Solved

Active Directory user / service account keeps getting locked out, does anybody have any suggestions as to why?

Posted on 2015-02-19
13
263 Views
Last Modified: 2015-03-03

I have to unlock the account like 3 times per day...
Question by:Harper McDonald
13 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40619761
I would recommend using a product like Lepide Auditor for Active Directory.
http://www.lepide.com/lepideauditor/active-directory.html

You need to make sure that you have your logging enabled.

Free download trial available.


Will.
0
 
LVL 17

Expert Comment

by:pjam
ID: 40619762
Check their keyboard for starters.
Is this a shared computer where someone may be trying to login to their username?
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619771
They are using different keyboards - I am downloading that software, I guess I need to use the 'set' command to see what DC it's hitting for authentication and run the app on that DC...?
0
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40619772
Harper,
You need to look at your DC logs. Something is clearly trying to access the logs and is using the wrong password.

1st. If you have not changed this password recently, you need to get on this in the event something or someone is trying to brute force the account.

2nd. If you have changed the account pass recently, your threat is probably minimal and you just need to find the offending device that is attempting to login with the wrong data. Your logs should show this.

Worst case scenario, someone modified the audit policies for the DCs and they are not set right; then you will need to configure your auditing policies. There is a ton of best practice info out there for the Domain Controller audit policies. Regardless of what recommendation Google gives you, you want success/failure on account logon events, account management, and logon events at minimum. I audit much more than that in my production environment, and dump it to an external repository, but you need to set the settings that meet your organization's needs.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 500 total points
ID: 40619773
All of the logs are in the Security Event Log on the domain controllers. This is why it gets tricky to figure out where it is locking out. Typical lockouts happen because of the following:
- services assigned to a service account with a bad password
- scheduled tasks with bad password
- mapped network drives
- Outlook Anywhere cached creds
- Local cached creds
- Mobile phones
etc.

This account could be locking out on multiple different domain controllers which is why a third party software is key for collecting logs and presenting them in a gui fashion.

Will.
0
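The two comments above describe the procedure: read the Security log on the domain controllers, find the computer that keeps submitting the bad credential, then check that machine for the usual culprits (services, scheduled tasks, mapped drives). The PowerShell below is an added example and is not code posted in this thread or part of any product mentioned in it. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the Security log on the PDC emulator and query the offending machine over WinRM/CIM, and that `$SamAccountName` is supplied by the caller; the event field names come from the documented 4740 event schema.

```powershell
# Added example (not from the thread): trace repeated lockouts of one account.
# Every lockout (event 4740, "A user account was locked out") is replicated to
# the PDC emulator, so that one DC is enough to see lockouts caused by bad
# passwords submitted to any DC. $SamAccountName and $Days are assumed inputs.
param(
    [Parameter(Mandatory)] [string]$SamAccountName,
    [int]$Days = 7
)
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}

# Get-WinEvent throws when nothing matches; treat that as "no events".
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read named EventData fields from the XML instead of relying on
        # positional Properties[] indexes, which differ between event IDs.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $d['TargetUserName']
            # For 4740, TargetDomainName carries the "Caller Computer Name",
            # i.e. the machine that sent the bad password that tripped the lockout.
            CallerComputer = $d['TargetDomainName']
            LoggedOnDC     = $_.MachineName
        }
    } | Where-Object { $_.Account -eq $SamAccountName }

if (-not $lockouts) {
    # No 4740 at all usually means the DC audit policy is not logging it.
    # Check with: auditpol /get /subcategory:"User Account Management"
    Write-Host "No 4740 events for $SamAccountName on $pdc in the last $Days days."
    return
}

$lockouts | Sort-Object Time | Format-Table -AutoSize

# Rank the machines that keep triggering the lockout.
$byCaller = $lockouts | Group-Object CallerComputer | Sort-Object Count -Descending
$byCaller | Select-Object @{n='CallerComputer';e={$_.Name}}, Count | Format-Table -AutoSize

# On the top offender, look for the causes listed in the thread that an admin
# can see remotely: services and scheduled tasks configured to run as the account.
$top = $byCaller[0].Name
if ($top -and $top -ne '') {
    $cs = New-CimSession -ComputerName $top -ErrorAction Stop

    Write-Host "Services on $top running as *$SamAccountName*:"
    Get-CimInstance -CimSession $cs -ClassName Win32_Service |
        Where-Object { $_.StartName -like "*$SamAccountName*" } |
        Select-Object Name, StartName, State | Format-Table -AutoSize

    Write-Host "Scheduled tasks on $top running as *$SamAccountName*:"
    Get-ScheduledTask -CimSession $cs |
        Where-Object { $_.Principal.UserId -like "*$SamAccountName*" } |
        Select-Object TaskName, TaskPath | Format-Table -AutoSize

    Remove-CimSession $cs
}
# Mapped drives and cached credentials (Outlook Anywhere, Credential Manager)
# live in the interactive user's profile, so check those logged on as that user
# on $top: "net use" lists persistent mappings, "cmdkey /list" lists saved creds.
```

Run it as `.\Find-LockoutSource.ps1 -SamAccountName svc_backup -Days 3` (file name and account are placeholders). The caller-computer column is the piece that turns "the account locks three times a day" into a specific machine to inspect; if that column is blank or shows a gateway such as a proxy or Exchange server, the failing client sits behind it and the 4771/4776 events on the DCs that machine authenticates against carry the client IP.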
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619778
Why would mapped drives be causing this issue?
0
 
LVL 3

Expert Comment

by:Matthew Borrusso
ID: 40619800
I do agree that if you have quite a few DCs, you are going to want something to correlate.

I am attaching a reference for eventCombMt utility.
It directly correlates to your problem.

Not the prettiest product, but it's free from MS, so you can't beat the price.
It works, and it certainly gives you a place to start!
Microsoft-reference-for-account-lockout-
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40619816
Awesome - I'll check it out
0
 
LVL 4

Accepted Solution

by:
Harper McDonald earned 0 total points
ID: 40621119
Wrote a logon script (net use z:.....etc) instead of mapped drives and used gpedit.msc to make a logon script at startup for all users. Works like a charm, account doesn't get logged out.
0
 
LVL 4

Author Comment

by:Harper McDonald
ID: 40621156
I've requested that this question be closed as follows:

Accepted answer: 0 points for Harper McDonald's comment #a40621119

for the following reason:

Use gpedit.msc to provide local logon scripts and not use GPOs
0
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40621157
That is great that you found a workaround to the issue you had. However, I did mention to check the mapped network drives for places where service accounts can get locked out. Ultimately it was not what you did but helped you to your own solution. Points should be awarded accordingly.

Reference ID: 40619773

Will.
0
 
LVL 4

Author Closing Comment

by:Harper McDonald
ID: 40641447
Will had mentioned mapped drives as a cause for locked out accounts, which was an issue for a few accounts, so I had to use a local logon script in gpedit for all users local to that VM.

Thank you Will for your comment.

-Harper
0