Solved

User Account locks out randomly

Posted on 2014-11-04
97 Views
Last Modified: 2015-04-05
Experts!

I'm banging my head against a wall with this one. I have a user account that is getting locked out at random. I have no idea what else to try. We've verified his password, and it's correct. User ID is correct. He is not using his login to run services anywhere. We have checked every server to see if he has an RDP session stuck somewhere, and everything is cleared. He is not logged into anyone else's machines that we know of. He uses a tablet for email as well, but the tablet has the correct login info, as does his phone. We've cleared his desktop of all cached and stored credentials.

We've run scripts against the entire network to verify his user ID doesn't show up anywhere as active, yet the account still continues to throw bad passwords at random DCs. Every minute to 10 minutes, we see another bad hit against a DC, sometimes multiple DCs. What else can we check that we haven't already done?
Question by:cocosyseng
8 Comments
 
LVL 20

Expert Comment

by:Russ Suter
ID: 40422869
Is he using any kind of VPN or credentials to access another network service? I've seen this happen in those cases.
LVL 33

Expert Comment

by:it_saige
ID: 40422870

1. Download the Account Lockout Status tools from Microsoft

http://www.microsoft.com/en-gb/download/details.aspx?id=15201

2. Run 'LockoutStatus.exe'

Run the .msi to extract the files, then run the LockoutStatus.exe tool.

3. Choose 'Select Target' from the File Menu

Enter the user's account name as the target.
Add in the Administrator level credentials then hit OK.

4. Check the results

The LockoutStatus tool will show the status of the account on the domain DCs including the DCs which registered the account as locked and, crucially, which DCs recorded a bad password (the 'Bad Pwd Count' column).

The DCs most likely to give the result you need are those reporting one or more bad passwords as listed in the 'Bad Pwd Count' column.

5. Check the Security log on one of the listed DCs

In the Security Log of one of the domain controllers which show the account as locked, look for (the Filter option will help a lot here) Event ID 4771 on Server 2008 or Event ID 529 on Server 2003 containing the target username.

Specifically you need the log entries which show Failure code 0x18.

6. Note down the client IP address

This is the address of the machine that reported, or holds, the bad password.

7. Look for more 4771/529 events

In the Security Log of the client IP address machine look for more 4771/529 events with 0x18 Failure Codes and trace back to the listed Client IP Address.

Essentially you need to repeat steps 5 to 7 until you get to a more likely culprit (most likely a PC or a mobile device).

8. Identify the type of device issuing the bad password

If it's a PC, then running PING -a <IP_Address> will give you the host name. At which point you can remind the user that they used this PC recently and how they really ought to log off when they're done.

If PING -a doesn't return a host name, look up the MAC address for the leased IP address in the DHCP Management console.

9. Lookup the MAC Address Vendor

Enter the first three bytes of the MAC address into http://www.macvendorlookup.com (other, similar web sites are available).

These instructions were taken from: http://community.spiceworks.com/how_to/show/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

-saige-
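Steps 5 to 8 of the procedure above can be done from one console instead of clicking through each DC's Security log. The script below is an added example, not part of the original answer or of the Microsoft or Spiceworks material it cites: for one account it reads Event ID 4771 from every DC, keeps only entries with Failure Code 0x18 (the bad-password code the steps call out), and groups them by the Client IP that sent the request, with a reverse DNS lookup standing in for PING -a. It assumes the RSAT ActiveDirectory module is installed on the admin workstation, that the caller can read the DCs' Security logs, and that the DCs audit "Kerberos Authentication Service" failures (without that subcategory enabled there are no 4771 events to find, which is the audit-settings point raised later in the thread). The script name Find-BadPasswordSource.ps1 and its parameters are assumptions.

```powershell
# Find-BadPasswordSource.ps1 (assumed name; added example, not from the thread)
# Usage: .\Find-BadPasswordSource.ps1 -SamAccountName jsmith -Hours 24
param(
    [Parameter(Mandatory)] [string] $SamAccountName,   # the account that keeps locking out
    [int] $Hours = 24                                  # how far back to search each DC
)

Import-Module ActiveDirectory   # assumption: RSAT AD module is present

$since = (Get-Date).AddHours(-$Hours)
$dcs   = (Get-ADDomainController -Filter *).HostName

$badPasswords = foreach ($dc in $dcs) {
    try {
        # 4771 = Kerberos pre-authentication failed. Get-WinEvent throws
        # "No events were found" when a DC has none, so treat that as empty.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4771
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        Write-Verbose "${dc}: $($_.Exception.Message)"
        continue
    }

    foreach ($event in $events) {
        # Pull the named EventData fields (TargetUserName, Status, IpAddress, ...) out of the XML.
        $data = @{}
        foreach ($node in ([xml]$event.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }
        # TargetUserName is sometimes written as user@REALM; compare the user part only.
        if (($data.TargetUserName -split '@')[0] -ne $SamAccountName) { continue }
        # 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. a wrong password was presented.
        if ($data.Status -ne '0x18') { continue }
        [pscustomobject]@{
            Time     = $event.TimeCreated
            DC       = $dc
            ClientIP = $data.IpAddress -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        }
    }
}

# Step 8: one row per source address, most attempts first, with a reverse lookup
# in place of PING -a. No PTR record means the next stop is the DHCP lease table.
$badPasswords | Group-Object ClientIP | ForEach-Object {
    $ip      = $_.Name
    $ordered = $_.Group | Sort-Object Time
    $name    = try { [System.Net.Dns]::GetHostEntry($ip).HostName } catch { '(no PTR record)' }
    [pscustomobject]@{
        ClientIP  = $ip
        HostName  = $name
        Attempts  = $_.Count
        FirstSeen = $ordered[0].Time
        LastSeen  = $ordered[-1].Time
        DCs       = ($_.Group.DC | Sort-Object -Unique) -join ', '
    }
} | Sort-Object Attempts -Descending | Format-Table -AutoSize
```

Two things to keep in mind when reading the output. A client that authenticates with NTLM rather than Kerberos produces Event ID 4776 on the DC instead of 4771, with the source in the "Source Workstation" field, so an empty result for a user who is definitely being locked out is a reason to filter for 4776 as well. And when the Client IP turns out to be an Exchange or other application server (the question mentions a tablet and a phone that do mail), that server is only the relay: the real device is in its own logs, such as the IIS logs for ActiveSync, which is the "repeat steps 5 to 7" loop in the answer above.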

Author Comment

by:cocosyseng
ID: 40422909
I've been using this utility to monitor the bad password hits.  I just went through it with my team member, and we're not seeing any of these events in the event viewer for any of the DC's in recent periods.

Author Comment

by:cocosyseng
ID: 40422911
As far as the VPN goes, no, he is not connected to it...
LVL 11

Expert Comment

by:Maclean
ID: 40422991
I usually utilize Netwrix Lockout Examiner (no advertisement, btw; there might be similar tools).
The free version generally gives enough information regarding the source of the lockouts, and in my experience works better than the MS Lockout tools (could be that I am not adept at using the lockout tools to their full functionality, of course).

http://www.netwrix.com/account_lockout_examiner.html
LVL 33

Expert Comment

by:it_saige
ID: 40423014
It could also be that your audit settings are too low to show the above events. It wouldn't hurt to try the tool Maclean recommended. If that doesn't work, we can visit the audit settings.

-saige-
LVL 11

Accepted Solution

by: Maclean (earned 500 total points)
ID: 40423032
On that note from it_saige: do indeed read the small manual which comes with the Netwrix tool if you decide to try it.
It tells you which audit settings are required, and how to set them via GPO. Hope it helps.
Author Closing Comment

by:cocosyseng
ID: 40707420
We got to the bottom of this. Cached credentials again...