Solved

Account always locks out - Active Directory

Posted on 2013-11-19
Last Modified: 2014-02-10
Hi,

The user's account always locks out every morning. I have to unlock it every morning. The user is entering the right password too.

After I unlock it in the morning, it stays the same for a while, then again tomorrow the user gets an error message that your account has to be reset in the morning.

Any suggestions?


Server: exchange server / active directory 2010
Client: Outlook 2010

Thanks
Question by:o0JoeCool0o
12 Comments

Expert Comment

by:Mahesh
ID: 39660782
Check for any scheduled tasks on any servers \ workstations running in the security context of the user account.
Check the local DC security event logs for event ID 4740 in case of 2008 \ 2008 R2, or 644 in case of a 2003 server.
In the event, check the caller computer name, basically.
For ex:
http://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=644
Once you identify the caller computer name, check for any scheduled task, service or application configured to use the user account.
It may be due to a virus attack.
It's likely the user has changed the password and a scheduled task \ app remains with the old password.

Thanks

Author Comment

by:o0JoeCool0o
ID: 39660801
Under the security event logs for event 4740... there are few events... they are not relevant to the user.

The user recently changed her phone, she also received e-mails on her phone too.

How can I check the scheduled task / app etc. and other things?

I checked the event log under security events... there is nothing relevant to this user.

Expert Comment

by:Satish Auti
ID: 39660858
Using lockoutstatus.exe will give the status of which server the account is locked on, but will not show the reason why it locks.

Maybe there is an old password still configured in some application which you configured with this account.

Also check the mapped drives with stored passwords. If you have a stored password, then remap the drives with current credentials.

Author Comment

by:o0JoeCool0o
ID: 39660892
I am currently using lockoutstatus.exe to check when it locks. We have just one server and it shows the one server only.

I spoke with the user... there is no old password configured on any other device.

She's a remote user and does not have mapped drives.

Expert Comment

by:Learnctx
ID: 39661196
So on the DC are you logging failed authentication attempts? In the security log on the DC simply filter the Security log for fails and find the time the lockout is reported in lockoutstatus. It should give you a source IP address from which the lockout was generated.

Accepted Solution

by:Sandeshdubey
ID: 39661536
There may be many causes for account lockout.
• user's account in stored user names and passwords
• user's account tied to a persistent mapped drive
• user's account as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw has changed
• A SMARTPHONE!!!

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

Virus alert about the Win32/Conficker.B worm:
http://support.microsoft.com/kb/962007 

Conficker Worm: Help Protect Windows from Conficker
http://technet.microsoft.com/en-us/security/dd452420.aspx 

If multiple user IDs are getting locked in AD, this could be a symptom of the Win32/Conficker worm. On the DC, check the security log: event ID 644 (Win2003) or 4740 (Win2k8) will occur if the account is getting locked. Open the event and check the caller machine. If you check multiple 644 logs you will find the same caller machine. If this is the case, unplug the caller machine from the network, do Windows patching on the PC, update the virus definitions and do a full scan. There could be multiple PCs in the environment which may be affected by the Conficker virus.

If it has spread to multiple PCs, create a GPO. Refer to the MS link below: the symptoms of the Conficker virus are given, and also how to deploy the policy to block it.
http://support.microsoft.com/kb/962007

Also make sure that all the PCs as well as servers are patched and the latest virus definitions are present on all PCs.

Note: If event ID 644/4740 has not occurred, this means that the user account management policy is not configured in the audit policy. Configure it and check if the events are occurring. This scenario is for the Conficker virus only, as I have faced the same issue in my network.

Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from.
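
The lookup the answers above describe (find event 4740 on the DC and read the caller computer name), as an added example that is not part of the original thread. The function names, the user `jdoe` and the host `LAPTOP-EXAMPLE` are made up for illustration, and it assumes user account management auditing is enabled so that 4740 is logged at all.

```powershell
# Added example (not from the thread). Names and sample values are hypothetical.

# Flatten an event's <EventData> into a name -> value table.
function ConvertFrom-EventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $fields = @{}
    foreach ($d in ([xml]$Xml).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

# Turn one 4740 event into a record. In 4740 the locked account is
# TargetUserName and the "Caller Computer Name" is stored in TargetDomainName.
function Get-LockoutRecord {
    param([Parameter(Mandatory)][string]$Xml, [datetime]$Time)
    $f = ConvertFrom-EventXml -Xml $Xml
    [pscustomobject]@{ Time = $Time; User = $f.TargetUserName; Caller = $f.TargetDomainName }
}

# Query a DC (ideally the PDC emulator, which sees every lockout) for one user.
function Get-LockoutSource {
    param([Parameter(Mandatory)][string]$UserName,
          [string]$DomainController = $env:COMPUTERNAME,
          [int]$Days = 2)
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { Get-LockoutRecord -Xml $_.ToXml() -Time $_.TimeCreated } |
        Where-Object { $_.User -eq $UserName }
}

# Constructed sample event (trimmed to the fields used) to show the mapping offline.
$sample = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetDomainName">LAPTOP-EXAMPLE</Data>
  </EventData>
</Event>
'@
Get-LockoutRecord -Xml $sample -Time (Get-Date)

# On a DC, from an elevated prompt: which machine keeps locking the account?
# Get-LockoutSource -UserName 'jdoe' | Group-Object Caller | Sort-Object Count -Descending
```

If the caller turns out to be a server rather than the user's own PC, the failed-logon events on that server around the same time are the next place to look for the originating address.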

Expert Comment

by:compdigit44
ID: 39664289
I have been in a similar situation before; the only way I was able to track down the source of the account lockout was by unlocking the account and then running Network Monitor on the DCs, filtering for authentication attempts.

Expert Comment

by:compdigit44
ID: 39664305
On the user's workstation, if using Windows 7, did you clear all stored passwords under Credential Manager?

Expert Comment

by:compdigit44
ID: 39664307
I just had a thought: are you using Exchange ActiveSync? If so, have the user check the settings on their phone.

Author Comment

by:o0JoeCool0o
ID: 39666338
How can I do this ---- running a network monitor on the DCs filtering for authentication attempts? How can I know the source IP that is causing the lockout attempts?

I did check her user settings on the phone and it all seems fine. I also cleared stored passwords under Credential Manager.

Expert Comment

by:compdigit44
ID: 39666912
Yes, you would run Microsoft Network Monitor on your DCs, then filter for authentication requests. It's a pain, but the only way I was able to track down an account lockout issue.

Feel free to upload your packet trace if you would like me to help you review it.

Author Closing Comment

by:o0JoeCool0o
ID: 39848686
excellent