Solved

Account getting locked

Posted on 2013-11-13
8
159 Views
Last Modified: 2014-11-20
one of the employee gets locked everyday at the same time in AD can someone please help me how could i get it traced.
0
Comment
Question by:Exchange_Don
8 Comments
 
LVL 7

Accepted Solution

by:
Mohammed Tahir earned 500 total points
ID: 39644188
0
 
LVL 5

Expert Comment

by:warddhooghe
ID: 39644585
could be a scheduled task somewhere using that user's account and bad/old password
0
 
LVL 13

Expert Comment

by:Andy M
ID: 39644601
It may be worth checking the Security Logs on the server around the time of the lock - it may show if there's been a large number of failed access attempts to the account to cause the lock out and should also give you an idea if it's happening on a network computer / external source from the IP address.
0
Best Practices: Disaster Recovery Testing

Besides backup, any IT division should have a disaster recovery plan. You will find a few tips below relating to the development of such a plan and to what issues one should pay special attention in the course of backup planning.

 
LVL 2

Expert Comment

by:daniel0
ID: 39644620
Please have a look at this link . Now I'm sure for this as already tested. Few of my answer are been deleted

http://serverfault.com/questions/65265/finding-why-a-user-is-locked-out-in-active-directory

http://community.spiceworks.com/how_to/show/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

Its just because for the reason due to the permission granted with in a domain this happen as some of the users get an advantage for that.

Thanks and please update if it helps you out.

And do check the port of that particluar user, else you can go for an third audit application also.
0
 
LVL 6

Expert Comment

by:Satish Auti
ID: 39645182
using lockoutstatus.exe will give the status on which server the account is locked but will not show the reason why its locks.

may be there is a old password still configured in some application which you configured with this account.

Also check the mapped drives with stored password. If u have stored password then remapped drives with current credentials.
0
 
LVL 5

Expert Comment

by:Pankaj_401
ID: 39646244
There may be many causes for account locked out.
•      user's account in stored user name and passwords
•      user's account tied to persistent mapped drive
•      user's account as a service account
•      user's account used as an IIS application pool identity
•      user's account tied to a scheduled task
•      un-suspending a virtual machine after a user's pw as changed
•      Mobile devices
Some Useful links
http://social.technet.microsoft.com/Forums/windowsserver/en-US/88e0b12b-abac-42b8-b987-e49171fd9c3c/account-lockout-every-few-second
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_28269386.html
0
 
LVL 24

Expert Comment

by:Sandeshdubey
ID: 39646821
On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.If you check the multiple 644 logs you will find the same caller machine.

Note:If the event id 644/4740 has not occured then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occuring.

Once the machine is traced you need to check few things

Possible reasons for an account to get locked out:
- A malicious user trying to get those passwords or another user playing a joke trying to log on as the name to deliberately lockout the account.
- A service/application that tries to authenticate with an old user password that hasn't been changed.
- A machine or multiple machines infected with the conficker worm (see link below to find out how to get rid of this)
- A scheduled task running using an old user password that hasn't been changed.

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Sometimes the network trace will the most helpful piece to figure out where the lockout is coming from.

Hope this helps
0
 
LVL 4

Expert Comment

by:FutureTechSysDOTcom
ID: 39646947
My money is on scheduled task or scheduled virus scan.
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article shows how to deploy dynamic backgrounds to computers depending on the aspect ratio of display
In-place Upgrading Dirsync to Azure AD Connect
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question