Solved

Active Directory user / service account keeps getting locked out, does anybody have any suggestions as to why?

Posted on 2015-02-19
Last Modified: 2015-03-03

I have to unlock the account like 3 times per day...
Question by:Harper McDonald
13 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619761
I would recommend using a product like Lepide Auditor for Active Directory.
http://www.lepide.com/lepideauditor/active-directory.html

You need to make sure that you have logging enabled.

Free download trial available.


Will.
0
 
LVL 17

Expert Comment

by:pjam
ID: 40619762
Check their keyboard for starters.
Is this a shared computer where someone may be trying to login to their username?
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619771
They are using different keyboards - I am downloading that software, I guess I need to use the 'set' command to see what DC it's hitting for authentication and run the app on that DC...?
0
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40619772
Harper,
You need to look at your DC logs. Something is clearly trying to access the logs and is using the wrong password.

1st. If you have not changed this password recently, you need to get on this in the event something or someone is trying to brute force the account.

2nd. If you have changed the account pass recently, your threat is probably minimal and you just need to find the offending device that is attempting to login with the wrong data. Your logs should show this.

Worst case scenario, someone modified the audit policies for the DCs and they are not set right; then you will need to configure your auditing policies. There is a ton of best practice info out there for the Domain Controller audit policies. Regardless of what recommendation Google gives you, you want success/failure on account login events, account management, and logon events at minimum. I audit much more than that in my production environment, and dump it to an external repository, but you need to set the settings that meet your organization's needs.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40619773
All of the logs are in the Security Event Log on the domain controllers. This is why it gets tricky to figure out where it is locking out. Typical lockouts happen because of the following:
- services assigned to a service account with a bad password
- scheduled tasks with bad password
- mapped network drives
- Outlook Anywhere cached creds
- Local cached creds
- Mobile phones
etc

This account could be locking out on multiple different domain controllers, which is why third-party software is key for collecting logs and presenting them in a GUI fashion.

Will.
0
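Added example, not part of any post in this thread: the correlation the two comments above describe, finding the offending device from lockout events collected on several DCs. It assumes the Security-log events (ID 4740, account locked out) have already been exported as XML from each domain controller; the DC, account and computer names below are constructed.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

def _event(dc, event_id, **data):
    """Build one constructed event in the Windows event XML layout."""
    fields = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (dc, f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
                f'</System><EventData>{fields}</EventData></Event>')

# Constructed sample: (domain controller, event XML) pairs; all names are made up.
SAMPLE = [
    _event("DC01", 4740, TargetUserName="svc_app", TargetDomainName="VM-APP07"),
    _event("DC02", 4740, TargetUserName="svc_app", TargetDomainName="VM-APP07"),
    _event("DC02", 4740, TargetUserName="svc_app", TargetDomainName="PC-0142"),
    _event("DC01", 4740, TargetUserName="jdoe", TargetDomainName="PC-0310"),
    _event("DC01", 4624, TargetUserName="svc_app", TargetDomainName="EXAMPLE"),
]

def lockout_sources(events, account):
    """Count 4740 lockouts for `account` by caller computer, across all DCs."""
    sources, seen_on = Counter(), {}
    for dc, xml_text in events:
        root = ET.fromstring(xml_text)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4740":
            continue  # keep only "a user account was locked out" events
        data = {d.get("Name"): (d.text or "")
                for d in root.findall("e:EventData/e:Data", NS)}
        if data.get("TargetUserName", "").lower() != account.lower():
            continue
        # In event 4740 the caller computer name is stored in TargetDomainName.
        caller = data.get("TargetDomainName") or "(blank)"
        sources[caller] += 1
        seen_on.setdefault(caller, set()).add(dc)
    # Most frequent source first, with the DCs that recorded it.
    return [(c, n, sorted(seen_on[c])) for c, n in sources.most_common()]

if __name__ == "__main__":
    for caller, count, dcs in lockout_sources(SAMPLE, "svc_app"):
        print(f"{caller}: {count} lockout(s), logged on {', '.join(dcs)}")
```

The computer at the top of the list is where to look for the stale credential sources listed in the comment above (services, scheduled tasks, mapped drives, cached credentials).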
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619778
Why would mapped drives be causing this issue?
0
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40619800
I do agree that if you have quite a few DCs, you are going to want something to correlate.

I am attaching a reference for the EventCombMT utility.
It directly correlates to your problem.

Not the prettiest product, but it's free from MS, so you can't beat the price.
It works, and it certainly gives you a place to start!
Microsoft-reference-for-account-lockout-
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619816
Awesome - I'll check it out
0
 
LVL 4

Accepted Solution

by:
Harper McDonald earned 0 total points
ID: 40621119
Wrote a logon script (net use z:.....etc) instead of mapped drives and used gpedit.msc to make a logon script at startup for all users. Works like a charm, account doesn't get logged out.
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40621156
I've requested that this question be closed as follows:

Accepted answer: 0 points for Harper McDonald's comment #a40621119

for the following reason:

Use gpedit.msc to provide local logon scripts and not use GPOs
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40621157
That is great that you found a workaround to the issue you had. However, I did mention to check the mapped network drives for places where service accounts can get locked out. Ultimately it was not what you did but helped you to your own solution. Points should be awarded accordingly.

Reference ID: 40619773

Will.
0
 
LVL 4

Author Closing Comment

by:Harper McDonald
ID: 40641447
Will had mentioned mapped drives as a cause for locked out accounts, which was an issue for a few accounts, so I had to use a local logon script in gpedit for all users local to that VM.

Thank you Will for your comment.

-Harper
0
