Active Directory user / service account keeps getting locked out, does anybody have any suggestions as to why?

I have to unlock the account like 3 times per day...
Asked by: Harper McDonald
 
Harper McDonald (Author) commented:
Wrote a logon script  (net use z:.....etc) instead of mapped drives and used gpedit.msc to make a logon script at startup for all users.  Works like a charm, account doesn't get logged out.
0
 
Will Szymkowski (Senior Solution Architect) commented:
I would recommend using a product like Lepide Auditor for Active Directory.
http://www.lepide.com/lepideauditor/active-directory.html

You need to make sure that you have your logging enabled.

Free download trial available.


Will.
0
 
pjam commented:
Check their keyboard for starters.
Is this a shared computer where someone may be trying to login to their username?
0

 
Harper McDonald (Author) commented:
They are using different keyboards - I am downloading that software, I guess I need to use the 'set' command to see what DC it's hitting for authentication and run the app on that DC...?
0
 
Matthew Borrusso commented:
Harper,
You need to look at your DC logs. Something is clearly trying to access the logs and is using the wrong password.

1st. If you have not changed this password recently, you need to get on this in the event something or someone is trying to brute force the account.

2nd. If you have changed the account pass recently, your threat is probably minimal and you just need to find the offending device that is attempting to login with the wrong data. Your logs should show this.

Worst case scenario, someone modified the audit policies for the DCs and they are not set right; then you will need to configure your auditing policies. There is a ton of best practice info out there for the Domain Controller audit policies. Regardless of what recommendation Google gives you, you want success/failure on account logon events, account management, and logon events at minimum. I audit much more than that in my production environment, and dump it to an external repository, but you need to set the settings that meet your organization's needs.
0
 
Will Szymkowski (Senior Solution Architect) commented:
All of the logs are in the Security Event Log on the domain controllers. This is why it gets tricky to figure out where it is locking out. Typical lockouts happen because of the following:
- services assigned to a service account with a bad password
- scheduled tasks with bad password
- mapped network drives
- Outlook Anywhere cached creds
- Local cached creds
- Mobile phones
etc

This account could be locking out on multiple different domain controllers, which is why third-party software is key for collecting logs and presenting them in a GUI fashion.

Will.
0
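Since the lockout events live in the Security log of each DC, here is an added PowerShell example (not from any participant in the thread) that pulls the two events that identify the offending device: 4740 (account lockout, always written on the PDC emulator, whose "Caller Computer Name" field carries the machine that sent the bad password) and 4771 (Kerberos pre-authentication failure, written on whichever DC rejected the request, with the client IP). It assumes the RSAT ActiveDirectory module, read access to the DCs' Security logs, and that the audit policy discussed above (account logon / logon events, success and failure) is enabled; the script name and the `-SamAccountName` / `-Hours` parameters are the example's own.

```powershell
# Find-Lockout.ps1 (added example): locate the source of repeated AD account lockouts.
# Assumes RSAT ActiveDirectory module and rights to read Security logs on every DC.
param(
    [Parameter(Mandatory)][string]$SamAccountName,
    [int]$Hours = 24
)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

# Helper: turn an event's <Data Name="..."> elements into a hashtable keyed by Name.
function Get-EventData($Event) {
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 4740 is written on the PDC emulator regardless of which DC saw the bad password.
$pdc = (Get-ADDomain).PDCEmulator
Write-Host "== 4740 lockouts for $SamAccountName on PDC emulator $pdc (last $Hours h) =="
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d['TargetUserName'] -eq $SamAccountName) {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                # In 4740 the "Caller Computer Name" is carried in the TargetDomainName field.
                Caller = $d['TargetDomainName']
            }
        }
    } | Format-Table -AutoSize

# 4771 with Status 0x18 (pre-auth failed: bad password) is logged only on the DC that
# rejected it, so every DC has to be queried to recover the client IP behind it.
Write-Host "== 4771 bad-password pre-auth failures for $SamAccountName, per DC =="
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4771; StartTime = $since } |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d['TargetUserName'] -eq $SamAccountName -and $d['Status'] -eq '0x18') {
                [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; ClientIp = $d['IpAddress'] }
            }
        } | Format-Table -AutoSize
}
```

Run as `.\Find-Lockout.ps1 -SamAccountName svc_backup -Hours 48` from a machine with RSAT; a Caller or ClientIp that keeps repeating is the host with the stale mapped drive, service, scheduled task or cached credential from Will's list.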
 
Harper McDonald (Author) commented:
Why would mapped drives be causing this issue?
0
 
Matthew Borrusso commented:
I do agree that if you have quite a few DCs, you are going to want something to correlate.

I am attaching a reference for eventCombMt utility.
It directly correlates to your problem.

Not the prettiest product, but it's free from MS, so you can't beat the price.
It works, and it certainly gives you a place to start!
Microsoft-reference-for-account-lockout-
0
 
Harper McDonald (Author) commented:
Awesome - I'll check it out
0
 
Harper McDonald (Author) commented:
I've requested that this question be closed as follows:

Accepted answer: 0 points for Harper McDonald's comment #a40621119

for the following reason:

Use gpedit.msc to provide local logon scripts and not use GPOs
0
 
Will Szymkowski (Senior Solution Architect) commented:
That is great that you found a workaround to the issue you had. However, I did mention to check the mapped network drives for places where service accounts can get locked out. Ultimately it was not what you did, but it helped you to your own solution. Points should be awarded accordingly.

Reference ID: 40619773

Will.
0
 
Harper McDonald (Author) commented:
Will had mentioned mapped drives as a cause for locked out accounts, which was an issue for a few accounts, so I had to use a local logon script in gpedit for all users local to that VM.

Thank you Will for your comment.

-Harper
0