Solved

Account getting locked

Posted on 2013-11-13
Last Modified: 2014-11-20
One of the employees gets locked out every day at the same time in AD. Can someone please help me with how I could get it traced?
0
Question by:Exchange_Don
8 Comments
 
LVL 7

Accepted Solution

by:
Mohammed Tahir earned 2000 total points
ID: 39644188
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 39644585
Could be a scheduled task somewhere using that user's account and a bad/old password.
0
 
LVL 14

Expert Comment

by:Andy M
ID: 39644601
It may be worth checking the Security Logs on the server around the time of the lock - it may show if there's been a large number of failed access attempts to the account to cause the lock out and should also give you an idea if it's happening on a network computer / external source from the IP address.
0
 
LVL 2

Expert Comment

by:daniel0
ID: 39644620
Please have a look at this link. Now I'm sure of this, as it is already tested. A few of my answers have been deleted.

http://serverfault.com/questions/65265/finding-why-a-user-is-locked-out-in-active-directory

http://community.spiceworks.com/how_to/show/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

It's just because of the permission granted within a domain that this happens, as some of the users get an advantage from that.

Thanks and please update if it helps you out.

And do check the port of that particular user, else you can go for a third audit application also.
0
 
LVL 11

Expert Comment

by:Satish Auti
ID: 39645182
Using lockoutstatus.exe will give the status of which server the account is locked on, but will not show the reason why it locks.

Maybe there is an old password still configured in some application which you configured with this account.

Also check the mapped drives with stored passwords. If you have stored passwords, then remap the drives with current credentials.
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39646244
There may be many causes for an account being locked out.
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw has changed
• Mobile devices
Some useful links:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/88e0b12b-abac-42b8-b987-e49171fd9c3c/account-lockout-every-few-second
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28269386.html
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39646821
On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs you will find the same caller machine.

Note: If the event ID 644/4740 has not occurred, then this means that in the audit policy the user account management policy is not configured. Configure the same and check if the events are occurring.

Once the machine is traced you need to check a few things.

Possible reasons for an account to get locked out:
- A malicious user trying to get those passwords, or another user playing a joke, trying to log on as the name to deliberately lock out the account.
- A service/application that tries to authenticate with an old user password that hasn't been changed.
- A machine or multiple machines infected with the Conficker worm (see link below to find out how to get rid of this)
- A scheduled task running using an old user password that hasn't been changed.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from.

Hope this helps
0
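
The event-log check described in the comment above, as an added example that is not part of the original thread: it pulls event 4740 from the PDC emulator's Security log, extracts the caller machine, and groups lockouts by machine and hour of day so a daily recurring source stands out. It assumes the ActiveDirectory module (RSAT) is installed and the caller can read the Security log remotely; `jdoe` is a placeholder account name.

```powershell
# Added example. 'jdoe' is a placeholder; pass the affected account's sAMAccountName.
param(
    [string]$UserName = 'jdoe',
    [int]$DaysBack = 7
)

Import-Module ActiveDirectory

# Lockouts are forwarded to the PDC emulator, so its Security log
# records them for the whole domain.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740                      # "A user account was locked out"
    StartTime = (Get-Date).AddDays(-$DaysBack)
}

$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue
if (-not $events) {
    # Matches the note in the thread: no 4740 events usually means auditing is off.
    Write-Warning "No 4740 events on $pdc. Check that 'Audit User Account Management' is enabled."
    return
}

$lockouts = foreach ($e in $events) {
    # Read EventData by field name rather than by position.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq $UserName) {
        [pscustomobject]@{
            Time           = $e.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']  # 4740 stores the caller machine in this field
        }
    }
}

# Chronological list of lockouts for the account.
$lockouts | Sort-Object Time | Format-Table -AutoSize

# Same machine at the same hour each day points to a scheduled task,
# service, or mapped drive holding an old password on that machine.
$lockouts |
    Group-Object -Property CallerComputer, { $_.Time.Hour } |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```

Once a caller machine is identified, the stored credentials, services, scheduled tasks and mapped drives listed in the comments above are the things to inspect on that machine.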
 
LVL 4

Expert Comment

by:FutureTechSysDOTcom
ID: 39646947
My money is on scheduled task or scheduled virus scan.
0

Question has a verified solution.
