consult the server logs to see where the lockout originated. You could also start the account lockout toolkit's GUI tool to find that out.
0
 
LVL 9

Expert Comment

by:M Roe
ID: 39608359
Are you running any virus or malware software on these computers?
0
 
LVL 25

Expert Comment

by:Lionel MM
ID: 39611391
It may also be that you have someone trying to gain access to your system and users are being locked out because of repeated attempts to try to figure out their passwords--make sure you have no malware, trojans or spybots on these systems.
0

 

Author Comment

by:richelieuhq
ID: 39611445
Hi, we are using Trend as the antivirus and scanned the computers with Malwarebytes. Nothing was found.

I will come back to you with the server logs and the toolkit's GUI.

I will also have a look to see if there were logon attempts with their credentials on other computers.

Thanks
0
 

Author Comment

by:richelieuhq
ID: 39611517
For the question about logging in with their credentials on multiple computers, I have fixed that to 2 specific computers in Active Directory.

I will see if she locks her account for the rest of the week and come back to you.
0
 

Author Comment

by:richelieuhq
ID: 39631650
Here is the server log:

0xC0000234 user account has been automatically locked
0x0 Successful login
 
11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Entered

11/06 06:19:34 [LOGON] RICHELIEUHQ: SamLogon: Transitive Network logon of RICHELIEUHQ\zcomfortin from WDRIC436 (via SRICSVC02) Returns 0xC0000234
 
11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:55:12 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:58:50 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 06:59:06 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 07:01:45 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0
 
11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Entered

11/06 08:29:18 [LOGON] RICHELIEUHQ: SamLogon: Network logon of RICHELIEUHQ\zcomfortin from \\WDRIC436 (via SRICPXY03) Returns 0x0

Our administrator mentioned she was not locked from an unsuccessful attempt on the proxy for the internet.

Funny thing is the 5th of November, she got locked at 06:15 am but she gets in the office around 07h30


I will continue to investigate on my end to see if I can provide you more information.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39631788
Again: where did the lockout originate? On what workstation was the account's password wrongly used? The logs can tell you. The Microsoft account lockout tools can help you tell, too.

> Funny thing is the 5th of November, she got locked at 06:15 am but she gets in the office around 07h30
So could it be someone else is using her account? Or some task or some stored network password in credential manager?
Please start with finding out the workstation where it happens.
0
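An added example, not part of any post in this thread: one way to answer "where did the lockout originate?" from log lines in the layout posted above (the Netlogon debug log format) is to count non-success results per workstation and pass-through server. The domain, user and host names in the sample are constructed, and 0xC000006A (wrong password) is included as an assumption about what precedes a lockout; only 0x0 and 0xC0000234 appear in the posted log.

```python
import re
from collections import Counter

# NTSTATUS results relevant to lockout triage; 0x0 and 0xC0000234 are the two in the log above.
STATUS = {0x0: "success", 0xC000006A: "wrong password", 0xC0000234: "account locked out"}

# Only the "Returns" half of each SamLogon pair carries a status; "Entered" lines are skipped.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: "
    r"(?:Transitive )?Network logon of (?P<user>\S+) "
    r"from (?P<src>\S+) \(via (?P<via>[^)]+)\) Returns (?P<code>0x[0-9A-Fa-f]+)"
)

def parse(lines):
    """Yield one dict per completed SamLogon attempt."""
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            e = m.groupdict()
            e["src"] = e["src"].lstrip("\\")  # "\\HOST" and "HOST" name the same machine
            e["code"] = int(e["code"], 16)
            yield e

def failure_sources(lines, user):
    """Count non-success results for user per (workstation, via-server, status)."""
    hits = Counter()
    for e in parse(lines):
        if e["user"].lower() == user.lower() and e["code"] != 0:
            hits[(e["src"], e["via"], STATUS.get(e["code"], hex(e["code"])))] += 1
    return hits

def first_lockout(lines, user):
    """Timestamp of the first 0xC0000234 result for user, or None if never locked."""
    for e in parse(lines):
        if e["user"].lower() == user.lower() and e["code"] == 0xC0000234:
            return e["ts"]
    return None

# Constructed sample in the same layout (hypothetical domain, user and host names).
SAMPLE = r"""
11/06 06:15:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from WS-OLD07 (via SRV-APP01) Entered
11/06 06:15:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from WS-OLD07 (via SRV-APP01) Returns 0xC000006A
11/06 06:15:03 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from WS-OLD07 (via SRV-APP01) Returns 0xC000006A
11/06 06:15:04 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from WS-OLD07 (via SRV-APP01) Returns 0xC0000234
11/06 07:31:10 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from \\WS-0042 (via SRV-PXY01) Returns 0xC0000234
11/06 07:31:12 [LOGON] CORP: SamLogon: Network logon of CORP\asmith from \\WS-0051 (via SRV-PXY01) Returns 0x0
""".splitlines()

if __name__ == "__main__":
    for key, n in failure_sources(SAMPLE, r"CORP\jdoe").most_common():
        print(n, *key)
    print("first lockout:", first_lockout(SAMPLE, r"CORP\jdoe"))
```

The workstation that produced the wrong-password results before the first lockout timestamp is the one to inspect; later 0xC0000234 results from other hosts only show the account was already locked.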
 

Author Comment

by:richelieuhq
ID: 39639252
As you can see in the log, the lockout is from WDRIC436. I have connected to it to remove temp/stored passwords and all that stuff. No one else uses her computer and it is not a stored password or credential manager because, as I have explained in the beginning, the Windows Vault is empty and the passwords saved in Internet Explorer were removed using Internet Options.

On the other hand, we found that she has logged in to a total of 5 computers since she started working in the company. Her profile is only used on WDRIC436 though. To eliminate the other computers from the equation, we had her profile removed from the other computers.

She has not been locked this morning. I will keep you posted.
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39639367
The credential manager stores passwords per user not per machine, so there is not only one vault to clean but eventually several.
0
 

Accepted Solution

by:
richelieuhq earned 0 total points
ID: 39663511
After having her profile removed from the other computers, the problem was solved. I wanted to wait a little before coming back to you.

I will close the ticket now.

Thanks
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39663797
You mean "other computers"= not WDRIC436?
If so, is WDRIC436 your domain controller or a client?

I am trying to understand what might have been the cause, it would be nice if you answer these questions although it's solved.
0
 

Author Closing Comment

by:richelieuhq
ID: 39674125
Removing her profiles from other computers solved the problem
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39674223
Could you be so nice and answer the questions so that others can benefit, too, like me?
0
 

Author Comment

by:richelieuhq
ID: 39690816
WDRIC436 is a standard pc computer with no special settings or function (like printer sharing or stuff like that)

For the other computers, it is not WDRIC436
0
 
LVL 54

Expert Comment

by:McKnife
ID: 39693908
Ok, thanks.
0
 

Author Comment

by:richelieuhq
ID: 39709496
You're welcome
0


Question has a verified solution.
