[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

One domain user account getting locked out constantly

Posted on 2013-10-29
8
Medium Priority
?
7,611 Views
Last Modified: 2013-11-30
One user in a domain of about 100 users.  Using Microsofts "LockoutStatus.exe", I can watch this users domain account log a bad password attempt every 4 1/2 minutes and then lockout on one of my two domain controllers.  I've deleted his Activesync account on his phone, disabled Activesync on his domain account, deleted any credentials in "Credential Manager" on his Windows 7 laptop, and even SHUT THE LAPTOP DOWN, and nothing...I can still watch t he bad attempts and lockout happen.  If I disable his domain account, it stops.  I'm at a loss....Anyone run into this issue?  I was sure it was a rogue/old mobile device, but it doesn't appear that way now, unless deleting the mobile device pairing from Exchange Manager 2010 AND disabling Activesync wouldn't take care of that....Any ideas?  Not getting any failure events on the Windows DC either.....
0
Comment
Question by:tenover
8 Comments
 
LVL 3

Expert Comment

by:netmaster1355
ID: 39609796
some viruses such as kido also cause lockout issue. please check DC event viewer to find out which PC send lockout request. then you can decide about next actions. for e.g. scan that computer for viruses.
0
 

Author Comment

by:tenover
ID: 39609801
Not seeing any events in the DC event viewer.  I would see a logon Failure event, no?
0
 
LVL 3

Expert Comment

by:netmaster1355
ID: 39609843
if i am not wrong event ID 644 should be locked out info. search event viewer for this event ID.
0
Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39609952
On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.If you check the multiple 644 logs you will find the same caller machine.If the event id 644 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring.

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html
0
 

Accepted Solution

by:
tenover earned 0 total points
ID: 39609956
Issue fixed for now.  Asked the user what his OLD password was, and then reset current domain password to one of the two he gave me.  The errors immediately stoped, so it looks like he DOES have an old mobile device out there that is still trying to ping the mail server with that old password.  Note:  Disabling ActiveSync and/or removing the mobile device/Exchange 2010 pairing does not stop the errors.....That seems strange to me.
0
 
LVL 18

Expert Comment

by:Steven Harris
ID: 39610302
Not to intrude, but this may help you diagnose in the future:

Event Log Notification via PowerShell and Task Scheduler
0
 
LVL 12

Expert Comment

by:Satish Auti
ID: 39610600
It happens if user has some map drives with old password (on his system or someone else) or stored passwords in some AD integrated applications for logon purpose...

Please check this also so u can use new password.
0
 

Author Closing Comment

by:tenover
ID: 39686659
Old device
0

Featured Post

Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

It’s time for spooky stories and consuming way too much sugar, including the many treats we’ve whipped for you in the world of tech. Check it out!
Measuring Server's processing rate with a simple powershell command. The differences in processing rate also was recorded in different use-cases, when a server in free and busy states.
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

834 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question