o0JoeCool0o

asked on

Account always locks out - Active Directory

Hi,

The user's account always locks out every morning. I have to unlock it every morning. The user is entering the right password too.

After I unlock it in the morning, it stays the same for a while, then again tomorrow the user gets an error message that your account has to be reset in the morning.

Any suggestions?


Server: Exchange Server / Active Directory 2010
Client: Outlook 2010

Thanks
Mahesh

Check if any scheduled tasks on any servers \ workstations run in the security context of the user account.
Check the local DC security event logs for event ID 4740 in case of 2008 \ 2008 R2, or 644 in case of 2003 Server.
In the event, basically check the caller computer name.
For example:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=644
Once you identify the caller computer name, check for any scheduled task, service or application configured to use the user account.
It may be due to a virus attack.
It's likely the user has changed the password and a scheduled task \ app remains with the old password.

Thanks
ASKER

Under the security event logs for event 4740... there are a few events... they are not relevant to the user.

The user recently changed her phone, she also received e-mails on her phone too.

How can I check the scheduled task / app etc. and other things?

I checked the event log under security events... there is nothing relevant to this user.
Using lockoutstatus.exe will give the status on which server the account is locked but will not show the reason why it locks.

Maybe there is an old password still configured in some application which you configured with this account.

Also check the mapped drives with stored passwords. If you have a stored password, then remap the drives with current credentials.
I am currently using lockoutstatus.exe to check when it locks. We have just one server and it shows the one server only.

I spoke with the user... there is no old password configured on any other device.

She's a remote user and does not have mapped drives.
So on the DC are you logging failed authentication attempts? In the security log on the DC simply filter the Security log for fails and find the time the lockout is reported in lockoutstatus. It should give you a source IP address from which the lockout was generated.
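
The log checks suggested in the replies above, as an added example (not part of the thread and not any participant's code): this PowerShell script reads event 4740 for one account from the Security log of a 2008-or-later DC, prints the caller computer name, and lists failed authentications in the minutes before each lockout. It goes beyond the posts by also reading events 4625, 4771 and 4776; the account name `jdoe`, the 10-minute window and the helper name `Get-EventField` are assumptions.

```powershell
# Added example. Run on a domain controller in an elevated session.
# 'jdoe' is a placeholder account; the 10-minute window is an assumed value.
param(
    [string]$User = 'jdoe',
    [int]$WindowMinutes = 10
)

# Hypothetical helper: read named <Data> fields from the event XML
# instead of relying on the order of the Properties array.
function Get-EventField {
    param($Record, [string[]]$Names)
    $data = ([xml]$Record.ToXml()).Event.EventData.Data
    $out = [ordered]@{ TimeCreated = $Record.TimeCreated; Id = $Record.Id }
    foreach ($n in $Names) {
        $out[$n] = ($data | Where-Object { $_.Name -eq $n }).'#text'
    }
    [pscustomobject]$out
}

# 4740 = account locked out. The "Caller Computer Name" shown in Event Viewer
# is stored in the TargetDomainName field of this event.
$lockouts = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -ErrorAction SilentlyContinue |
    ForEach-Object { Get-EventField $_ 'TargetUserName', 'TargetDomainName' } |
    Where-Object { $_.TargetUserName -eq $User }

foreach ($l in $lockouts) {
    "Lockout at {0}, caller computer: {1}" -f $l.TimeCreated, $l.TargetDomainName

    # Failed authentications shortly before the lockout:
    # 4625 logon failure, 4771 Kerberos pre-authentication failure,
    # 4776 NTLM credential validation (Status 0x0 means success, so skip those).
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625, 4771, 4776
        StartTime = $l.TimeCreated.AddMinutes(-$WindowMinutes)
        EndTime   = $l.TimeCreated
    } -ErrorAction SilentlyContinue |
        ForEach-Object { Get-EventField $_ 'TargetUserName', 'IpAddress', 'WorkstationName', 'Workstation', 'Status' } |
        Where-Object { $_.TargetUserName -eq $User -and $_.Status -ne '0x0' } |
        Format-Table TimeCreated, Id, IpAddress, WorkstationName, Workstation, Status -AutoSize
}
```

If the 4740 query returns nothing for the account, the relevant audit policy may not be enabled on the DC, or the Security log may have rolled over since the last lockout.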
compdigit44

I have been in a similar situation before; the only way I was able to track down the source of the account lockout was by unlocking the account and then running Network Monitor on the DCs, filtering for authentication attempts.
On the user workstation, if using Windows 7, did you clear all stored passwords under Credential Manager?
I just had a thought: are you using Exchange ActiveSync? If so, have the user check the settings on their phone.
How can I do this ---- running a network monitor on the DCs filtering for authentication attempts? How can I know the source IP that is causing the lockout attempts?

I did check her user settings on the phone and it all seems fine. I also cleared stored passwords under Credential Manager.
Yes, you would run Microsoft Network Monitor on your DCs then filter for authentication requests. It's a pain but the only way I was able to track down an account lockout issue.

Feel free to upload your packet trace if you would like me to help you review it.
excellent