Solved

Account always locks out - Active Directory

Posted on 2013-11-19
1,125 Views
Last Modified: 2014-02-10
Hi,

The user's account locks out every morning, and I have to unlock it every morning. The user is entering the right password too.

After I unlock it in the morning, it stays that way for a while; then the next morning the user again gets an error message that the account has to be reset.

Any suggestions?


Server: Exchange Server / Active Directory 2010
Client: Outlook 2010

Thanks
Question by:o0JoeCool0o
12 Comments
 
LVL 37

Expert Comment

by:Mahesh
ID: 39660782
Check whether any scheduled tasks on any servers / workstations run in the security context of the user account.
Check the local DC security event logs for event ID 4740 (2008 / 2008 R2) or 644 (2003).
In the event, basically check the caller computer name.
For example:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=644
Once you identify the caller computer name, check for any scheduled task, service or application configured to use the user account.
It may be due to a virus attack.
It's likely the user has changed the password and a scheduled task / app remains with the old password.

Thanks
0
 
LVL 4

Author Comment

by:o0JoeCool0o
ID: 39660801
Under the security event logs for event 4740 there are a few events, but they are not relevant to the user.

The user recently changed her phone; she also receives e-mails on her phone.

How can I check the scheduled tasks / apps etc. and other things?

I checked the event log under security events; there is nothing relevant to this user.
0
 
LVL 11

Expert Comment

by:Satish Auti
ID: 39660858
Using lockoutstatus.exe will give the status of which server the account is locked on, but will not show the reason why it locks.

Maybe there is an old password still configured in some application which you configured with this account.

Also check the mapped drives with stored passwords. If you have stored passwords, then remap the drives with current credentials.
0
 
LVL 4

Author Comment

by:o0JoeCool0o
ID: 39660892
I am currently using lockoutstatus.exe to check when it locks. We have just one server and it shows the one server only.

I spoke with the user; there is no old password configured on any other device.

She's a remote user and does not have mapped drives.
0
 
LVL 17

Expert Comment

by:Learnctx
ID: 39661196
So on the DC, are you logging failed authentication attempts? In the Security log on the DC, simply filter for failures and find the time the lockout is reported in lockoutstatus. It should give you a source IP address from which the lockout was generated.
0
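The correlation Mahesh and Learnctx describe (find the 4740 lockout, read its caller computer, then look at the failed authentications just before it for a source address) as an added PowerShell example. This is not code from the thread. It assumes an elevated PowerShell on the DC that lockoutstatus.exe names (ideally the PDC emulator, since bad-password attempts are forwarded there), Windows Server 2008 or later, and an audit policy that records Account Management, Account Logon and Logon failures; `jdoe` is a hypothetical account name.

```powershell
# Added example (not from the thread): on the DC, find the 4740 lockout(s) for one
# user and list the failed authentications that preceded each one, with their source.
# Assumed: elevated session on the DC named by lockoutstatus.exe, Server 2008+,
# audit policy enabled for Account Management / Account Logon / Logon failures.
param(
    [string]$User = 'jdoe',        # hypothetical sAMAccountName
    [int]$LookbackMinutes = 30     # window before the lockout to examine
)

# Pull one named field out of an event's EventData XML.
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Lockout events for this user. In 4740 the locked account is TargetUserName
#    and the "Caller Computer Name" field is stored in TargetDomainName.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
    -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

if (-not $lockouts) {
    Write-Warning ("No 4740 events for $User on this DC. Either the lockout was recorded " +
                   "on another DC, or 'Audit User Account Management' is not enabled.")
    return
}

foreach ($lock in $lockouts) {
    $caller = Get-EventField $lock 'TargetDomainName'
    '{0:u}  LOCKOUT  caller computer = {1}' -f $lock.TimeCreated, $caller

    # 2. Failed authentications in the window before the lockout:
    #    4771 = Kerberos pre-auth failed   (Status 0x18        = wrong password)
    #    4776 = NTLM credential validation (Status 0xC000006A  = wrong password)
    #    4625 = failed logon on the DC     (SubStatus 0xC000006A = wrong password)
    $filter = @{
        LogName   = 'Security'
        Id        = 4771, 4776, 4625
        StartTime = $lock.TimeCreated.AddMinutes(-$LookbackMinutes)
        EndTime   = $lock.TimeCreated
    }
    $fails = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

    foreach ($f in $fails) {
        switch ($f.Id) {
            4771 { $src = Get-EventField $f 'IpAddress';   $status = Get-EventField $f 'Status' }
            4776 { $src = Get-EventField $f 'Workstation'; $status = Get-EventField $f 'Status' }
            4625 { $src = Get-EventField $f 'IpAddress';   $status = Get-EventField $f 'SubStatus' }
        }
        '  {0:u}  {1}  source={2}  status={3}' -f $f.TimeCreated, $f.Id, $src, $status
    }

    # 3. Tally failures per source: the top entry is the machine to inspect next.
    $fails |
        Group-Object { (Get-EventField $_ 'IpAddress') + (Get-EventField $_ 'Workstation') } |
        Sort-Object Count -Descending |
        ForEach-Object { '  {0,3} failures from {1}' -f $_.Count, $_.Name }
}
```

Two things to expect in the output: Kerberos 4771 records the client address as an IPv4-mapped IPv6 string (`::ffff:10.0.0.5`), and when the bad password comes from an Exchange ActiveSync phone, both the caller computer in 4740 and the source in 4771/4776 will be the Exchange Client Access server, because CAS authenticates on the phone's behalf. In that case the next hop is the IIS log on that CAS server, where the `Microsoft-Server-ActiveSync` requests carry the device ID and user agent of the phone that keeps sending the stale password.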
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39661536
There may be many causes for an account lockout:
• user's account in Stored User Names and Passwords
• user's account tied to a persistent mapped drive
• user's account used as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after the user's password has changed
• A SMARTPHONE!!!

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the account lockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Virus alert about the Win32/Conficker.B worm:
http://support.microsoft.com/kb/962007 

Conficker Worm: Help Protect Windows from Conficker
http://technet.microsoft.com/en-us/security/dd452420.aspx 

If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm. On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check the multiple 644 logs, you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below; the symptoms of the Conficker virus are given, and also how to deploy the policy to block it.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as the servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644/4740 has not occurred, this means that in the audit policy the user account management policy is not configured. Configure it and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

Sometimes a network trace will be the most helpful piece to figure out where the lockout is coming from.
0
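The two follow-up steps in the accepted solution, checking the caller computer for services and scheduled tasks that still hold the user's credential, and enabling Netlogon debug logging (KB109626) to see which host keeps sending the bad password, as an added PowerShell example. This is not code from the thread or from Microsoft's lockout tools. It assumes administrative rights on the caller computer and on the DC, a Server 2008 / Windows 7 era PowerShell (so no PS 3.0-only syntax), and the names `WS01`, `jdoe` and `CONTOSO` are hypothetical; the netlogon.log lines at the bottom are constructed so that the parser can be run offline.

```powershell
# Added example (not from the thread): locate cached credentials on the caller
# computer, then parse Netlogon debug output for bad-password sources.
# $Computer, $User and $Domain are hypothetical names.
param(
    [string]$Computer = 'WS01',
    [string]$User     = 'jdoe',
    [string]$Domain   = 'CONTOSO'
)

# --- 1. Services and scheduled tasks on the caller computer that run as the user.
#        Both queries need admin rights on $Computer.
Get-WmiObject -Class Win32_Service -ComputerName $Computer |
    Where-Object { $_.StartName -like "*$User*" } |
    Select-Object @{n='Type';e={'Service'}}, Name, StartName, State

schtasks /query /s $Computer /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -like "*$User*" } |
    Select-Object @{n='Type';e={'Task'}}, TaskName, 'Run As User', 'Last Run Time', 'Last Result'

# Stored credentials (Credential Manager) and mapped drives live in the user's own
# profile, so these must be run in an interactive session as that user on $Computer:
#   cmdkey /list
#   net use

# --- 2. Netlogon debug logging on the DC (KB109626). Run elevated on the DC:
#   nltest /dbflag:0x2080ffff     # enable; writes %windir%\debug\netlogon.log
#   nltest /dbflag:0x0            # disable when done (the log grows quickly)
# Wait for the next lockout, then feed the log to the parser below.

function Get-NetlogonBadPasswords {
    param([string[]]$Lines, [string]$User)
    # SamLogon lines look like:
    #   11/20 07:58:41 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 (via EXCH01) Returns 0xC000006A
    # 0xC000006A = wrong password (the attempts that count toward lockout);
    # 0xC0000234 = account already locked out.
    $rx = 'SamLogon: .*logon of (?<domain>[^\\]+)\\(?<user>\S+) from (?<from>\S+)' +
          '(?: \(via (?<via>\S+)\))?.*Returns (?<code>0x[0-9A-Fa-f]+)'
    $Lines | ForEach-Object {
        if ($_ -match $rx -and $Matches['user'] -eq $User -and $Matches['code'] -eq '0xC000006A') {
            New-Object PSObject -Property @{
                Time = $_.Substring(0, 14)     # "MM/DD HH:MM:SS" prefix
                From = $Matches['from']        # client the logon was for
                Via  = $Matches['via']         # server that forwarded it, if any
            }
        }
    } | Group-Object From, Via | Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample (not a real capture) so the parser can be exercised offline.
# For the real thing use: Get-Content "$env:windir\debug\netlogon.log"
$sample = @(
    '11/20 07:58:41 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 (via EXCH01) Returns 0xC000006A',
    '11/20 07:58:43 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 (via EXCH01) Returns 0xC000006A',
    '11/20 07:58:45 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 (via EXCH01) Returns 0xC000006A',
    '11/20 08:01:02 [LOGON] CONTOSO: SamLogon: Interactive logon of CONTOSO\jdoe from WS07 Returns 0x0',
    '11/20 08:01:09 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 (via EXCH01) Returns 0xC000006A'
)
Get-NetlogonBadPasswords -Lines $sample -User $User
```

The `(via ...)` host in a Netlogon line is the server that forwarded the logon to the DC; for a phone on Exchange ActiveSync that will be the Exchange CAS, while the `from` field names the workstation the request claimed to come from. The flag `0x2080ffff` is verbose, so turn it off with `nltest /dbflag:0x0` once the source is found.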
 
LVL 20

Expert Comment

by:compdigit44
ID: 39664289
I have been in a similar situation before; the only way I was able to track down the source of the account lockout was by unlocking the account and then running Network Monitor on the DCs, filtering for authentication attempts.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 39664305
On the user workstation, if using Windows 7, did you clear all stored passwords under Credential Manager?
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 39664307
I just had a thought: are you using Exchange ActiveSync? If so, have the user check the settings on their phone.
0
 
LVL 4

Author Comment

by:o0JoeCool0o
ID: 39666338
How can I do this, running a network monitor on the DCs filtering for authentication attempts? How can I know the source IP that is causing the lockout attempts?

I did check her user settings on the phone and it all seems fine. I also cleared stored passwords under Credential Manager.
0
 
LVL 20

Expert Comment

by:compdigit44
ID: 39666912
Yes, you would run Microsoft Network Monitor on your DCs, then filter for authentication requests. It's a pain, but it was the only way I was able to track down an account lockout issue.

Feel free to upload your packet trace if you would like me to help you review it.
0
 
LVL 4

Author Closing Comment

by:o0JoeCool0o
ID: 39848686
Excellent
0