Status: Solved

User keeps getting locked out

I unlock a user's account at the DC, and within a minute or so the account is locked again. I am not sure how this is happening, or what to do to fix it. Any ideas?
Asked by: Xetroximyn
 
Wilder1626 commented:
Have you ever looked at: Netwrix Account Lockout Examiner
Tool for Alerting & Troubleshooting of Account Lockouts

Alerts on account lockouts, helps troubleshoot these events, and analyzes their potential causes. The accounts can be unlocked via Netwrix Account Lockout Examiner console or a mobile device.

and it is free.
 
David Paris Vicente, Systems and Communications Administrator, commented:
Does this happen automatically? What I mean is: the user doesn't attempt to log on? Also, does that user always use the same computer to log on, or can he use other systems?

What are the attempt-count policies before the user gets locked out?

Can you confirm that an infected system is not trying to use that account to log on through some brute force or a trojan?
 
Will Szymkowski, Senior Solution Architect, commented:
This can get tricky if you have a big AD environment with a lot of DCs. All of the authentication logs are within the Security logs on the DC that the user is authenticating to; if you have more than one DC, it could be in any one of those Security logs.

Also, because the Security logs get heavily used on the DCs, if the log file size is at the defaults it is typical that the log will overwrite itself once it is full. So this then becomes even harder to catch.

What I would recommend is to download AD Audit Plus (free trial) and use that to track where the user is being locked out from. This tool uses the Security logs from all of your DCs and gives you a nice, detailed web interface to see this information. Even if you find the correct Security log, there are usually 4-5 Security log entries for every authentication made.

AD Audit Plus

Some of the other things that can lock out a user account are the following:
- Outlook cached password
- Remote computers that were logged in with an old password when the password has recently been changed
- Service account: if a user has used his/her username/password for a service account and then reset or changed the password, this will also cause the account to lock out

AD Audit Plus is not free, but you can use the trial; it is definitely worth the cost.

Will.
 
Neil Russell, Technical Development Lead, commented:
If the user has a smartphone that picks up email, this will trigger a lockout if the user has changed the password but NOT on the phone.
Same for tablets.

Also, a user who has an OPEN RDP session to a remote PC or server that is still logged in and has not been reset since they reset a password will cause this.

A connection to a remote share with a saved password can also cause this.
 
Xetroximyn (Author) commented:
It is a small environment. It's SBS 2008 with <100 users.

We use Google for email, not Exchange.

I installed Netwrix Account Lockout Examiner. Not seeing a lot here; it tells me it is locked out. It seems I have to know what computer to tell it to examine. I tell it to examine the user's computer, and I get this: http://screencast.com/t/oEQSgLPZL5X
I'm not sure why it fails some of the checks, or whether that means that is the lockout problem or that Netwrix just can't seem to scan that for some reason.
 
Will Szymkowski, Senior Solution Architect, commented:
As stated in my first post, download and install AD Audit Plus. This is easy to set up, and it will tell you exactly what machine your account is being locked out on. From there you can go to that machine and see what is actually locking the account out.

I use this in my environment, and I would not go without it.

Will.
 
Wilder1626 commented:
The error occurs when the Account Lockout Examiner service account cannot access the Remote Desktop Protocol session information of a user. It might happen because the service account does not have enough local permissions on the machine, or because the user being examined has elevated permissions.

You can also give Will Szymkowski's proposal a try. I will also test it.
 
Xetroximyn (Author) commented:
Thanks. So this is what ADAudit Plus shows:
http://screencast.com/t/serBs5N7a1aC

Not sure why anything should be access denied; I am using the domain admin credentials.

Anyway, not sure what this is telling me. Does this mean anything to you?
 
Wilder1626 commented:
This means the product doesn't have the proper privileges to fetch events from the domain controllers. The product may not have enough permissions to read information from the servers.
Please have a look at the link below:

Privileges required for Collecting audit data

From what I see, both pieces of software (Account Lockout Examiner and ADAudit Plus) get the same result: the product may not have enough permissions to read information from the servers.
 
Xetroximyn (Author) commented:
FYI, so I looked at the task mentioned there, and actually at all the scheduled tasks on the PC. There were two that use the user, but they run only when logged in, i.e. they didn't have stored credentials associated. Regardless, I deleted them both.

Now it still gets locked out within seconds of me unlocking it, and this is what ADAudit Plus shows:

http://screencast.com/t/ZPkQWqsgqnpi

I am at a complete loss for where to go next. Any ideas?
 
Xetroximyn (Author) commented:
Thanks! FYI, I followed the instructions you gave for permissions. In all 3 places the "Administrators" group already had full privileges. In the first place I could not edit. In the second two places I could, so I specifically added "administrator" with full rights. No change in behavior, though.

To reiterate: the credentials I am using are the main domain administrator's. I'm not sure why there is anything at all it should not have permissions to do.

Any ideas?
 
Xetroximyn (Author) commented:
FYI, so I went to the PC in question and did all the same stuff. On that PC it only had local accounts with those privileges, so for DCOM and WMI I added the domain admin with rights. (It was a bit tricky; I had to unlock the user account and then add the administrator quickly.)

I was never able to add it to the first thing, as it would never find the administrator user, though for that first thing it did have the "Administrators" group already listed; it did not specify whether it was local or domain.

Anyway, none of this has changed anything. Both tools, for some reason, still don't have privileges. Any ideas?
 
Xetroximyn (Author) commented:
FYI, I was finally able to add "domainname\administrator" to the list in the local security policy thing on the client PC as well. So I added it everywhere I could on both the DC and the client PC, and I still get the same error.

Any ideas?
 
David Paris Vicente, Systems and Communications Administrator, commented:
The best thing to do is enable the audit log and check for the events.

I know some third-party tools can help, but in this case you are struggling with those tools, so try another way, like the audit log.

This is just a suggestion, because without knowing the reason why the user is being locked out, it will be hard to troubleshoot or help.

Regards.
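The approach Will and David describe (read the lockout events from the DCs' Security logs, keeping in mind that the log may have wrapped) can be done without a third-party tool. The script below is an added example for this thread, not code from any of the posters or from Netwrix or ADAudit Plus. It assumes PowerShell 3 or later with the ActiveDirectory RSAT module, run as a domain admin; the account name `jdoe`, the 24-hour window and the 1 GB log size are assumptions. Event 4740 is logged under the "User Account Management" audit subcategory, every lockout is forwarded to the PDC emulator, and the event's "Caller Computer Name" field names the machine that sent the bad password; 4771 is the Kerberos pre-authentication failure that precedes the lockout and carries the client address.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on a DC or
# an admin workstation with RSAT, as a domain admin.
Import-Module ActiveDirectory

$User  = 'jdoe'                      # assumption: sAMAccountName of the locked-out user
$Since = (Get-Date).AddHours(-24)    # assumption: how far back to search

# 1. Confirm the DCs are auditing lockouts at all. 4740 is written under this subcategory;
#    if it reports "No Auditing", enable it (Group Policy or auditpol) before going further.
auditpol /get /subcategory:"User Account Management"

# 2. The PDC emulator receives every lockout, so query it first, then the other DCs in
#    case the PDC's Security log has already wrapped (Will's point about log size).
$pdc = (Get-ADDomain).PDCEmulator
$dcs = @($pdc) + @((Get-ADDomainController -Filter *).HostName | Where-Object { $_ -ne $pdc })

$lockouts = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $Since
        } |
        Where-Object { $_.Properties[0].Value -eq $User } |     # TargetUserName
        ForEach-Object {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                DC             = $dc
                User           = $_.Properties[0].Value
                CallerComputer = $_.Properties[1].Value        # "Caller Computer Name"
            }
        }
    }
    catch {
        # "No events were found" is normal on DCs that did not record this lockout.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}
$lockouts | Sort-Object Time -Descending | Format-Table -AutoSize

# 3. If CallerComputer is blank or is a DC, the bad password arrives through a path the
#    client does not name (a phone syncing mail, an application on a server). The
#    failed Kerberos pre-authentications (4771, Status 0x18 = bad password) for the
#    same user carry the client IP address, which identifies the real source.
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4771; StartTime = $Since
    } |
    Where-Object { $_.Properties[0].Value -eq $User } |
    Select-Object TimeCreated,
                  @{ n = 'DC';            e = { $dc } },
                  @{ n = 'ClientAddress'; e = { $_.Properties[6].Value } },
                  @{ n = 'Status';        e = { $_.Properties[4].Value } } |
    Format-Table -AutoSize
}

# 4. So the evidence survives long enough to be read, raise the Security log size on each
#    DC (1 GB here is an assumption; size it for your environment). Uncomment to apply.
# foreach ($dc in $dcs) { wevtutil sl Security /ms:1073741824 /r:$dc }
```

Go to the machine reported as CallerComputer (or the 4771 client address) and look for whatever still holds the old password there; the account will keep locking every time that stored credential is replayed, which is why unlocking it at the DC only buys a minute.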
 
Bahloul commented:
In most cases you can fix this from the user side:

Most users save their password to access applications and resources automatically, and when they later change their password, some application (or something like a printer) doesn't receive this update. You have to clear all stored passwords on the client PC or update the credentials, then check.

manage-your-credentials.png
Bahloul.
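Neil's list (phones and tablets syncing mail, open RDP sessions, shares with a saved password) and Bahloul's stored-credential advice are the same hunt for wherever the old password is still cached on the client. The script below is an added example for this thread, not code from any of the posters; it inventories those places on the PC that the DC named as the lockout source. It uses only built-in tools (cmdkey, schtasks, qwinsta, net use, WMI) so it also runs on the Windows 7 / Server 2008 era machines of an SBS 2008 domain. The account name `jdoe` is an assumption.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell on the
# client reported as "Caller Computer Name" in the 4740 lockout event.
$User = 'jdoe'    # assumption: the locked-out account

Write-Host "== Stored credentials in Credential Manager (run this part AS THE USER) =="
# cmdkey only lists the vault of the account running it, so run it inside the user's
# own session. A Target that names an old server, share or printer is the usual culprit.
cmdkey /list

Write-Host "== Scheduled tasks that run as $User =="
# 'Logon Mode' of "Interactive/Background" or "Background only" means the task carries a
# stored password that is replayed even with nobody logged on; "Interactive only" does not.
schtasks /query /v /fo CSV |
    ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -like "*$User*" } |
    Select-Object TaskName, 'Run As User', 'Logon Mode', 'Next Run Time' |
    Format-Table -AutoSize

Write-Host "== Services that run as $User =="
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -like "*$User*" } |
    Select-Object Name, StartName, State, StartMode |
    Format-Table -AutoSize

Write-Host "== Console and RDP sessions, including disconnected ones =="
# A disconnected session that was started with the old password keeps re-authenticating.
qwinsta

Write-Host "== Mapped drives and persistent connections =="
net use

# Remediation once the stale credential is found (illustrative commands):
#   cmdkey /delete:<TargetName>                     remove a stored credential
#   schtasks /change /tn "<TaskName>" /ru $User /rp *   re-enter the task's password
#   logoff <SessionId>                              drop a stale disconnected session
#   net use <Drive>: /delete                        then reconnect with the new password
```

Mobile devices are the one source this script cannot see from the PC; for those, the 4771 client address on the DC (an IP on the Wi-Fi range, or the mail server relaying the device's credentials) is the only clue, and the fix is to update the password on the device.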
 
Xetroximyn (Author) commented:
Not sure what was going on, but changing the password one more time seemed to fix it.