Solved

Account always locks out - Active Directory

Posted on 2013-11-19
Last Modified: 2014-02-10
Hi,

The user's account always locks out every morning. I have to unlock it every morning. The user is entering the right password too.

After I unlock it in the morning, it stays the same for a while, then again tomorrow the user gets an error message that your account has to be reset in the morning.

Any suggestions?


Server: exchange server / active directory 2010
Client: Outlook 2010

Thanks
0
Comment
Question by:o0JoeCool0o
12 Comments
 
LVL 35

Expert Comment

by:Mahesh
ID: 39660782
Check if any scheduled tasks on any servers \ workstations run in the security context of the user account.
Check the local DC security event logs for event ID 4740 in the case of 2008 \ 2008 R2, or 644 in the case of a 2003 server.
In the event, check the caller computer name, basically.
For example:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=644
Once you identify the caller computer name, check for any scheduled task, service or application configured to use the user account.
It may be due to a virus attack.
It's likely the user has changed the password and a scheduled task \ app remains with the old password.

Thanks
0
 
LVL 4

Author Comment

by:o0JoeCool0o
ID: 39660801
Under the security event logs for event 4740... there are a few events... they are not relevant to the user.

The user recently changed her phone, she also received e-mails on her phone too.

How can I check the scheduled tasks / apps etc. and other things?

I checked the event log under security events... there is nothing relevant to this user.
0
 
LVL 4

Expert Comment

by:Satish Auti
ID: 39660858
Using lockoutstatus.exe will give the status of which server the account is locked on, but will not show the reason why it locks.

Maybe there is an old password still configured in some application which you configured with this account.

Also check the mapped drives with stored passwords. If you have a stored password, then remap the drives with current credentials.
0
 
LVL 4

Author Comment

by:o0JoeCool0o
ID: 39660892
I am currently using lockoutstatus.exe to check when it locks. We just have one server and it shows the one server only.

I spoke with the user... there is no old password configured on any other device.

She's a remote user and does not have mapped drives.
0
 
LVL 16

Expert Comment

by:Learnctx
ID: 39661196
So on the DC are you logging failed authentication attempts? In the security log on the DC simply filter the Security log for fails and find the time the lockout is reported in lockoutstatus. It should give you a source IP address from which the lockout was generated.
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 39661536
There may be many causes for an account being locked out.
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw has changed
• A SMARTPHONE!!!

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Virus alert about the Win32/Conficker.B worm:
http://support.microsoft.com/kb/962007

Conficker Worm: Help Protect Windows from Conficker
http://technet.microsoft.com/en-us/security/dd452420.aspx

If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm. On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below; the symptoms of the Conficker virus are given, and also how to deploy the policy to block it.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644/4740 has not occurred, this means that the user account management policy is not configured in the audit policy. Configure it and check if the events are occurring. This scenario is only for the Conficker virus, as I have faced the same issue in my network.

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from.
0
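An added example, not part of the original answers: one way to pull the 4740 lockout events discussed above from a domain controller, list the caller computer for one user, and count how many distinct accounts each caller machine has locked out. It assumes PowerShell 3.0 or later in an elevated session on the DC; `jdoe` is a placeholder account name and the 24-hour window is an arbitrary choice.

```powershell
# Added example: run in an elevated PowerShell 3.0+ session on the DC.
$User  = 'jdoe'                      # placeholder sAMAccountName (assumption)
$since = (Get-Date).AddHours(-24)    # look-back window (assumption)

# Turn an event's <EventData> block into a hashtable keyed by field name.
function Get-EventFields($Event) {
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 4740 = "A user account was locked out". In this event the
# TargetDomainName field holds the caller computer name.
$lockouts = Get-WinEvent -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Account  = $f['TargetUserName']
            CallerPC = $f['TargetDomainName']
        }
    }

if (-not $lockouts) {
    # No 4740 events usually means the audit policy is not recording them.
    Write-Warning 'No 4740 events found; check "Audit User Account Management".'
}
else {
    # Lockouts for the one affected user, oldest first.
    $lockouts | Where-Object { $_.Account -eq $User } |
        Sort-Object Time | Format-Table -AutoSize

    # Per caller machine: total lockouts and number of distinct accounts.
    # One machine locking out many accounts matches the worm symptom above.
    $lockouts | Group-Object CallerPC | ForEach-Object {
        [pscustomobject]@{
            CallerPC = $_.Name
            Lockouts = $_.Count
            Accounts = @($_.Group.Account | Sort-Object -Unique).Count
        }
    } | Sort-Object Accounts -Descending | Format-Table -AutoSize
}
```

An empty caller computer name in the output is common when the bad passwords arrive through another server (for example a mail front end), in which case the Netlogon debug log or a network trace mentioned above is the next step.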

 
LVL 19

Expert Comment

by:compdigit44
ID: 39664289
I have been in a similar situation before. The only way I was able to track down the source of the account lockout was by unlocking the account and then running Network Monitor on the DCs, filtering for authentication attempts.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39664305
On the user's workstation, if using Windows 7, did you clear all stored passwords under Credential Manager?
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39664307
I just had a thought: are you using Exchange ActiveSync? If so, have the user check the settings on their phone.
0
 
LVL 4

Author Comment

by:o0JoeCool0o
ID: 39666338
How can I do this ---- running a network monitor on the DCs, filtering for authentication attempts? How can I know the source IP that is causing the lockout attempts?

I did check her user settings on the phone and it all seems fine. I also cleared stored passwords under Credential Manager.
0
 
LVL 19

Expert Comment

by:compdigit44
ID: 39666912
Yes, you would run Microsoft Network Monitor on your DCs, then filter for authentication requests. It's a pain, but it was the only way I was able to track down an account lockout issue.

Feel free to upload your packet trace if you would like me to help you review it.
0
 
LVL 4

Author Closing Comment

by:o0JoeCool0o
ID: 39848686
excellent
0
