Dan asked:

AD account keeps getting locked out

I have a user that, every time she logs in through RDP into her work desktop, gets locked out.
Her work PC is running Win 7 Pro. If I log into it using the user's account, it works fine; it doesn't lock the account.

The user is on vacation and has a laptop where she logged into that laptop with her user account.
After she connects via VPN, and then tries to RDP into her work desktop, within 30 seconds or so, it locks the user account.

I'm scratching my brain trying to figure out how to solve this issue.

Here's what I have done so far.
1. I have reset her password to a different password.
2. I made sure she does not have an email account on her smartphone or any other device.
3. I ran gpresult >c:file.txt (and I didn't see anything wrong that I can tell).
4. I used Netwrix Account Lockout Examiner, which helped a bit; it found scheduled tasks that could have been locking her out, so I deleted all the scheduled tasks. Besides that, everything else was fine.
5. I found under the user's account, under the attribute editor, that the attribute "lockoutTime" was a huge number, "130886540111017723". I looked at a few other accounts, and the value was 0, so I changed it to 0, but after the account got locked again, it changed the zero back to the same number.

I'm not sure what else to do, any assistance would be greatly appreciated.
(attachment: LockoutTime.png)
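An added example, not code from the thread, of the checks a practitioner would run against the symptoms described above. It decodes lockoutTime, which is a Windows FILETIME rather than an arbitrary counter (the value in the question, 130886540111017723, is 2015-10-07 01:13:31 UTC, and the DC rewrites it on each new lockout, which is why zeroing it did not stick), reads badPwdCount from every DC because that attribute is not replicated, and pulls event 4740 from the PDC emulator, whose "Caller Computer Name" field names the machine that submitted the bad credential. It assumes the ActiveDirectory RSAT module and rights to read each DC's Security log; the account name is a placeholder.

```powershell
# Added example (not from the Experts Exchange thread): locate the source of an
# AD account lockout. Assumes the ActiveDirectory RSAT module and rights to read
# the Security log on each domain controller. The account name is a placeholder.
Import-Module ActiveDirectory

$User = 'userA'   # placeholder: the locked-out sAMAccountName

# 1. lockoutTime (and badPasswordTime) are FILETIMEs: 100-ns ticks since
#    1601-01-01 UTC. Decode them instead of zeroing them; 0 means "not locked".
#    The value from the question, 130886540111017723, decodes to 2015-10-07 01:13:31 UTC.
function ConvertFrom-FileTimeUtc {
    param([long]$FileTime = 0)
    if ($FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

$acct = Get-ADUser -Identity $User -Properties lockoutTime, LockedOut
[pscustomobject]@{
    Account      = $acct.SamAccountName
    LockedOut    = $acct.LockedOut
    LockedOutUtc = ConvertFrom-FileTimeUtc $acct.lockoutTime
} | Format-List

# 2. badPwdCount and badPasswordTime are NOT replicated: each DC keeps its own
#    copy, so ask every DC to see which one is absorbing the bad passwords.
Get-ADDomainController -Filter * | ForEach-Object {
    $u = Get-ADUser -Identity $User -Server $_.HostName -Properties badPwdCount, badPasswordTime
    [pscustomobject]@{
        DC            = $_.HostName
        BadPwdCount   = $u.badPwdCount
        LastBadPwdUtc = ConvertFrom-FileTimeUtc $u.badPasswordTime
    }
} | Format-Table -AutoSize

# 3. Every lockout is forwarded to the PDC emulator, which logs event 4740.
#    In 4740 the TargetDomainName data field carries the "Caller Computer Name",
#    i.e. the machine that sent the bad password: the thing you actually need.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 200 |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = [string]$n.'#text' }
        if ($d.TargetUserName -eq $User) {
            [pscustomobject]@{
                TimeUtc        = $_.TimeCreated.ToUniversalTime()
                Account        = $d.TargetUserName
                CallerComputer = $d.TargetDomainName
            }
        }
    } | Format-Table -AutoSize
```

The per-DC loop matters when the domain has more than one site: the DC nearest the VPN concentrator or the RDP target may be the only one with a non-zero badPwdCount, and its Security log (event 4771/4776 for the failed attempts themselves) is where the next level of detail lives.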
ASKER CERTIFIED SOLUTION
Nick Rhode

Dan (asker):
Thanks for the comment. I just checked, and there's nothing: under Windows Credentials, Certificate-Based Credentials and Generic Credentials, there are no credentials.
SOLUTION

SOLUTION

Dan (asker):
I found this warning, so I'm not sure if this has anything to do with it, but I've never seen this before:
During the past 4.23 hours there have been 346 connections to this Domain Controller from client machines whose IP addresses don't map to any of the existing sites in the enterprise. Those clients, therefore, have undefined sites and may connect to any Domain Controller including those that are in far distant locations from the clients. A client's site is determined by the mapping of its subnet to one of the existing sites. To move the above clients to one of the sites, please consider creating subnet object(s) covering the above IP addresses with mapping to one of the existing sites.  The names and IP addresses of the clients in question have been logged on this computer in the following log file '%SystemRoot%\debug\netlogon.log' and, potentially, in the log file '%SystemRoot%\debug\netlogon.bak' created if the former log becomes full. The log(s) may contain additional unrelated debugging information. To filter out the needed information, please search for lines which contain text 'NO_CLIENT_SITE:'. The first word after this string is the client name and the second word is the client IP address. The maximum size of the log(s) is controlled by the following registry DWORD value 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\LogFileMaxSize'; the default is 20000000 bytes.  The current maximum size is 20000000 bytes.  To set a different maximum size, create the above registry value and set the desired maximum size in bytes.

Looks like this error shows up every four and a half hours or so.

I did find this on one of my DCs, but it doesn't tell me why it happened.

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          10/6/2015 6:17:20 PM
Event ID:      4625
Task Category: Account Lockout
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      DC2.domain.org
Description:
An account failed to log on.

Subject:
      Security ID:            SYSTEM
      Account Name:            DC2$
      Account Domain:            domain
      Logon ID:            0x3E7

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            userA
      Account Domain:            domain

Failure Information:
      Failure Reason:            Account locked out.
      Status:                  0xC0000234
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x234
      Caller Process Name:      C:\Windows\System32\lsass.exe

Network Information:
      Workstation Name:      DC2
      Source Network Address:      192.168.100.3
      Source Port:            31882

Detailed Authentication Information:
      Logon Process:            Advapi  
      Authentication Package:      MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
      Transited Services:      -
      Package Name (NTLM only):      -
      Key Length:            0

This event is generated when a logon request fails. It is generated on the computer where access was attempted.

The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

The Process Information fields indicate which account and process on the system requested the logon.

The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

The authentication information fields provide detailed information about this specific logon request.
      - Transited services indicate which intermediate services have participated in this logon request.
      - Package name indicates which sub-protocol was used among the NTLM protocols.
      - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>4625</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12546</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="2015-10-07T01:17:20.293676700Z" />
    <EventRecordID>131132669</EventRecordID>
    <Correlation />
    <Execution ProcessID="564" ThreadID="3420" />
    <Channel>Security</Channel>
    <Computer>DC2.domain.org</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-5-18</Data>
    <Data Name="SubjectUserName">DC2$</Data>
    <Data Name="SubjectDomainName">domain</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
    <Data Name="TargetUserSid">S-1-0-0</Data>
    <Data Name="TargetUserName">userA</Data>
    <Data Name="TargetDomainName">domain</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="FailureReason">%%2307</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">DC2</Data>
    <Data Name="TransmittedServices">-</Data>
    <Data Name="LmPackageName">-</Data>
    <Data Name="KeyLength">0</Data>
    <Data Name="ProcessId">0x234</Data>
    <Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data>
    <Data Name="IpAddress">192.168.100.3</Data>
    <Data Name="IpPort">31882</Data>
  </EventData>
</Event>
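The event above says only "Account locked out" in its description, but the Status and SubStatus fields, the logon type and the source address are what tell a defender where failures come from and why. As an added example (not code from the thread), the following decodes a 4625 event from its XML and maps the NTSTATUS codes to their meaning; the embedded XML is an abbreviated copy of the event posted above, so it runs offline without touching a DC.

```powershell
# Added example (not from the Experts Exchange thread): decode a 4625 event from
# its XML. The XML below is the event posted in the thread, trimmed to the fields
# this parser uses; no live system is needed to run it.
$Event4625Xml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4625</EventID>
    <TimeCreated SystemTime="2015-10-07T01:17:20.293676700Z" />
    <Computer>DC2.domain.org</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">userA</Data>
    <Data Name="TargetDomainName">domain</Data>
    <Data Name="Status">0xc0000234</Data>
    <Data Name="SubStatus">0x0</Data>
    <Data Name="LogonType">3</Data>
    <Data Name="LogonProcessName">Advapi  </Data>
    <Data Name="AuthenticationPackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
    <Data Name="WorkstationName">DC2</Data>
    <Data Name="IpAddress">192.168.100.3</Data>
    <Data Name="IpPort">31882</Data>
  </EventData>
</Event>
'@

# NTSTATUS values that appear in the Status / SubStatus fields of event 4625.
$NtStatus = @{
    '0xc000006d' = 'Logon failure (see SubStatus for the cause)'
    '0xc000006a' = 'Wrong password'
    '0xc0000064' = 'User name does not exist'
    '0xc0000234' = 'Account locked out'
    '0xc0000072' = 'Account disabled'
    '0xc0000193' = 'Account expired'
    '0xc0000071' = 'Password expired'
    '0xc0000224' = 'User must change password at next logon'
    '0xc000006f' = 'Logon outside permitted hours'
    '0xc0000070' = 'Workstation restriction'
    '0xc000015b' = 'Logon type not granted on this machine'
}

$LogonType = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch'; '5' = 'Service'
                '7' = 'Unlock'; '8' = 'NetworkCleartext'; '9' = 'NewCredentials'
                '10' = 'RemoteInteractive (RDP)'; '11' = 'CachedInteractive' }

function ConvertFrom-LogonFailureXml {
    param([Parameter(Mandatory)][string]$Xml)
    $x = [xml]$Xml
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = ([string]$n.'#text').Trim() }
    $status = $d.Status.ToLower()
    $sub    = $d.SubStatus.ToLower()
    # The generic 0xC000006D only says "logon failed"; the real cause is in SubStatus.
    $reason = if ($status -eq '0xc000006d' -and $NtStatus[$sub]) { $NtStatus[$sub] }
              elseif ($NtStatus[$status]) { $NtStatus[$status] }
              else { "Unknown status $status / $sub" }
    [pscustomobject]@{
        TimeUtc     = [DateTime]::Parse($x.Event.System.TimeCreated.SystemTime).ToUniversalTime()
        Account     = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LoggedOn    = $x.Event.System.Computer
        LogonType   = "$($d.LogonType) ($($LogonType[$d.LogonType]))"
        Reason      = $reason
        SourceIp    = $d.IpAddress
        SourcePort  = $d.IpPort
        Workstation = $d.WorkstationName
        AuthPackage = $d.AuthenticationPackageName
    }
}

ConvertFrom-LogonFailureXml $Event4625Xml | Format-List
```

A 4625 with Status 0xC0000234 is a symptom, not the cause: it records an attempt made after the lockout already existed, four minutes after the lockoutTime quoted in the question. The attempts that consumed the bad-password threshold show up on the DCs as 4771 (Kerberos pre-authentication failure) or 4776 (NTLM) with a wrong-password status, and those are the ones whose source address identifies the offending client.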
Deorali:

Network Information:
           Source Network Address:      192.168.100.3

Account login failure is coming from IP 192.168.100.3. Check this machine. Either log off this user from this machine or shut it down temporarily and see if the account still gets locked out.
Dan (asker):
That's not a PC, it's an internal network device.
Dan (asker):
I did find a duplicate entry for the VPN, where there were two rules, so I thought that was the problem, but I deleted one of them and the user is still being locked out, so that doesn't seem to be the issue.

Is the user on vacation using a domain-joined or workgroup laptop to connect to the VPN? Can the user access the other resources on your network when connected to the VPN?
Dan (asker):

The laptop is on the domain. I created her user account on the laptop, then she uses VPN, and then RDP to access her PC. After she connects to VPN or RDP, within 30 seconds, it just locks her out.
Dan (asker):

I think I found the problem. The desktop PC on the domain has a wifi card, and that's connected to the internet, not sure on which network, but the PC is also hard wired on the network. Somehow it was creating a loop and locking out the account. It's been about 7 minutes now, and after disabling her wifi card, she logged in to VPN and then RDP, and so far she has not been locked out yet.

This is great, I spent hours on this issue. Thank you so much for your input and assistance!!!
Dan (asker):
I've requested that this question be closed as follows:

Accepted answer: 250 points for NRhode's comment #a41028946
Assisted answer: 250 points for Deorali's comment #a41029020
Assisted answer: 0 points for afacts's comment #a41029205

for the following reason:

Thanks guys again for your assistance.
Dan (asker):
That didn't do the trick. The account is still locking out, but I noticed that it gets locked as soon as the user logs into the VPN.
Dan (asker):
That wasn't the problem as I previously thought.
You said that you reset the password for the user. Is the user using the new password to log in to the laptop? I am curious whether the new password is properly synced up with the laptop.
Dan (asker):

I just unlocked the user. If I reset the password, I made it the same as the old one. I can't change the password because the user is offsite, and if I change it, it won't work until the laptop is back on the LAN.

There is a way to sync up the new password while the user is away and connected via VPN. Probably the password is not synced up properly.

Tell the user to do the following :

1. Log in to the computer with the existing password.

2. Fire up the VPN software and make sure the user is connected properly.

3. Once logged in, the user should press CTRL+ALT+DEL and choose the "Lock this computer" option, not "Log out" or "Sign out".

4. Press CTRL+ALT+DEL to unlock the computer. In the password box, have the user type the new or existing correct domain password, and the credentials will be synced up with the network.

5. Once everything is working fine, have the user reboot the laptop and connect to the VPN.
Dan (asker):
I will have her try it.
Dan (asker):

That didn't help, she still gets locked out.
Dan (asker):

I figured out the problem. The user account on the remote laptop was userA. That user was trying to log into her domain account, which is also userA. Somehow AD didn't like that, so it was always locking the user out.

I created a new user called userB on the laptop, a local user, not a domain user, and then unlocked the domain account, and it works fine now. Just in case anyone else has this issue.
Dan (asker):
Thanks guys for your input, really appreciated it.