Solved

Account getting locked

Posted on 2013-11-13
Medium Priority
164 Views
Last Modified: 2014-11-20
One of the employees gets locked out every day at the same time in AD. Can someone please help me with how I could get it traced?
0
Question by:Exchange_Don
8 Comments
 
LVL 7

Accepted Solution

by:
Mohammed Tahir earned 2000 total points
ID: 39644188
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 39644585
Could be a scheduled task somewhere using that user's account and a bad/old password.
0
 
LVL 14

Expert Comment

by:Andy M
ID: 39644601
It may be worth checking the Security Logs on the server around the time of the lock - it may show if there's been a large number of failed access attempts to the account to cause the lock out and should also give you an idea if it's happening on a network computer / external source from the IP address.
0
 
LVL 2

Expert Comment

by:daniel0
ID: 39644620
Please have a look at this link. Now I'm sure about this as I have already tested it. A few of my answers have been deleted.

http://serverfault.com/questions/65265/finding-why-a-user-is-locked-out-in-active-directory

http://community.spiceworks.com/how_to/show/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

It's just because of the permissions granted within a domain that this happens, as some of the users get an advantage from that.

Thanks and please update if it helps you out.

And do check the port of that particular user; otherwise you can go for a third audit application also.
0
 
LVL 11

Expert Comment

by:Satish Auti
ID: 39645182
Using lockoutstatus.exe will give the status of which server the account is locked on, but it will not show the reason why it locks.

Maybe there is an old password still configured in some application which you configured with this account.

Also check the mapped drives with stored passwords. If you have a stored password, then remap the drives with current credentials.
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39646244
There may be many causes for an account being locked out:
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account used as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw has changed
• mobile devices
Some useful links:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/88e0b12b-abac-42b8-b987-e49171fd9c3c/account-lockout-every-few-second
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28269386.html
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39646821
On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine.

Note: If event ID 644/4740 has not occurred, this means that the user account management policy is not configured in the audit policy. Configure it and check whether the events are occurring.

Once the machine is traced, you need to check a few things.

Possible reasons for an account to get locked out:
- A malicious user trying to get those passwords, or another user playing a joke by trying to log on as the name to deliberately lock out the account.
- A service/application that tries to authenticate with an old user password that hasn't been changed.
- A machine or multiple machines infected with the Conficker worm (see link below to find out how to get rid of this).
- A scheduled task running using an old user password that hasn't been changed.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from.

Hope this helps
0
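An added example, not part of any answer in this thread: one way to summarise the lockout events (ID 4740) mentioned above by caller machine and hour of day, so a lockout that recurs at the same time from the same machine stands out. The function name `Get-LockoutSummary`, the user `jdoe`, the machine names and the sample events are all constructed for illustration; the input is event XML in the form returned by `ToXml()` on a `Get-WinEvent` result.

```powershell
# Added example: group lockout events (ID 4740) by caller machine and hour (UTC).
function Get-LockoutSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,   # one XML string per event
        [Parameter(Mandatory)] [string]   $UserName    # locked-out account to trace
    )
    $rows = foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ([int]$evt.System.EventID -ne 4740) { continue }
        # Turn the <Data Name="..."> elements into a name -> value table.
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $UserName) { continue }
        $time = [datetime]::Parse($evt.System.TimeCreated.SystemTime).ToUniversalTime()
        [pscustomobject]@{
            # In event 4740 the "Caller Computer Name" is stored in TargetDomainName.
            Caller  = $data['TargetDomainName']
            HourUtc = $time.ToString('HH:00')
        }
    }
    # The most frequent caller/hour pair is the first place to look.
    $rows | Group-Object Caller, HourUtc | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events (not real log data): user, caller machine, UTC time.
$template = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">' +
    '<System><EventID>4740</EventID><TimeCreated SystemTime="{2}"/></System>' +
    '<EventData><Data Name="TargetUserName">{0}</Data>' +
    '<Data Name="TargetDomainName">{1}</Data></EventData></Event>'
$sample = @(
    $template -f 'jdoe',   'WKSTN-042', '2013-11-11T09:00:03.0000000Z'
    $template -f 'jdoe',   'WKSTN-042', '2013-11-12T09:00:05.0000000Z'
    $template -f 'jdoe',   'WKSTN-042', '2013-11-13T09:00:02.0000000Z'
    $template -f 'jdoe',   'LAPTOP-07', '2013-11-12T14:31:40.0000000Z'
    $template -f 'asmith', 'WKSTN-019', '2013-11-12T09:00:10.0000000Z'
)

Get-LockoutSummary -EventXml $sample -UserName 'jdoe'

# Against a live DC (needs rights to read its Security log; <DC> is a placeholder):
#   $xml = Get-WinEvent -ComputerName <DC> -FilterHashtable @{LogName='Security'; Id=4740} |
#          ForEach-Object { $_.ToXml() }
#   Get-LockoutSummary -EventXml $xml -UserName 'jdoe'
```

Once a caller machine and time are identified, the scheduled tasks, services, mapped drives and stored credentials on that machine are the things to check, as the answers above suggest.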
 
LVL 4

Expert Comment

by:FutureTechSysDOTcom
ID: 39646947
My money is on scheduled task or scheduled virus scan.
0

Question has a verified solution.
