Solved

One domain user account getting locked out constantly

Posted on 2013-10-29
8
6,898 Views
Last Modified: 2013-11-30
One user in a domain of about 100 users.  Using Microsofts "LockoutStatus.exe", I can watch this users domain account log a bad password attempt every 4 1/2 minutes and then lockout on one of my two domain controllers.  I've deleted his Activesync account on his phone, disabled Activesync on his domain account, deleted any credentials in "Credential Manager" on his Windows 7 laptop, and even SHUT THE LAPTOP DOWN, and nothing...I can still watch t he bad attempts and lockout happen.  If I disable his domain account, it stops.  I'm at a loss....Anyone run into this issue?  I was sure it was a rogue/old mobile device, but it doesn't appear that way now, unless deleting the mobile device pairing from Exchange Manager 2010 AND disabling Activesync wouldn't take care of that....Any ideas?  Not getting any failure events on the Windows DC either.....
0
Comment
Question by:tenover
8 Comments
 
LVL 3

Expert Comment

by:netmaster1355
ID: 39609796
some viruses such as kido also cause lockout issue. please check DC event viewer to find out which PC send lockout request. then you can decide about next actions. for e.g. scan that computer for viruses.
0
 

Author Comment

by:tenover
ID: 39609801
Not seeing any events in the DC event viewer.  I would see a logon Failure event, no?
0
 
LVL 3

Expert Comment

by:netmaster1355
ID: 39609843
if i am not wrong event ID 644 should be locked out info. search event viewer for this event ID.
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39609952
On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.If you check the multiple 644 logs you will find the same caller machine.If the event id 644 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring.

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html
0
Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

 

Accepted Solution

by:
tenover earned 0 total points
ID: 39609956
Issue fixed for now.  Asked the user what his OLD password was, and then reset current domain password to one of the two he gave me.  The errors immediately stoped, so it looks like he DOES have an old mobile device out there that is still trying to ping the mail server with that old password.  Note:  Disabling ActiveSync and/or removing the mobile device/Exchange 2010 pairing does not stop the errors.....That seems strange to me.
0
 
LVL 18

Expert Comment

by:Steven Harris
ID: 39610302
Not to intrude, but this may help you diagnose in the future:

Event Log Notification via PowerShell and Task Scheduler
0
 
LVL 4

Expert Comment

by:Satish Auti
ID: 39610600
It happens if user has some map drives with old password (on his system or someone else) or stored passwords in some AD integrated applications for logon purpose...

Please check this also so u can use new password.
0
 

Author Closing Comment

by:tenover
ID: 39686659
Old device
0

Featured Post

Save on storage to protect fatherhood memories

You're the dad who has everything. This Father's Day, make sure your family memories are protected. My Passport Ultra has automatic backup and password protection to keep your cherished photos and videos safe. With up to 3TB, you have plenty of room to hold the adventures ahead.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Windows 2012 R2 Server -- SERIVCES checklist ? 4 104
Super Scope, DHCP 5 54
Copy the files from the share to network PCs 4 27
Group policy backup error 8 26
Find out how to use Active Directory data for email signature management in Microsoft Exchange and Office 365.
This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…

863 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now