?
Solved

One domain user account getting locked out constantly

Posted on 2013-10-29
8
Medium Priority
?
7,400 Views
Last Modified: 2013-11-30
One user in a domain of about 100 users.  Using Microsofts "LockoutStatus.exe", I can watch this users domain account log a bad password attempt every 4 1/2 minutes and then lockout on one of my two domain controllers.  I've deleted his Activesync account on his phone, disabled Activesync on his domain account, deleted any credentials in "Credential Manager" on his Windows 7 laptop, and even SHUT THE LAPTOP DOWN, and nothing...I can still watch t he bad attempts and lockout happen.  If I disable his domain account, it stops.  I'm at a loss....Anyone run into this issue?  I was sure it was a rogue/old mobile device, but it doesn't appear that way now, unless deleting the mobile device pairing from Exchange Manager 2010 AND disabling Activesync wouldn't take care of that....Any ideas?  Not getting any failure events on the Windows DC either.....
0
Comment
Question by:tenover
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 3

Expert Comment

by:netmaster1355
ID: 39609796
some viruses such as kido also cause lockout issue. please check DC event viewer to find out which PC send lockout request. then you can decide about next actions. for e.g. scan that computer for viruses.
0
 

Author Comment

by:tenover
ID: 39609801
Not seeing any events in the DC event viewer.  I would see a logon Failure event, no?
0
 
LVL 3

Expert Comment

by:netmaster1355
ID: 39609843
if i am not wrong event ID 644 should be locked out info. search event viewer for this event ID.
0
Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39609952
On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.If you check the multiple 644 logs you will find the same caller machine.If the event id 644 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring.

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html
0
 

Accepted Solution

by:
tenover earned 0 total points
ID: 39609956
Issue fixed for now.  Asked the user what his OLD password was, and then reset current domain password to one of the two he gave me.  The errors immediately stoped, so it looks like he DOES have an old mobile device out there that is still trying to ping the mail server with that old password.  Note:  Disabling ActiveSync and/or removing the mobile device/Exchange 2010 pairing does not stop the errors.....That seems strange to me.
0
 
LVL 18

Expert Comment

by:Steven Harris
ID: 39610302
Not to intrude, but this may help you diagnose in the future:

Event Log Notification via PowerShell and Task Scheduler
0
 
LVL 11

Expert Comment

by:Satish Auti
ID: 39610600
It happens if user has some map drives with old password (on his system or someone else) or stored passwords in some AD integrated applications for logon purpose...

Please check this also so u can use new password.
0
 

Author Closing Comment

by:tenover
ID: 39686659
Old device
0

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
Active Directory can easily get cluttered with unused service, user and computer accounts. In this article, I will show you the way I like to implement ADCleanup..
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses

777 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question