Solved

Account getting locked

Posted on 2013-11-13
Last Modified: 2014-11-20
One of the employees gets locked every day at the same time in AD. Can someone please help me with how I could get it traced?
Question by:Exchange_Don
8 Comments
 
LVL 7

Accepted Solution

by:
Mohammed Tahir earned 500 total points
ID: 39644188
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 39644585
Could be a scheduled task somewhere using that user's account and a bad/old password.
0
 
LVL 14

Expert Comment

by:Andy M
ID: 39644601
It may be worth checking the Security Logs on the server around the time of the lock - it may show if there's been a large number of failed access attempts to the account to cause the lock out and should also give you an idea if it's happening on a network computer / external source from the IP address.
0
 
LVL 2

Expert Comment

by:daniel0
ID: 39644620
Please have a look at these links. Now I'm sure of this as I have already tested it. A few of my answers have been deleted.

http://serverfault.com/questions/65265/finding-why-a-user-is-locked-out-in-active-directory

http://community.spiceworks.com/how_to/show/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

It's just because of the permission granted within a domain that this happens, as some of the users get an advantage from that.

Thanks and please update if it helps you out.

And do check the port of that particular user, else you can go for a third audit application also.
0
 
LVL 10

Expert Comment

by:Satish Auti
ID: 39645182
Using lockoutstatus.exe will give the status on which server the account is locked, but will not show the reason why it locks.

Maybe there is an old password still configured in some application which you configured with this account.

Also check the mapped drives with stored passwords. If you have a stored password, then remap the drives with current credentials.
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39646244
There may be many causes for an account being locked out:
  • user's account in stored user names and passwords
  • user's account tied to a persistent mapped drive
  • user's account used as a service account
  • user's account used as an IIS application pool identity
  • user's account tied to a scheduled task
  • un-suspending a virtual machine after a user's pw has changed
  • mobile devices

Some useful links:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/88e0b12b-abac-42b8-b987-e49171fd9c3c/account-lockout-every-few-second
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28269386.html
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39646821
On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine.

Note: If event ID 644/4740 has not occurred, then this means that the user account management policy is not configured in the audit policy. Configure the same and check if the events are occurring.

Once the machine is traced you need to check a few things.

Possible reasons for an account to get locked out:
- A malicious user trying to get those passwords or another user playing a joke trying to log on as the name to deliberately lockout the account.
- A service/application that tries to authenticate with an old user password that hasn't been changed.
- A machine or multiple machines infected with the conficker worm (see link below to find out how to get rid of this)
- A scheduled task running using an old user password that hasn't been changed.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from.

Hope this helps
0
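The 4740 check described in the comment above, as an added example that is not part of any poster's answer: it reads lockout events as XML, keeps those for one account, and groups them by caller machine and hour of day so a lockout that recurs "every day at the same time" stands out. The function names, the account `jdoe` and the host names are hypothetical, and the events are constructed sample data.

```powershell
# Build a 4740 event in the XML shape that (Get-WinEvent ...).ToXml() returns.
# Constructed sample data: account, host names and times are made up.
function New-SampleLockout($Time, $User, $Caller) {
    "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>4740</EventID><TimeCreated SystemTime='$Time'/></System>" +
    "<EventData><Data Name='TargetUserName'>$User</Data>" +
    "<Data Name='TargetDomainName'>$Caller</Data></EventData></Event>"
}

$sample = @(
    New-SampleLockout '2013-11-11T08:00:14Z' 'jdoe'   'APPSRV07'
    New-SampleLockout '2013-11-12T08:00:09Z' 'jdoe'   'APPSRV07'
    New-SampleLockout '2013-11-13T08:00:21Z' 'jdoe'   'APPSRV07'
    New-SampleLockout '2013-11-13T14:37:02Z' 'jdoe'   'WKS-0142'
    New-SampleLockout '2013-11-13T09:12:40Z' 'asmith' 'WKS-0077'
)

# Hypothetical helper: summarise lockouts of one account by caller machine and hour.
function Get-LockoutPattern {
    param([string[]]$EventXml, [string]$User)
    $rows = foreach ($raw in $EventXml) {
        $evt  = ([xml]$raw).Event
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $User) { continue }
        $utc = ([datetime]$evt.System.TimeCreated.SystemTime).ToUniversalTime()
        [pscustomobject]@{
            # In 4740 the "Caller Computer Name" is carried in TargetDomainName.
            Caller = $data['TargetDomainName']
            Hour   = $utc.ToString('HH') + ':00 UTC'
            Day    = $utc.ToString('yyyy-MM-dd')
        }
    }
    $rows | Group-Object Caller, Hour | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Caller = $_.Group[0].Caller
            Hour   = $_.Group[0].Hour
            Count  = $_.Count
            Days   = ($_.Group.Day | Sort-Object -Unique) -join ', '
        }
    }
}

# Live use on a DC instead of $sample:
#   $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} | ForEach-Object { $_.ToXml() }
Get-LockoutPattern -EventXml $sample -User 'jdoe' | Format-Table -AutoSize
```

A caller that appears on several days in the same hour points to something scheduled on that machine (task, service, mapped drive), which is where the stored credential should be looked for.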
 
LVL 4

Expert Comment

by:FutureTechSysDOTcom
ID: 39646947
My money is on scheduled task or scheduled virus scan.
0

Question has a verified solution.