One domain user account getting locked out constantly

One user in a domain of about 100 users.  Using Microsofts "LockoutStatus.exe", I can watch this users domain account log a bad password attempt every 4 1/2 minutes and then lockout on one of my two domain controllers.  I've deleted his Activesync account on his phone, disabled Activesync on his domain account, deleted any credentials in "Credential Manager" on his Windows 7 laptop, and even SHUT THE LAPTOP DOWN, and nothing...I can still watch t he bad attempts and lockout happen.  If I disable his domain account, it stops.  I'm at a loss....Anyone run into this issue?  I was sure it was a rogue/old mobile device, but it doesn't appear that way now, unless deleting the mobile device pairing from Exchange Manager 2010 AND disabling Activesync wouldn't take care of that....Any ideas?  Not getting any failure events on the Windows DC either.....
tenoverAsked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
tenoverConnect With a Mentor Author Commented:
Issue fixed for now.  Asked the user what his OLD password was, and then reset current domain password to one of the two he gave me.  The errors immediately stoped, so it looks like he DOES have an old mobile device out there that is still trying to ping the mail server with that old password.  Note:  Disabling ActiveSync and/or removing the mobile device/Exchange 2010 pairing does not stop the errors.....That seems strange to me.
0
 
netmaster1355Commented:
some viruses such as kido also cause lockout issue. please check DC event viewer to find out which PC send lockout request. then you can decide about next actions. for e.g. scan that computer for viruses.
0
 
tenoverAuthor Commented:
Not seeing any events in the DC event viewer.  I would see a logon Failure event, no?
0
The new generation of project management tools

With monday.com’s project management tool, you can see what everyone on your team is working in a single glance. Its intuitive dashboards are customizable, so you can create systems that work for you.

 
netmaster1355Commented:
if i am not wrong event ID 644 should be locked out info. search event viewer for this event ID.
0
 
SandeshdubeySenior Server EngineerCommented:
On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.If you check the multiple 644 logs you will find the same caller machine.If the event id 644 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring.

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html
0
 
Steven HarrisPresidentCommented:
Not to intrude, but this may help you diagnose in the future:

Event Log Notification via PowerShell and Task Scheduler
0
 
Satish AutiSenior System AdministratorCommented:
It happens if user has some map drives with old password (on his system or someone else) or stored passwords in some AD integrated applications for logon purpose...

Please check this also so u can use new password.
0
 
tenoverAuthor Commented:
Old device
0
All Courses

From novice to tech pro — start learning today.