Why is user being Locked

We have a user that is getting locked out of his account but we are not sure why\how. This happens all too often. Does anybody know of any utilities\scripts that we can use to find out exactly where a user is getting locked out from, other than combing through the DC Logs?
Rammy CharlesSales EngineerAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Watch the user log in and log out. You should be able to see very quickly if something is going wrong. Many users like to work with caps lock on and then they don't realize it's on when they try to log in.

Also watch the event log on failed log in attempts. Does it look like it's user driven? Meaning the timing of it. Could a user really login and fail 300 times in a row or 3 times in 3 seconds?

Look for the anomaly in the user or in the data. But if the lockouts are not coming from the user then all you have is what's in the event logs. If you rule user error out then my guess would be that someone might be using Remote Desktop to connect and they are picking the wrong machine or it's malicious.

Use a key logger on the users box to isolate if it's the user. Once you rule out user (and a simple key logger will) then you'll know it's a security issue.
Rammy CharlesSales EngineerAuthor Commented:
It is not the user as once we unlock his account he logs in ok. We want to avoid combing through the event log.
Rob GMicrosoft Systems EngineerCommented:
Does the user have a cell phone?
If he/she does, i bet that the cell phone is setup to corp email, and the password was recently changed..
Or they have a computer at home, or some other device.. tablet, where the old password is being used..

Happens here all the time..
I just unlock it twice..
After the second time, the end user has to drive home and turn off there computers and stuff before i will bother..
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Joshua GrantomSenior Systems AdministratorCommented:
This powershell script will look for Lockout Event ID's from your DCs. You can find out what device is causing the lockout.

It is usually a mobile device with ActiveSync or if you use Radius for VPN or Wifi, I would make sure he looks at everything.


Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Rammy CharlesSales EngineerAuthor Commented:
Thanks. We did look at the mobile device and had him re-insert his pw. Still did not resolve the issue.
Joshua GrantomSenior Systems AdministratorCommented:
It could be a scheduled task also. Once you run the script it should tell you the computer it is locking out from.
Rammy CharlesSales EngineerAuthor Commented:
It is telling me that it cannot run because PS is not enabled on this computer
Joshua GrantomSenior Systems AdministratorCommented:
I would download WMF 4.0 and install it. Once you get to know what you can do with Powershell, you will use it all the time.

Or is it an error for Execution Policy?
Check the users local machine and see if there is any old cached credentials in his credential manager. Might be worth looking into something like AD Audit as that normally tells us the IP the authentication attempts are coming from therefore narrowing down the issue. Like the above stated it could be the users phone connecting to the corporate wireless/corporate email/could be logged onto another machine with their old password/scheduled task running with their old password/maybe even access to a shared mailbox or calendar

Have the user stated when the lockouts specifically happen?
Tony MassaCommented:
If you don't have security logging enabled on the desktop (if you know that's where the lockouts are originating, do it via local security policy (GPEDIT.msc).

Use LockOutStatus tool from Microsoft.  It will direct you to the domain controller that is locking out the account.  Once you have the domain controller that is locking out his account, you can simply filter (or search) the security log for the bad password attempts.  This will give you the IP of all of the computer that is sending the bad passwords to the domain controller.

Then you just enable security logging, if it's not on already.  The local security event log will give you the process ID of the application sending bad passwords.  This may, or may not, be helpful with applications that are started/stopped.  If it's a windows service or taskhost.exe, you'll know where to look for a "saved password".

Make sure to check the "Credential Manager" in the Control Panel to see if the user has saved his username/password combo for a network resource.  Then you would simply have the user change or remove the saved credential.
One time I had to track down a problem like this using network monitor on my DC then crawl through the trace
What actually resolved this?
User had a service setup to run under their user ID
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.