AD account keeps getting locked out

I have a user who gets locked out every time she logs in through RDP to her work desktop.
Her work PC is running Windows 7 Pro. If I log into it using the user's account, it works fine; it doesn't lock the account.

The user is on vacation and has a laptop that she logged into with her user account.
After she connects via VPN and then tries to RDP into her work desktop, within 30 seconds or so it locks the user account.

I'm scratching my brain trying to figure out how to solve this issue.

Here's what I have done so far.
1. I have reset her password to a different password.
2. I made sure she does not have an email account on her smartphone or any other device.
3. I ran gpresult > c:\file.txt (and I didn't see anything wrong that I can tell).
4. I used Netwrix Account Lockout Examiner, which helped a bit: it found scheduled tasks that could have been locking her out, so I deleted all the scheduled tasks. Besides that, everything else was fine.
5. I found under the user's account, in the Attribute Editor, that the attribute "lockoutTime" was a huge number, "130886540111017723". I looked at a few other accounts, and the value was 0, so I changed it to 0, but after the account got locked again, it changed the zero to the same number.

I'm not sure what else to do, any assistance would be greatly appreciated.
[Attachment: LockoutTime.png]
Asked by Dan, Network Engineer.
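The value in step 5 is not a flag: lockoutTime is a Windows FILETIME (100-nanosecond intervals since 1601-01-01 UTC) that records when the lock was set, and 0 means "not locked". Writing 0 into it unlocks the account, which is all Unlock-ADAccount does, but it says nothing about what is sending the bad passwords, so the lock comes straight back. The following is an added example, not part of the original post, that decodes the posted value, prints the domain lockout policy, and reads the per-DC bad-password counters for the account. It assumes the RSAT ActiveDirectory module on a domain-joined admin machine; the account name userA and the FILETIME value are taken from the thread.

```powershell
# Added example (not from the thread): decode lockoutTime and collect the
# lockout-related attributes for one account from every DC.
# Assumes the RSAT ActiveDirectory module; the account name and the FILETIME
# value are the ones posted in the question.
Import-Module ActiveDirectory

$sam = 'userA'

# The value from step 5 is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
$lockoutTime = 130886540111017723
[DateTime]::FromFileTimeUtc($lockoutTime)      # UTC time at which the lock was set
[DateTime]::FromFileTime($lockoutTime)         # the same instant in local time

# The policy that decides how many bad passwords trip the lock, for how long,
# and over what window. Fine-grained policies, if any, are shown by
# Get-ADUserResultantPasswordPolicy -Identity $sam.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object LockoutThreshold, LockoutDuration, LockoutObservationWindow

# badPwdCount and badPasswordTime are NOT replicated: each DC keeps its own.
# The DC whose counter is non-zero is the one that received the failed attempts,
# which is the Security log to read first.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
foreach ($dc in $dcs) {
    Get-ADUser -Identity $sam -Server $dc `
        -Properties badPwdCount, badPasswordTime, lockoutTime, LockedOut |
        Select-Object @{n='DC'; e={ $dc }},
                      badPwdCount,
                      @{n='LastBadPassword'; e={ if ($_.badPasswordTime) { [DateTime]::FromFileTime($_.badPasswordTime) } }},
                      @{n='LockoutTime';     e={ if ($_.lockoutTime)     { [DateTime]::FromFileTime($_.lockoutTime) } }},
                      LockedOut
}

# The supported way to clear the lock; it sets lockoutTime back to 0.
# Unlock-ADAccount -Identity $sam
```

The posted value decodes to 2015-10-07 01:13:31 UTC, a few minutes before the 4625 event quoted later in the thread, which is what you expect: the 4625 with "account locked out" is logged after the lock is already in place. Note that the per-DC counters are reset when the observation window expires or the password is validated successfully, so read them shortly after a lockout.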

Nick Rhode, IT Director, commented:
She doesn't have any saved passwords in Credential Manager, does she? You can open up Credential Manager on the system to verify there are no saved passwords on the system. This seems to be the most common cause associated with account lockouts. Check both systems and see if there are any.
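Stored credentials are one of several places a machine will replay a password on its own. Scheduled tasks (which step 4 of the question already turned up), services running as the user, persistent mapped drives, disconnected RDP sessions that still hold the old token, and Kerberos tickets obtained with the old password behave the same way, each contributing a bad attempt until the threshold trips. The following is an added example, not from the thread, that inventories all of them on one Windows machine; run it elevated on both the work desktop and the laptop, and run the cmdkey part inside the user's own session because Credential Manager is per profile. It assumes Windows PowerShell on the machines in the thread (Get-WmiObject is used so it also works on Windows 7); userA is the account name from the thread.

```powershell
# Added example (not from the thread): inventory of the places on a Windows
# machine that replay a stored password by themselves, which is what produces a
# lockout within seconds of connecting. Run elevated on every machine the user
# has touched. $sam is the account name from the thread.
$sam = 'userA'

# 1. Credential Manager. Stored credentials are per profile, so run this part
#    in the user's own session (or as the user with runas).
'== Credential Manager =='
cmdkey /list | Select-String -Pattern $sam

# 2. Scheduled tasks that run as the account: a stale password is one bad
#    attempt per run, and hidden tasks do not show in the Task Scheduler UI.
'== Scheduled tasks =='
schtasks /query /v /fo csv | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $sam } |
    Select-Object TaskName, 'Next Run Time', 'Run As User', Status

# 3. Services whose logon account is the user (Get-WmiObject so this runs on
#    Windows 7; on PowerShell 7 use Get-CimInstance).
'== Services =='
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -match $sam } |
    Select-Object Name, StartName, State

# 4. Persistent drive mappings reconnect at logon with whatever password they
#    were created with.
'== Mapped drives =='
net use

# 5. Disconnected RDP sessions on this machine keep their token, and anything
#    inside them keeps authenticating with the password current at logon time.
'== Sessions =='
qwinsta 2>$null

# 6. Kerberos tickets in the current session. After a password change, purge
#    them so the next request gets a TGT with the new password.
'== Kerberos tickets =='
klist
# klist purge
```

The usual outcome is that one of these lists names the culprit; when none does, the bad attempts are coming from something that is not this machine at all, which is where the DC-side Security log is needed.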

Dan, Network Engineer (author), commented:
Thanks for the comment. I just checked, and there's nothing: under Windows Credentials, Certificate-Based Credentials and Generic Credentials, there are no credentials.
Deorali commented:
Check for event ID 4625 on your DCs. The Network Information fields indicate where a remote logon request originated including the source IP address. Workstation name is not always available and may be left blank in some cases.

adamdalg commented:
There are two very common reasons at my place of employment for this issue. One is that two computers are using the same computer name. Two is that the user has multiple devices using the same Wi-Fi connection.
Dan, Network Engineer (author), commented:
I found this warning, so I'm not sure if this has anything to do with it, but I've never seen this before:
During the past 4.23 hours there have been 346 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

Looks like this error shows up every four and a half hours or so.

I did find this in one of my DCs, but it doesn't tell me why it happened.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/6/2015 6:17:20 PM
Event ID:      4625
Task Category: Account Lockout
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DC2.domain.org
Description:
An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            DC2$
      Account Domain:            domain
      Logon ID:            0x3E7

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            userA
      Account Domain:            domain

Failure Information:
      Failure Reason:            Account locked out.
      Status:                  0xC0000234
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x234
      Caller Process Name:      C:\Windows\System32\lsass.exe

Network Information:
      Workstation Name:      DC2
      Source Network Address:      192.168.100.3
      Source Port:            31882

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12546</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-07T01:17:20.293676700Z" />
    <EventRecordID>131132669</EventRecordID>
    <Correlation />
    <Execution ProcessID="564" ThreadID="3420" />
    <Channel>Security</Channel>
    <Computer>DC2.domain.org</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC2$</Data>
    <Data Name="SubjectDomainName">domain</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">userA</Data>
    <Data Name="TargetDomainName">domain</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">DC2</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x234</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">192.168.100.3</Data>
    <Data Name="IpPort">31882</Data>
  </EventData>
</Event>
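The event above has Status 0xC0000234 (STATUS_ACCOUNT_LOCKED_OUT): it was logged because the account was already locked when this request arrived, so it identifies a consumer of the lock, not its cause. The attempts that count toward the threshold show up as 4625 with Status 0xC000006A (wrong password), as 4776 NTLM credential validations with the same error code, or as Kerberos pre-authentication failures (4771, failure code 0x18). The lock itself is written as event 4740 on the PDC emulator, whose "Caller Computer Name" field names the machine that submitted the final bad password. Logon Process "Advapi" with lsass.exe as the caller means the LSA on DC2 itself was asked to validate the credential, and the Source Network Address is the host that submitted it; which protocol that host used is not shown in the event. The script below is an added example (not from the thread) that collects 4740 from the PDC emulator, the per-attempt events for the account from every DC, and, because the same post raised the NO_CLIENT_SITE warning, the NO_CLIENT_SITE entries from each DC's netlogon.log, so the client name and IP behind the bad passwords can be matched against the unmapped subnets. It assumes the RSAT ActiveDirectory module, remote read access to the DCs' Security logs, and access to their admin$ share; userA is the account from the thread and Get-EventData is a helper written for this example.

```powershell
# Added example, not from the thread: trace an AD lockout back to its source.
# Assumes RSAT ActiveDirectory, remote read access to each DC's Security log
# (Audit Logon, Audit Credential Validation, Audit Kerberos Authentication
# Service and Audit User Account Management must be on for 4625/4776/4771/4740
# to exist), and the admin$ share on each DC.
Import-Module ActiveDirectory

$sam   = 'userA'                 # account name from the thread
$since = (Get-Date).AddHours(-24)

# Helper for this example: turn an event's EventData into a hashtable keyed by
# the Data Name attribute, the same names seen in the Event Xml posted above.
function Get-EventData {
    param($Event)
    $data = @{}
    $xml  = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $data
}

# 1. 4740 on the PDC emulator: the lock itself, with the machine that caused it.
#    The caller computer name is carried in the TargetDomainName field of 4740.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetUserName -eq $sam) {
            [pscustomobject]@{ Time = $_.TimeCreated; Locked = $d.TargetUserName; CallerComputer = $d.TargetDomainName }
        }
    }

# 2. 4625 / 4776 / 4771 on every DC: the individual attempts. Status 0xC000006A
#    (4625, 4776) or failure code 0x18 (4771) is a wrong password and counts;
#    0xC0000234, as in the event posted above, is logged after the lock exists.
$dcs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName
$dcs | ForEach-Object {
    $dc = $_
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4625, 4776, 4771; StartTime = $since } |
        ForEach-Object {
            $d = Get-EventData $_
            if ($d.TargetUserName -eq $sam) {
                [pscustomobject]@{
                    DC          = $dc
                    Time        = $_.TimeCreated
                    EventId     = $_.Id
                    Status      = $d.Status          # NTSTATUS for 4625/4776, Kerberos code for 4771
                    SubStatus   = $d.SubStatus
                    LogonType   = $d.LogonType
                    Workstation = if ($d.WorkstationName) { $d.WorkstationName } else { $d.Workstation }
                    SourceIP    = $d.IpAddress
                    LogonProc   = $d.LogonProcessName
                }
            }
        }
} | Sort-Object Time | Format-Table -AutoSize

# 3. NO_CLIENT_SITE entries from each DC's netlogon.log. The warning quoted in
#    the post says the first word after the tag is the client name and the
#    second its IP; a VPN pool with no subnet object shows up here. Match the
#    IPs against the SourceIP column above.
$dcs | ForEach-Object {
    $dc  = $_
    $log = "\\$dc\admin$\debug\netlogon.log"
    if (Test-Path $log) {
        Select-String -Path $log -Pattern 'NO_CLIENT_SITE:\s+(\S+)\s+(\S+)' |
            ForEach-Object {
                [pscustomobject]@{ DC = $dc; Client = $_.Matches[0].Groups[1].Value; IP = $_.Matches[0].Groups[2].Value }
            }
    }
} | Sort-Object Client, IP -Unique | Format-Table -AutoSize
```

Read the output in order: the 4740 row tells you which machine delivered the last bad password; the first 0xC000006A or 0x18 row after the previous unlock tells you when the run of bad attempts started and from which IP and logon process; and a Source Network Address that belongs to a VPN concentrator or RADIUS client, as with 192.168.100.3 in the posted event, means the bad password is being relayed from whatever is connecting through that device rather than sent by the device itself.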
Deorali commented:
Network Information:
           Source Network Address:      192.168.100.3

Account login failure is coming from IP 192.168.100.3. Check this machine. Either log off this user from this machine or shut it down temporarily and see if the account still gets locked out.
Dan, Network Engineer (author), commented:
That's not a PC, it's an internal network device.
Dan, Network Engineer (author), commented:
I did find a duplicate entry for the VPN, where there were two rules, so I thought that was the problem, but I deleted one of them, and the user is still being locked out, so that doesn't seem to be the issue.
Deorali commented:
Is the user on vacation using a domain-joined or workgroup laptop to connect to VPN? Can the user access the other resources on your network when connected to VPN?
Dan, Network Engineer (author), commented:
The laptop is on the domain; I created her user account on the laptop, then she uses VPN, and then RDP to access her PC. After she connects to VPN or RDP, within 30 seconds, it just locks her out.
Dan, Network Engineer (author), commented:
I think I found the problem. So the desktop PC on the domain has a Wi-Fi card, and that's connected to the internet, not sure on which network, but the PC is also hard wired on the network. Somehow it was creating a loop and locking out the account. It's been about 7 minutes now, and after disabling her Wi-Fi card, she logged in to VPN, and then RDP, and so far she has not been locked out yet.

This is great, I spent hours on this issue. Thank you so much for your input and assistance!
Dan, Network Engineer (author), commented:
I've requested that this question be closed as follows:

Accepted answer: 250 points for NRhode's comment #a41028946
Assisted answer: 250 points for Deorali's comment #a41029020
Assisted answer: 0 points for afacts's comment #a41029205

for the following reason:

Thanks guys again for your assistance.
Dan, Network Engineer (author), commented:
That didn't do the trick. The account is still locking out, but I noticed that it gets locked as soon as the user logs into VPN.
Dan, Network Engineer (author), commented:
That wasn't the problem as I previously thought.
Deorali commented:
You said that you reset the password for the user. Is the user using the new password to log in to the laptop? I am curious whether the new password is properly synced up with the laptop.
Dan, Network Engineer (author), commented:
I just unlocked the user. If I reset the password, I made it the same as the old one. I can't change the password because the user is offsite, and if I change it, it won't work until the laptop is back on the LAN.
Deorali commented:
There is a way to sync up the new password while the user is away and connected via VPN. Probably the password is not synced up properly.

Tell the user to do the following :

1. Log in to the computer with the existing password.

2. Fire up the VPN software and make sure the user is connected properly.

3. Once logged in, the user should press CTRL+ALT+DEL and choose the "Lock this computer" option, not "Log out" or "Sign out".

4. Press CTRL+ALT+DEL to unlock the computer. In the password box, let the user type the new or existing correct domain password, and the credentials will be synced up with the network.

5. Once everything is working fine, have the user reboot the laptop and connect to VPN.
Dan, Network Engineer (author), commented:
I will have her try it.
Dan, Network Engineer (author), commented:
That didn't help, still gets locked out.
Dan, Network Engineer (author), commented:
I figured out the problem. So the user account on the remote laptop was userA. That user was trying to log into her domain account, which is also userA. So somehow AD didn't like that, so it was always locking the user out.

I created a new user called userB on the laptop, a local user, not a domain user, and then unlocked the domain account, and it works fine now. Just in case anyone else has this issue.
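The fix the poster found fits a well-known pattern. The laptop session runs as a local account named userA with its own password; when the VPN or RDP client submits that name and password without a domain the DC recognises (the laptop's own name is not a trusted domain), the DC evaluates it against its own domain, where userA exists with a different password, and every such attempt counts toward the domain account's lockout threshold. The usual prevention is to give local accounts names that do not exist in the domain, or to type DOMAIN\userA explicitly wherever credentials are entered. The script below is an added example, not from the thread, that lists local accounts on a domain-joined machine whose names collide with a domain account and reports whether the current session is the local or the domain identity (the domain part of the SID settles it). It uses ADSI directly so it needs no RSAT module; the domain has to be reachable, which in the poster's setup means the VPN is up. Get-LocalDomainNameCollisions is a function name chosen for this example.

```powershell
# Added example, not from the thread: on a domain-joined machine, list local
# accounts whose name also exists in the domain, and say which of the two
# identities the current session is. Uses ADSI (no RSAT needed); the domain
# must be reachable, which in the thread means the VPN is connected.

# Local accounts only; LocalAccount=True excludes domain accounts cached here.
$localAccounts = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
                 Select-Object Name, SID, Disabled

# Searcher rooted at the naming context of the machine's own domain.
$rootDse  = [adsi]'LDAP://RootDSE'
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [adsi]"LDAP://$($rootDse.defaultNamingContext)"
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'objectSid', 'lockoutTime'))

function Get-LocalDomainNameCollisions {
    foreach ($acct in $localAccounts) {
        # LDAP filter values containing ( ) * \ would need escaping; Windows
        # account names cannot contain them, so the name is used as-is.
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$($acct.Name)))"
        $hit = $searcher.FindOne()
        if ($hit) {
            $sidBytes  = $hit.Properties['objectsid'][0]
            $domainSid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
            $lt        = $hit.Properties['lockouttime']
            [pscustomobject]@{
                Name              = $acct.Name
                LocalSid          = $acct.SID
                LocalDisabled     = $acct.Disabled
                DomainSid         = $domainSid.Value
                DomainLockoutTime = if ($lt.Count) { $lt[0] } else { 0 }   # FILETIME; 0 = not locked
            }
        }
    }
}

Get-LocalDomainNameCollisions | Format-Table -AutoSize

# Which identity is this session? Compare the domain part of the user's SID
# with the machine SID (any local account's SID with its trailing RID removed).
$me          = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$machineSid  = ($localAccounts | Select-Object -First 1).SID -replace '-\d+$', ''
$sessionKind = if ($me.User.AccountDomainSid.Value -eq $machineSid) { 'LOCAL account' } else { 'DOMAIN account' }
'{0} ({1}) is a {2}' -f $me.Name, $me.User.Value, $sessionKind
```

A non-empty collision table is not a problem by itself; it becomes one the moment any client on the machine sends the local password to the domain, which is why renaming the local account (as the poster did with userB) resolves it even though nothing in AD was wrong.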
Dan, Network Engineer (author), commented:
Thanks guys for your input, I really appreciate it.