I have user that keeps getting locked out of Active Directory 2008r2

I have a user that we recently required to change her password. She has an IPHONE, IPAD along with her laptop. After several days of making her change she continues to get locked out. Is there a way for me to trace what device is locking her? It sounds like her old password is still trying to connect somewhere, even though she swears she changed it in all the devices she has. I have been onto our DC and tried searching for her user name in the event viewer, but not had success. Where can I search to find out if she is actually being locked out by active directory and if possible which device or IP address the login attempts are coming from

thanks
LVL 1
Thor2923Asked:
Who is Participating?
 
SandeshdubeySenior Server EngineerCommented:
If user id is getting frequently locked out use the Eventcomb LockoutStatus.exe to determine which DC it is being locked out upon then examine the security log of that domain controller to determine the member server or workstatuion it is occuring on. You can then check scheduled tasks/services to nail down or log user out of the system identified if logged in.On th DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked.Open the event and check the caller Machine.

Note:If the event id 644/4740 has not occured then this mean that in audit policy user account management policy is not configured.

Does user involved has a smartphone or some kind of mobile device using AD credentials for connecting (like exchange), if it fails to connect 3 times (depending on your GPO's), it locks his account.Have a look on all his stuff using his user account automatically, specially his mobile (90% of the time guilty).

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

Paul Bergson's User Account Lockout Troubleshooting
http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html

Download the accountlockout tools and management pack to help resolve the issue.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Auditing failed logon events and account lockouts
http://technet.microsoft.com/en-us/library/cc671957(WS.10).aspx


You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

Using the checked Netlogon.dll to track account lockouts
http://support.microsoft.com/kb/189541

There may be many other causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!

For more refer KB article:http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
0
 
Ram BalachandranCommented:
There are several methods to fix this. Please refer existing solution from EE itself :
>>>>> CLICK HERE
l
0
 
arnoldCommented:
There is an account lockout tool from MS. that will search through the event log on all your DCs.

What is your environment have Exchange, remote access to email, Terminal server? Did the user recently change her password?
VPN
0
Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

 
VirastaRUC Tech Consultant Commented:
Hi,

Check this I guess this will be of additional help

Account Lockout in Windows 2008 R2

Hope that helps :)
0
 
Thor2923Author Commented:
sorry, I was away for the weekend...yes the user recently changed her password and has at least 3 "I devices" such as an IPHONE and IPAD. she has checked to make sure her password was reset in all of them but still having the issue. I will try to lockout tools suggested
0
 
arnoldCommented:
Have the user make sure she did not save her credentials on her system to access.
Control keymgr.dll
Does your environment include a Terminal server where the user has an old active session?
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.