[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 166
  • Last Modified:

Account getting locked

one of the employee gets locked everyday at the same time in AD can someone please help me how could i get it traced.
0
Exchange_Don
Asked:
Exchange_Don
1 Solution
 
warddhoogheCommented:
could be a scheduled task somewhere using that user's account and bad/old password
0
 
Andy MIT Systems ManagerCommented:
It may be worth checking the Security Logs on the server around the time of the lock - it may show if there's been a large number of failed access attempts to the account to cause the lock out and should also give you an idea if it's happening on a network computer / external source from the IP address.
0
Nothing ever in the clear!

This technical paper will help you implement VMware’s VM encryption as well as implement Veeam encryption which together will achieve the nothing ever in the clear goal. If a bad guy steals VMs, backups or traffic they get nothing.

 
daniel0Commented:
Please have a look at this link . Now I'm sure for this as already tested. Few of my answer are been deleted

http://serverfault.com/questions/65265/finding-why-a-user-is-locked-out-in-active-directory

http://community.spiceworks.com/how_to/show/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

Its just because for the reason due to the permission granted with in a domain this happen as some of the users get an advantage for that.

Thanks and please update if it helps you out.

And do check the port of that particluar user, else you can go for an third audit application also.
0
 
Satish AutiSenior System AdministratorCommented:
using lockoutstatus.exe will give the status on which server the account is locked but will not show the reason why its locks.

may be there is a old password still configured in some application which you configured with this account.

Also check the mapped drives with stored password. If u have stored password then remapped drives with current credentials.
0
 
Pankaj_401Commented:
There may be many causes for account locked out.
•      user's account in stored user name and passwords
•      user's account tied to persistent mapped drive
•      user's account as a service account
•      user's account used as an IIS application pool identity
•      user's account tied to a scheduled task
•      un-suspending a virtual machine after a user's pw as changed
•      Mobile devices
Some Useful links
http://social.technet.microsoft.com/Forums/windowsserver/en-US/88e0b12b-abac-42b8-b987-e49171fd9c3c/account-lockout-every-few-second
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28269386.html
0
 
SandeshdubeyCommented:
On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.If you check the multiple 644 logs you will find the same caller machine.

Note:If the event id 644/4740 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring.

Once the machine is traced you need to check few things

Possible reasons for an account to get locked out:
- A malicious user trying to get those passwords or another user playing a joke trying to log on as the name to deliberately lockout the account.
- A service/application that tries to authenticate with an old user password that hasn't been changed.
- A machine or multiple machines infected with the conficker worm (see link below to find out how to get rid of this)
- A scheduled task running using an old user password that hasn't been changed.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Sometimes the network trace will the most helpful piece to figure out where the lockout is coming from.

Hope this helps
0
 
FutureTechSysDOTcomCommented:
My money is on scheduled task or scheduled virus scan.
0

Featured Post

Veeam and MySQL: How to Perform Backup & Recovery

MySQL and the MariaDB variant are among the most used databases in Linux environments, and many critical applications support their data on them. Watch this recorded webinar to find out how Veeam Backup & Replication allows you to get consistent backups of MySQL databases.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now