Solved

AD account locking for one user

Posted on 2014-07-20
8
471 Views
Last Modified: 2014-08-02
Hi,

I have windows 2008 server with exchange 2010. One user account is getting locked continuously. If I change the password and try to login to OWA/ Outlook, it says password incorrect. If I check the account, it says the account is locked. Tried several times to unlock, but keeps on locking. The user is left the company and there is no system in his name.

How to find out from where the login request coming from, so that we can track and disable that request.
Thanks
0
Comment
Question by:kolathaya123
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
8 Comments
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40207372
Here are some suggestions:

1.  Turn off all mobile devices the user might be using (mail configured will disable the account)
2.  Check user's PC to ensure there are no mapped drives using saved credentials
3.  Go to Control Panel, Credential Manager and delete save credentials
4.  Reboot, reset account and try again

Below is a good read:

http://social.technet.microsoft.com/Forums/windows/en-US/ced8eab6-87e2-4d20-9d18-7aaf5e9713a3/windows-7-clear-cached-credentials?forum=w7itpronetworking
0
 

Author Comment

by:kolathaya123
ID: 40208245
We found the system and now the system is off. and the account is not locking out
But still unable to login to owa/outlook. Getting msg password is wrong. We tried disabling and enabling the ad account, but still the same issue. Something strange. Only for this user
0
 
LVL 2

Expert Comment

by:andrewcamary
ID: 40208282
Please take a look into Account Lockout.Status tool available from Microsoft that can be a good approach to troubleshoot account lockout issue in your environment. It helps to diagnosis the root-cause and provide appropriate solution to resolve the issue in quick attempt. To gather more info, please checkout this : http://social.technet.microsoft.com/wiki/contents/articles/4585.account-locked-out-troubleshooting-eventcombmt.aspx
0
Back Up Your Microsoft Windows Server®

Back up all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

 

Author Comment

by:kolathaya123
ID: 40208294
as per my above post, now the account is not locking out. We checked this using the tool, But still unable to login to OWA/Outlook etc
0
 
LVL 25

Expert Comment

by:Mohammed Khawaja
ID: 40208428
Check AD user properties and see what password age is set to.  Have you tried IISRESET on the web server.
0
 

Author Comment

by:kolathaya123
ID: 40208728
For all other users there is no issue. Only for one user the issue
0
 
LVL 24

Accepted Solution

by:
Sandeshdubey earned 500 total points
ID: 40210759
On thee DC check the security log event id 644(Win2003) or 4740(Win2k8) will occur if the account is getting locked. Open the event and check the caller Machine.If the event id 644/4740 has not occurred then this mean that in audit policy user account management policy is not configured.Configure the same and check if the events are occurring.

There may be many causes for account locked out.
•user's account in stored user name and passwords
•user's account tied to persistent mapped drive
•user's account as a service account
•user's account used as an IIS application pool identity
•user's account tied to a scheduled task
•un-suspending a virtual machine after a user's pw as changed
•A SMARTPHONE!!!

Troubleshooting account lockout the Microsoft PSS way:
http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

In Exchange management Shell run this:
Get-ActiveSyncDeviceStatistics -Mailbox username
This is going to return all the devices the user is using right now and past devices which have established connection with Exchange at least once.

Hope this helps
0

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I was prompted to write this article after the recent World-Wide Ransomware outbreak. For years now, System Administrators around the world have used the excuse of "Waiting a Bit" before applying Security Patch Updates. This type of reasoning to me …
Here's a look at newsworthy articles and community happenings during the last month.
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

632 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question