AD 2003 - User AD account continues to get locked.

Hi Guys,

A user account continues to get locked. She changed her password recently but I can't pinpoint what is causing the issue.
I have switched off her mobile, laptop and iPad but it continues to lock.

The email notifications say that it comes from our F5, which load balances two CAS/HUB servers for Exchange 2010.

This is a copy-paste of the email:

Alert: ACCOUNT LOCKED
Source: DC.domain.com.au
Path:
Last modified by: System
Last modified time: 13/10/2015 11:53:12 AM
Alert description: Event Description: User Account Locked Out:

      Target Account Name:       USERNAME

      Target Account ID:      DOMAIN\USERNAME

      Caller Machine Name:       F5 DNS name

      Caller User Name:      Domain Controller

      Caller Domain:      DOMAIN

      Caller Logon ID:      (0x0,0x3E7)

Thanks guys.
out2getyou Asked:

Sekar Chinnakannu, Staff Engineer, Commented:
Try to get the MAC details for the device and fix the issue. Most of the time it may be a wireless device that causes the issue.
0
out2getyou, Author, Commented:
Hi,

How do I get the MAC address?
0
Sekar Chinnakannu, Staff Engineer, Commented:
The wireless team should have the details based on user ID.
0
Wataw Commented:
Probably the user has logged in on other workstations and changed the password. Make sure he/she is not logged in on other workstations.
0
Ganesamoorthy S, Tech Lead, Commented:
Check the Caller Machine Name from the lockout event on the Domain Controller and check the security and other logs to see why it uses the old password.

Enable netlogon logs on the Caller Machine and see the logs at the lockout date and time to find the correct system causing the lockout.

http://www.windowstricks.in/2009/07/account-lockout.html
0
James Newport Commented:
Is this just a PC network or are there any Macs on the network? Could be an old cached password, especially if you have a Mac on the network with the password stored in Keychain.
0
out2getyou, Author, Commented:
Hi Guys,

The caller machine name is pointing to the F5 IP / DNS name where it load balances both CAS/HUB servers. The exact MAC address of the device that is locking it is what I need, as I have checked her mobile, laptop and iPad. Not sure what else can be the cause. There are no Macs on the network, and she uses her home machine for web mail, but it got wiped over the weekend so there shouldn't be anything on the home machine trying to authenticate.
0
Will Szymkowski, Senior Solution Architect, Commented:
Use Active Directory Auditor by Lepide Software. This will be able to tell you exactly where the account is locking out. You can download a 30-day trial at the link below...

http://www.lepide.com/lepideauditor/active-directory-auditing.html


Will.
0
out2getyou, Author, Commented:
Hi Will,

I downloaded the trial and am trying to run the setup.exe on an AD 2003 domain controller (32-bit) but it's not even running.

Is this application on 64bit compatible?
0
Ganesamoorthy S, Tech Lead, Commented:
As I said earlier, just enable netlogon logging on both CAS/HUB servers and check the log (%windir%\debug\netlogon.log) for the lockout time; you may get the IP/system which is causing the lockout.

https://support.microsoft.com/en-us/kb/109626
0
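Added example (not part of the original thread or any poster's code): a small Python parser for the netlogon.log check suggested in the answer above, counting one account's failed logons by source workstation and relaying server. The log lines are constructed samples in the usual Netlogon debug-log layout; the host names `F5-HOST`, `CAS01`, `CAS02` and the function names are assumptions.

```python
import re
from collections import Counter

# NTSTATUS codes that matter when chasing a lockout.
STATUS = {0xC000006A: "wrong password", 0xC0000234: "account locked out"}

# Completion line Netlogon writes for a pass-through logon. Newer Windows
# versions add "[pid]" and a domain prefix; forwarded requests add "(via X)".
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\](?: \[\d+\])? (?:\S+: )?"
    r"SamLogon: (?:Transitive )?\w+ logon of [^\\\s]+\\(?P<user>\S+) "
    r"from (?P<src>\S*?)(?: \(via (?P<via>[^)]+)\))? "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def failed_logons(lines, user):
    """Yield (timestamp, source, via, status) for failed logons of `user`."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["user"].lower() != user.lower():
            continue
        code = int(m["status"], 16)
        if code in STATUS:  # ignore successes and unrelated errors
            yield m["ts"], m["src"] or "(blank)", m["via"] or "-", code

def summarize(lines, user):
    """Count failures per (source, via, reason), most frequent first."""
    hits = Counter(
        (src, via, STATUS[code]) for _, src, via, code in failed_logons(lines, user)
    )
    return hits.most_common()

# Constructed sample lines (not taken from the thread).
SAMPLE = """\
10/13 11:52:58 [LOGON] SamLogon: Transitive Network logon of DOMAIN\\USERNAME from F5-HOST (via CAS01) Entered
10/13 11:52:58 [LOGON] SamLogon: Transitive Network logon of DOMAIN\\USERNAME from F5-HOST (via CAS01) Returns 0xC000006A
10/13 11:53:05 [LOGON] SamLogon: Transitive Network logon of DOMAIN\\USERNAME from F5-HOST (via CAS02) Returns 0xC000006A
10/13 11:53:09 [LOGON] SamLogon: Transitive Network logon of DOMAIN\\USERNAME from F5-HOST (via CAS01) Returns 0xC000006A
10/13 11:53:12 [LOGON] SamLogon: Transitive Network logon of DOMAIN\\USERNAME from F5-HOST (via CAS01) Returns 0xC0000234
10/13 11:53:20 [LOGON] SamLogon: Network logon of DOMAIN\\OTHERUSER from PC042 Returns 0x0
""".splitlines()

if __name__ == "__main__":
    for (src, via, reason), count in summarize(SAMPLE, "USERNAME"):
        print(f"{count:3d}  from={src:<10} via={via:<6} {reason}")
```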
out2getyou, Author, Commented:
Hi Brain123422,

I have done what you have asked and it's pointing to an IP address that is actually the F5 float IP.
Could the F5 be storing cached passwords?

An account failed to log on.

Subject:
      Security ID:            NULL SID
      Account Name:            -
      Account Domain:            -
      Logon ID:            0x0

Logon Type:                  3

Account For Which Logon Failed:
      Security ID:            NULL SID
      Account Name:            USERNAME
      Account Domain:            DOMAIN

Failure Information:
      Failure Reason:            Account locked out.
      Status:                  0xc0000234
      Sub Status:            0x0

Process Information:
      Caller Process ID:      0x0
      Caller Process Name:      -

Network Information:
      Workstation Name:      F5 DNS NAME
      Source Network Address:      F5 FLOAT IP ADDRESS
      Source Port:            25823
0
Ganesamoorthy S, Tech Lead, Commented:
Does %windir%\debug\netlogon.log have the F5 float IP at the lockout time with the user name?
Then you need to get the logs from the F5 to see the actual IP.
0
out2getyou, Author, Commented:
Hi Guys, restarting a CAS/HUB box seemed to have fixed the issue. It must have been cached somewhere with the old credentials. Thanks for all your help!
0

out2getyou, Author, Commented:
Thanks guys.
0