Account Lockout

I have one user that is locked out of AD. He is an existing user that has had this account for a long time. If I unlock his AD account, it is relocked within a minute or two. It appears Exchange is causing it to lock. I have turned off his computer and disconnected his iPhone and iPad from Exchange. I turned off OWA and ActiveSync and yet the problem continues. I cannot find any errors in the DC events, but the following is in the Exchange security event logs:

An account failed to log on.

Subject:
    Security ID:        SYSTEM
    Account Name:       SAA-EXG$
    Account Domain:     MyDomain
    Logon ID:           0x3e7

Logon Type:             3

Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       User's Name
    Account Domain:

Failure Information:
    Failure Reason:     Unknown user name or bad password.
    Status:             0xc000006d
    Sub Status:         0xc000006a

Process Information:
    Caller Process ID:  0xafc
    Caller Process Name: I:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe

Network Information:
    Workstation Name:   EXCHANGE SERVER NAME
    Source Network Address: -
    Source Port:        -

Detailed Authentication Information:
    Logon Process:      Advapi
    Authentication Package: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
    Transited Services: -
    Package Name (NTLM only): -
    Key Length:         0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
                - Transited services indicate which intermediate services have participated in this logon request.
                - Package name indicates which sub-protocol was used among the NTLM protocols.
                - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

What am I missing?
tmartin40 Asked:
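As an added illustration (not from the question or any of the answers), a small Python parser that pulls the fields that matter for lockout triage out of a 4625 message body like the one above: the failing account, the decoded Sub Status, and the local process that requested the logon. The sample event is constructed to mirror the quoted one, with `jdoe` as a placeholder user name.

```python
import re

# NTSTATUS sub-status values as documented for Windows event 4625 (common subset)
SUB_STATUS = {"0xc000006a": "wrong password", "0xc0000064": "user name does not exist",
              "0xc0000234": "account locked out", "0xc0000072": "account disabled"}
FIELD = re.compile(r"^(\s*)(.+?):\s*(.*?)\s*$")

def parse_4625(text):
    """Parse a 4625 message body into {section: {field: value}}. Fields such as
    'Account Name' repeat per section, so unindented 'Key:' lines open a section."""
    sections, current = {"Top": {}}, "Top"
    for m in filter(None, map(FIELD.match, text.splitlines())):
        indent, key, value = m.groups()
        if not indent and value == "":
            current = key                                  # section header
        elif not indent:
            sections["Top"][key] = value                   # e.g. 'Logon Type: 3'
        else:
            sections.setdefault(current, {})[key] = value
    return sections

def triage(text):
    """Summarise who failed, why, and which local process requested the logon."""
    s = parse_4625(text)
    sub = s.get("Failure Information", {}).get("Sub Status", "").lower()
    caller = s.get("Process Information", {}).get("Caller Process Name", "")
    return {
        "account": s.get("Account For Which Logon Failed", {}).get("Account Name", ""),
        "reason": SUB_STATUS.get(sub, "unrecognised sub status " + sub),
        "caller": caller.rsplit("\\", 1)[-1],              # executable name only
        "logon_type": s["Top"].get("Logon Type", ""),
        "from_local_service": s.get("Subject", {}).get("Security ID") == "SYSTEM",
    }

# Constructed sample mirroring the event quoted in the question; 'jdoe' is a placeholder
SAMPLE = """\
An account failed to log on.
Subject:
    Security ID:    SYSTEM
    Account Name:   SAA-EXG$
Logon Type:   3
Account For Which Logon Failed:
    Security ID:    NULL SID
    Account Name:   jdoe
    Account Domain:
Failure Information:
    Sub Status:     0xc000006a
Process Information:
    Caller Process Name:  I:\\Program Files\\Microsoft\\Exchange Server\\Bin\\EdgeTransport.exe
"""
```

A "wrong password" sub status from a SYSTEM-owned process such as EdgeTransport.exe points at a stored credential on the Exchange host rather than at the user's own devices, which is the distinction the thread is trying to make.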
Amit (IT Architect) Commented:
Use ADlock tool from MS and find out the source for the lockout.
Amit Kumar Commented:
Can you check whether any Exchange service has been set to run with the user's account on SAA-EXG? By default it should be Local System.
tmartin40 (Author) Commented:
I ran that and it didn't tell me anything
tmartin40 (Author) Commented:
Checked all services.  They're running as local system
awed1 Commented:
Have you tried KB276541?
Scott C (Senior Engineer) Commented:
@awed1... I doubt that KB applies in this case.

The KB you posted applies to:
Microsoft Windows 2000 Server
Microsoft Windows 98 Standard Edition
Microsoft Windows NT Server 4.0 Standard Edition
Allan Martins (ICT Technician) Commented:
There might be another source causing the lock. The first thing to check is when the user last changed his password; if it matches the date when this problem started, bang! You've got it. Probably he has his credentials saved someplace else. Check whether there is any other computer logged in with his account, or even credentials saved on his own computer. When we face similar problems, one of the main changes we have to make is to prompt the user to update the password under Control Panel > Credential Manager (this also applies to users with saved credentials for Outlook). In case you have users using their mobiles for email sync, make sure to ask the user to update his credentials on his device.
Amit (IT Architect) Commented:
If you cannot find the account lockout source, the last option is to rename the SAM name: just go to dsa.msc > user properties > Account tab and append any number or letter at the end. This will stop the locking; however, the user will need to use the new SAM name to log in. It won't break anything or configure anything new.
awed1 Commented:
Ha! Sorry about that.
tmartin40 (Author) Commented:
I'm not sure how to address this.  After trying everything I could think of (which I listed above) and following the guidance that some of you posted, it still did not work.  I took a 15 minute break to eat my lunch, came back, and the account was no longer locked out.  He's been online since just fine.  It is great that the problem is gone but it bothers me that I don't know what was causing it.

I have 3 domain controllers and noticed that 2 of the 3 showed the account to be unlocked.  The remaining DC was what appeared to be locking it out.  I know it is far fetched but maybe it was a sync issue with that DC.  I have no idea, I'm just throwing out random guesses now.
David Johnson, CD, MVP (Owner) Commented:
Replication issues will cause that after a password change.

suriyaehnop Commented:
I have had this experience; it happened for an ActiveSync user. When we checked the IIS log on the Exchange CAS server, we found that there were ActiveSync requests from a device the user had previously used. The user had sold that device.

We have to re-create this AD account.
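As an added illustration of the IIS log check described in this answer (example code, not from the answer or from Exchange): a Python parser over a constructed W3C log excerpt in the default CAS field layout that groups ActiveSync requests per user and DeviceId and lists devices that only ever fail authentication. The user names, device ids, addresses and user agents are placeholders.

```python
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed IIS W3C log excerpt in the default Exchange CAS field layout; the users,
# device ids, addresses and user agents are placeholders, not values from the question
LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-03-05 12:01:10 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=APPL1A2B3C&DeviceType=iPhone&Cmd=Ping 443 MyDomain\\jdoe 203.0.113.7 Apple-iPhone5C2/1102.511 200 0 0 153
2014-03-05 12:01:31 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=OLDDEV9999&DeviceType=Android&Cmd=Sync 443 - 198.51.100.22 Android/4.1-EAS-1.3 401 1 1326 12
2014-03-05 12:01:46 10.0.0.5 POST /Microsoft-Server-ActiveSync User=jdoe&DeviceId=OLDDEV9999&DeviceType=Android&Cmd=Sync 443 - 198.51.100.22 Android/4.1-EAS-1.3 401 1 1326 9
2014-03-05 12:02:02 10.0.0.5 GET /owa/ - 443 MyDomain\\asmith 203.0.113.9 Mozilla/5.0+(Windows+NT+6.1) 200 0 0 41
"""

def parse_iis(text):
    """Yield one dict per request line, naming columns from the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))

def activesync_devices(text):
    """Group ActiveSync requests by (user, DeviceId) with request and 401 counts."""
    devices = defaultdict(lambda: {"requests": 0, "auth_failures": 0, "clients": set(), "last": ""})
    for row in parse_iis(text):
        if row["cs-uri-stem"].lower() != "/microsoft-server-activesync":
            continue
        q = parse_qs(row["cs-uri-query"])
        user = q.get("User", ["?"])[0].lower()
        dev = devices[(user, q.get("DeviceId", ["?"])[0])]
        dev["requests"] += 1
        dev["auth_failures"] += int(row["sc-status"] == "401")
        dev["clients"].add((row["c-ip"], row["cs(User-Agent)"]))   # IIS encodes spaces as '+'
        dev["last"] = row["date"] + " " + row["time"]
    return dict(devices)

def suspect_devices(text):
    """Devices for a user that never authenticated successfully in the window."""
    return sorted(k for k, d in activesync_devices(text).items()
                  if d["auth_failures"] == d["requests"])
```

A device id that appears only with 401s, from an address and user agent the user does not recognise, is the old-device pattern this answer describes; the Exchange-side fix is to remove that device partnership rather than recreate the account.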
tmartin40 (Author) Commented:
All good suggestions but I'm not sure which was the solution