Solved

User keeps getting locked out

Posted on 2015-01-04
Last Modified: 2015-01-12
I unlock a user's account at the DC, and within a minute or so the account is locked again... I am not sure how this is happening... or what to do to fix it... any ideas?
Question by:Xetroximyn
16 Comments
 
LVL 11

Accepted Solution

by:
Wilder1626 earned 84 total points
ID: 40530442
Have you ever looked at: Netwrix Account Lockout Examiner
Tool for Alerting & Troubleshooting of Account Lockouts

Alerts on account lockouts, helps troubleshoot these events, and analyzes their potential causes. The accounts can be unlocked via Netwrix Account Lockout Examiner console or a mobile device.

and it is free.
 
LVL 12

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 167 total points
ID: 40530445
This happens automatically, what I mean is, the user doesn't attempt to log on; also, is that user always using the same computer to log on, or can he use other systems?

What are the attempt count policies before the user will be locked?

Can you confirm that an infected system is not trying to use that account to log on through some brute force or trojan?
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 83 total points
ID: 40530446
This can get tricky if you have a big AD environment with a lot of DCs. All of the authentication logs are within the Security logs on the DC (that the user is authenticating to); if you have more than one DC it could be in any one of those Security logs.

Also, because the Security logs get heavily used on the DCs, if the log file size is left at the default it is typical that the log will overwrite itself once it is full. So this then becomes even harder to catch.

What I would recommend is to download AD Audit Plus (free trial) and use that to track where the user is being locked out from. This tool uses the Security logs from all of your DCs and gives you a nice detailed web interface to see this information. Because even if you find the correct Security log, there are usually 4-5 security log entries with every authentication made.

AD Audit Plus

Some of the other things that can lock out a user account are the following...
- Outlook cached password
- Remote computers that were logged in with an old password and the passwords has been recently changed
- Service Account - if a user has used his/her username/password as a service account and reset or changed the password, this will also cause the account to lock out

AD Audit is not free, but you can use the trial, and it is definitely worth it for the cost.

Will.
 
LVL 37

Assisted Solution

by:Neil Russell
Neil Russell earned 83 total points
ID: 40530452
If the user has a smart phone that picks up email, this will trigger a lockout if the user has changed password but NOT on the phone.
Same for tablets.

Also a user who has an OPEN RDP session to a remote PC or server that is still logged in and has not been reset since they reset a password will cause this.

A connection to a remote share with a saved password can also cause this.
 

Author Comment

by:Xetroximyn
ID: 40530461
It is a small environment.  It's SBS 2008, <100 users.

We use google for email not exchange.

I installed Netwrix Account Lockout Examiner... not seeing a lot here... it tells me it is locked out... it seems I have to know what computer to tell it to examine... I tell it to examine the user's computer... I get this http://screencast.com/t/oEQSgLPZL5X
I'm not sure why it fails some of the checks... or if that means that is the lockout problem or that Netwrix just can't seem to scan that for some reason.
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40530468
As stated in my first post, download and install (AD Audit Plus). This is easy to setup and it will tell you exactly what machine your account is being locked out on. From there you can go to that machine and see what is actually locking the account out.

I use this in my environment and I would not go without it.

Will.
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40530495
The error occurs when the Account Lockout Examiner service account cannot access the Remote Desktop Protocol session information of a user. It might happen because the service account does not have enough local permissions on the machine, or the user that is examined has elevated permissions.

You can also give Will Szymkowski's proposal a try. I will also test it.
 

Author Comment

by:Xetroximyn
ID: 40530841
Thanks... So this is what ADAudit Plus shows...
http://screencast.com/t/serBs5N7a1aC

Not sure why anything should be access denied... I am using the domain admin credentials.

Anyway - not sure what this is telling me.  Does this mean anything to you?
 
LVL 11

Expert Comment

by:Wilder1626
ID: 40530847
This means the product doesn't have proper privileges to fetch events from the domain controllers. The product may not have enough permissions to read information from the servers.
Please have a look at this below link:

Privileges required for Collecting audit data

From what I see, both software (Account Lockout Examiner and ADAudit Plus) get the same result. The product may not have enough permissions to read information from the servers.
 

Author Comment

by:Xetroximyn
ID: 40530859
FYI - so I looked at the task mentioned there... actually all the scheduled tasks on the PC.  There were two that use the user, but they were run only when logged in... i.e. they didn't have stored credentials associated... regardless... I deleted them both...

Now it still gets locked out within seconds of me unlocking it and this is what ADAudit Plus shows.

http://screencast.com/t/ZPkQWqsgqnpi

I am at a complete loss for where to go next... any ideas?
 

Author Comment

by:Xetroximyn
ID: 40530868
Thanks!  FYI I followed the instructions you gave for permissions.  In all 3 places the "administrators" group already had full privileges.  In the first place I could not edit.  In the second two places I could, so I specifically added "administrator" with full rights.  No change in behavior though.

To reiterate .. the credentials I am using are the main domain administrator's... I'm not sure why there is anything at all it should not have permissions to do.

Any ideas?
 

Author Comment

by:Xetroximyn
ID: 40530884
FYI - so I went to the PC in question and did all the same stuff... on that PC it only had local accounts with those privileges.  So for DCOM and WMI I added the domain admin with rights.  (It was a bit tricky... I had to unlock the user account and then add the administrator quickly...)

I was never able to add it to the first thing as it would never find the administrator user... though for that first thing it did have the "administrators" group already listed... though it did not specify if it was local or domain.

Anyway - none of this has changed anything.   Both tools for some reason still don't have privileges.  Any ideas?
 

Author Comment

by:Xetroximyn
ID: 40530886
FYI - I was finally able to add "domainname\administrator" to the list of the local security policy thing on the client PC as well... so I added it everywhere I could on both DC and client PC, and still get the same error.  

Any ideas?
 
LVL 12

Assisted Solution

by:David Paris Vicente
David Paris Vicente earned 167 total points
ID: 40533042
The best thing to do is enable the audit log and check for the events.

I know some third party tools can help, but in this case you are struggling with those tools, so try another way, like the audit log.

This is just a suggestion, because without knowing the reason why the user is being locked, it will be hard to troubleshoot or help.


Regards.
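As an added example that is not code from any poster in this thread: a PowerShell script that does what Will and David describe by hand, pulling event 4740 ("A user account was locked out") from the Security log of each domain controller and grouping the hits by the caller computer. It assumes the "Audit User Account Management" (Success) policy is on, the caller is a domain admin, and the RSAT ActiveDirectory module is available unless -DomainController is given; the parameter names are mine.

```powershell
# Added example, not code from any poster in this thread. Reads event 4740
# ("A user account was locked out") from the Security log of each DC and
# groups the hits by the caller computer, i.e. the machine the bad passwords
# came from. Bad-password attempts are forwarded to the PDC emulator, so it
# normally holds the full record, but every DC is queried in case.
# Assumes: "Audit User Account Management" (Success) is enabled on the DCs,
# the caller is a domain admin (or Event Log Readers member), and the RSAT
# ActiveDirectory module is present unless -DomainController is supplied.
param(
    [Parameter(Mandatory)] [string]   $User,             # sAMAccountName being locked out
    [string[]]                        $DomainController, # optional explicit DC list
    [int]                             $Hours = 24
)

if (-not $DomainController) {
    Import-Module ActiveDirectory
    $DomainController = (Get-ADDomainController -Filter *).HostName
}
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }

$hits = foreach ($dc in $DomainController) {
    try {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop |
            ForEach-Object {
                # In 4740 the EventData field TargetUserName is the locked-out
                # account and TargetDomainName carries the "Caller Computer Name".
                $data = ([xml]$_.ToXml()).Event.EventData.Data
                [pscustomobject]@{
                    Time           = $_.TimeCreated
                    DC             = $dc
                    Account        = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                    CallerComputer = ($data | Where-Object Name -eq 'TargetDomainName').'#text'
                }
            } |
            Where-Object Account -eq $User
    } catch {
        # Typical causes: access denied, RPC blocked, or no matching events on this DC
        Write-Warning "${dc}: $($_.Exception.Message)"
    }
}

if (-not $hits) {
    Write-Host "No 4740 events for $User in the last $Hours h: check the audit policy and whether the Security log has already rolled over."
} else {
    # The top caller is the machine holding the stale credential
    # (Outlook, phone, RDP session, mapped drive, service or scheduled task).
    $hits | Group-Object CallerComputer | Sort-Object Count -Descending |
        Select-Object Count, Name, @{ n = 'LastSeen'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
}
```

Run it on the DC (or a machine with RSAT) soon after the account locks, since a busy DC with the default log size can roll the event off before you look.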
 
LVL 3

Assisted Solution

by:Bahloul
Bahloul earned 83 total points
ID: 40535298
In most cases you can fix this from the user side:

Most users save their password to access applications and resources automatically, and later on when he changes his password some applications, such as a printer, don't receive this update. You have to clear all stored passwords on the client PC or update the credentials, then check.

[attached image: manage-your-credentials.png]
Bahloul.
 

Author Closing Comment

by:Xetroximyn
ID: 40545787
Not sure what was going on... but changing the password one more time seemed to fix it.
