  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1138

Account always locks out - Active Directory

Hi,

The user's account always locks out every morning. I have to unlock it every morning. The user is entering the right password too.

After I unlock it in the morning, it stays the same for a while, then again tomorrow the user gets an error message that your account has to be reset in the morning.

Any suggestions?


Server: exchange server / active directory 2010
Client: Outlook 2010

Thanks
0
o0JoeCool0o
Asked:
o0JoeCool0o
1 Solution
 
MaheshArchitectCommented:
Check if any scheduled tasks on any servers \ workstations run in the security context of the user account.
Check the local DC security event logs for event ID 4740 in case of 2008 \ 2008 R2, or 644 in case of 2003 server.
In the event, check the caller computer name basically.
For example:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=644
Once you identify the caller computer name, check for any scheduled task, service or application configured to use the user account.
May be due to a virus attack.
It's likely the user has changed the password and a scheduled task \ app remains with the old password.

Thanks
0
 
o0JoeCool0oAuthor Commented:
Under the security event logs for event 4740... there are a few events... they are not relevant to the user.

The user recently changed her phone, she also received e-mails on her phone too.

How can I check the scheduled tasks / apps etc. and other things?

I checked the event log under security events... there is nothing relevant to this user.
0
 
Satish AutiSenior System AdministratorCommented:
Using lockoutstatus.exe will give the status on which server the account is locked but will not show the reason why it locks.

Maybe there is an old password still configured in some application which you configured with this account.

Also check the mapped drives with stored passwords. If you have a stored password, then remap the drives with current credentials.
0

 
o0JoeCool0oAuthor Commented:
I am currently using lockoutstatus.exe to check when it locks. We have just one server and it shows the one server only.

I spoke with the user... there is no old password configured on any other device.

She's a remote user and does not have mapped drives.
0
 
LearnctxEngineerCommented:
So on the DC are you logging failed authentication attempts? In the security log on the DC simply filter the Security log for fails and find the time the lockout is reported in lockoutstatus. It should give you a source IP address from which the lockout was generated.
0
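The event-log check suggested in the replies above, as an added PowerShell example that is not part of any post in the thread. It lists 4740 lockout events for one user with the caller computer name, then the failed authentications (4771, 4776, 4625) logged shortly before each lockout; the user name and the 30-minute window are placeholder assumptions.

```powershell
# Added example (not from the thread). Run elevated on the domain controller.
$User            = 'jdoe'   # placeholder sAMAccountName of the locked-out user
$LookbackMinutes = 30       # assumed review window before each lockout

function Get-EventFields($Record) {
    # Flatten <EventData><Data Name="..."> into a name/value hashtable.
    $fields = @{}
    foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$node.Name] = $node.'#text'
    }
    $fields
}

# 4740 = account locked out; its TargetDomainName field holds the caller computer name.
$lockouts = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{ Time = $_.TimeCreated; User = $f['TargetUserName']; Caller = $f['TargetDomainName'] }
    } | Where-Object { $_.User -eq $User })

if ($lockouts.Count -eq 0) {
    Write-Warning "No 4740 events for $User; check that user account management auditing is enabled."
}
$lockouts | Sort-Object Time | Format-Table -AutoSize | Out-Host

# 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation,
# 4625 = failed logon. Show those recorded for the same user before each lockout.
foreach ($lock in $lockouts) {
    $filter = @{
        LogName   = 'Security'
        Id        = 4771, 4776, 4625
        StartTime = $lock.Time.AddMinutes(-$LookbackMinutes)
        EndTime   = $lock.Time
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-EventFields $_
            if ($f['TargetUserName'] -eq $User) {
                $src = @($f['IpAddress'], $f['Workstation'], $f['WorkstationName']) | Where-Object { $_ }
                [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; Source = ($src -join ', '); Status = $f['Status'] }
            }
        } | Sort-Object Time | Format-Table -AutoSize | Out-Host
}
```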
 
SandeshdubeyCommented:
There may be many causes for an account lockout.
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw has changed
• A SMARTPHONE!!!

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Virus alert about the Win32/Conficker.B worm:
http://support.microsoft.com/kb/962007 

Conficker Worm: Help Protect Windows from Conficker
http://technet.microsoft.com/en-us/security/dd452420.aspx 

If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm. On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below: the symptoms of the Conficker virus are given, and also how to deploy the policy to block it.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644/4740 has not occurred, this means that the user account management policy is not configured in the audit policy. Configure it and check if the events are occurring. This scenario is for the Conficker virus only, as I have faced the same issue in my network.

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from.
0
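The Netlogon debug log mentioned in the post above, read with an added PowerShell example that is not part of the original post. It tallies bad-password (0xC000006A) and locked-out (0xC0000234) results for one user by source machine; the log lines are constructed sample data, and the function name, user and host names are placeholders.

```powershell
# Added example (not from the thread). The lines below are constructed sample data that
# follow the layout of Netlogon debug log entries; domain, hosts and times are placeholders.
# On a DC with debug logging enabled, read the real file instead:
#   $lines = Get-Content "$env:SystemRoot\debug\netlogon.log"
$lines = @'
03/04 07:58:11 [LOGON] [2140] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from MAILSRV01 Entered
03/04 07:58:11 [LOGON] [2140] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from MAILSRV01 Returns 0xC000006A
03/04 07:58:41 [LOGON] [2140] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from MAILSRV01 Returns 0xC000006A
03/04 07:59:02 [LOGON] [2140] EXAMPLE: SamLogon: Network logon of EXAMPLE\asmith from WKSTN07 Returns 0x0
03/04 07:59:12 [LOGON] [2140] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from MAILSRV01 Returns 0xC0000234
03/04 08:15:40 [LOGON] [2140] EXAMPLE: SamLogon: Network logon of EXAMPLE\jdoe from LAPTOP22 Returns 0xC000006A
'@ -split '\r?\n'

function Get-NetlogonFailure {
    # Hypothetical helper: returns one object per failed logon result for $User.
    param([string[]]$Line, [string]$User)
    $pattern = '^(?<Time>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].* logon of (?<Account>\S+) from (?<Source>\S+).* Returns (?<Status>0x[0-9A-Fa-f]+)\s*$'
    # NTSTATUS values of interest: wrong password and account already locked.
    $reason = @{ '0xC000006A' = 'bad password'; '0xC0000234' = 'account locked out' }
    foreach ($entry in $Line) {
        if ($entry -notmatch $pattern) { continue }        # "Entered" lines and other noise
        $m = $Matches
        if (-not $reason.ContainsKey($m.Status)) { continue }
        if (($m.Account -split '\\')[-1] -ne $User) { continue }   # compare without DOMAIN\ prefix
        [pscustomobject]@{ Time = $m.Time; Source = $m.Source; Reason = $reason[$m.Status] }
    }
}

# Which machines are submitting the failing logons, and how often.
Get-NetlogonFailure -Line $lines -User 'jdoe' |
    Group-Object Source, Reason |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

A source that is a mail or web front-end server means the bad password is arriving through that service, so the next place to look is that server's own logs for the client device.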
 
compdigit44Commented:
I have been in a similar situation before. The only way I was able to track down the source of the account lockout was by unlocking the account and then running Network Monitor on the DCs, filtering for authentication attempts.
0
 
compdigit44Commented:
On the user's workstation, if using Windows 7, did you clear all stored passwords under Credential Manager?
0
 
compdigit44Commented:
I just had a thought: are you using Exchange ActiveSync? If so, have the user check the settings on their phone.
0
 
o0JoeCool0oAuthor Commented:
How can I do this: running a network monitor on the DCs, filtering for authentication attempts? How can I know the source IP that is causing the lockout attempts?

I did check her user settings on the phone and it all seems fine. I also cleared stored passwords under Credential Manager.
0
 
compdigit44Commented:
Yes, you would run Microsoft Network Monitor on your DCs, then filter for authentication requests. It's a pain, but it was the only way I was able to track down an account lockout issue.

Feel free to upload your packet trace if you would like me to help you review it.
0
 
o0JoeCool0oAuthor Commented:
Excellent
0
