AD 2003 - User AD account continues to get locked.

Hi Guys,

A user account continues to get locked. She changed her password recently but cant pin point what is causing the issue.
I have switched off her mobile, laptop and iPad but continues to lock.

The email notifications say that it comes from our F5 which load balances two CAS/HUB servers for exchange 2010.

this is a copy paste of the email:

Alert: ACCOUNT LOCKED
Source: DC.domain.com.au
Path:
Last modified by: System
Last modified time: 13/10/2015 11:53:12 AM Alert description: Event Description: User Account Locked Out:

      Target Account Name:       USERNAME

      Target Account ID:      DOMAIN\USERNAME

      Caller Machine Name:       F5 DNS name

      Caller User Name:      Domain Controller

      Caller Domain:      DOMAIN

      Caller Logon ID:      (0x0,0x3E7)

Thanks guys.
out2getyouAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Sekar ChinnakannuStaff EngineerCommented:
Try to get the MAC details for the device and fix the issue. Most of time it may be a wireless devices where cause the issue.
out2getyouAuthor Commented:
Hi,

How do I get the MAC address?
Sekar ChinnakannuStaff EngineerCommented:
Wireless team should have the details based on user id.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

WatawCommented:
Probably the user have login on other workstations and changed the password. Make sure he/she not login on other workstations.
Ganesamoorthy STech LeadCommented:
Check the Caller Machine Name from lockout event on Domain Controller and check the security and others logs why it uses the old password

Enable netlogon logs on Caller Machine and see logs @ lockout date and time to find the correct system causing the lockout

http://www.windowstricks.in/2009/07/account-lockout.html
James NewportCommented:
Is this just a PC network or is there any mac's on the network? Could be an old cached password, especially if you have a mac on network with the password stored in keychain
out2getyouAuthor Commented:
Hi Guys,

The caller machine name is pointing to the F5 IP / DNS name where it load balances both CAS/HUB servers. The exact mac address of the device that is locking it is what I need as I have checked her mobile, laptop, iPad. Not sure what else can be the cause. There are no Mac's on the network and she uses her home machine for web mail but it got whipped over the weekend so there shouldnt be anything on the home machine trying to authenticate.
Will SzymkowskiSenior Solution ArchitectCommented:
Use Active Direcotry Auditor by Lepide Software. This will be able to tell you exactly where the account is locking out on. You can download a 30 day trial at the link below...

http://www.lepide.com/lepideauditor/active-directory-auditing.html


Will.
out2getyouAuthor Commented:
Hi WIll,

I downloaded the trial and trying to run the setup.exe on a AD 2003 domain controller 32bit but its not even running.

Is this application on 64bit compatible?
Ganesamoorthy STech LeadCommented:
as i said earlier Just enable netlogon logging on both CAS/HUB servers and check the log (%windir%\debug\netlogon.log.) for lockout time, you may get the IP/System which is causing the lockout

https://support.microsoft.com/en-us/kb/109626
out2getyouAuthor Commented:
Hi Brain123422,

I have done what you have asked and its pointing to an IP address that is actually the F5 float IP.
Could the F5 be storing cached passwords?

An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            USERNAME
      Account Domain:            DOMAIN

Failure Information:
      Failure Reason:            Account locked out.
      Status:                  0xc0000234
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      F5 DNS NAME
      Source Network Address:      F5 FLOAT IP ADDRESS
      Source Port:            25823
Ganesamoorthy STech LeadCommented:
Is %windir%\debug\netlogon.log has the F5 float IP? on the lockout time with the user name
Then need get the logs from F5 to see the actual IP
out2getyouAuthor Commented:
Hi Guys, restarting a CAS/HUB box seemed to of fixed the issue. must of been cached somewhere with the old credentials. thanks for all your help!

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
out2getyouAuthor Commented:
thanks guys
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.