Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 7880
  • Last Modified:

One domain user account getting locked out constantly

One user in a domain of about 100 users.  Using Microsofts "LockoutStatus.exe", I can watch this users domain account log a bad password attempt every 4 1/2 minutes and then lockout on one of my two domain controllers.  I've deleted his Activesync account on his phone, disabled Activesync on his domain account, deleted any credentials in "Credential Manager" on his Windows 7 laptop, and even SHUT THE LAPTOP DOWN, and nothing...I can still watch t he bad attempts and lockout happen.  If I disable his domain account, it stops.  I'm at a loss....Anyone run into this issue?  I was sure it was a rogue/old mobile device, but it doesn't appear that way now, unless deleting the mobile device pairing from Exchange Manager 2010 AND disabling Activesync wouldn't take care of that....Any ideas?  Not getting any failure events on the Windows DC either.....
0
tenover
Asked:
tenover
1 Solution
 
netmaster1355Commented:
some viruses such as kido also cause lockout issue. please check DC event viewer to find out which PC send lockout request. then you can decide about next actions. for e.g. scan that computer for viruses.
0
 
tenoverAuthor Commented:
Not seeing any events in the DC event viewer.  I would see a logon Failure event, no?
0
 
netmaster1355Commented:
if i am not wrong event ID 644 should be locked out info. search event viewer for this event ID.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
SandeshdubeySenior Server EngineerCommented:
On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.If you check the multiple 644 logs you will find the same caller machine.If the event id 644 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring.

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html
0
 
tenoverAuthor Commented:
Issue fixed for now.  Asked the user what his OLD password was, and then reset current domain password to one of the two he gave me.  The errors immediately stoped, so it looks like he DOES have an old mobile device out there that is still trying to ping the mail server with that old password.  Note:  Disabling ActiveSync and/or removing the mobile device/Exchange 2010 pairing does not stop the errors.....That seems strange to me.
0
 
Steven HarrisPresidentCommented:
Not to intrude, but this may help you diagnose in the future:

Event Log Notification via PowerShell and Task Scheduler
0
 
Satish AutiSenior System AdministratorCommented:
It happens if user has some map drives with old password (on his system or someone else) or stored passwords in some AD integrated applications for logon purpose...

Please check this also so u can use new password.
0
 
tenoverAuthor Commented:
Old device
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now