Solved

A domain user account constantly getting locked out.

Posted on 2016-08-11
Last Modified: 2016-09-26
Each day, a particular user constantly gets locked out of his computer. We always need to unlock his domain account to allow him to log in. I believe he has a session somewhere on another machine, where we need to log him out. This happened after he changed his domain password.

I use a lockout tool to trace the source:
2016-08-11_9-24-29.png
I then checked the DC security log, and the client address (highlighted) points to an Exchange server. However, the user would not have access to log into our server. So, I am thinking that maybe he needs to set his new password on a mobile device (cell phone). However, the user mentioned that he does not use email on his cell. I know the lockout is occurring somewhere within email, but cannot trace exactly where. Anything I can try to resolve this issue?
2016-08-11_9-25-50.png
0
Question by:joukiejouk
24 Comments
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752620
No smartphone...

Does it also mean that he is not using a Tablet (Active Sync), an (Outlook) Client from a PC or MAC?

If it does not appear with information from the user, you will need to check the IIS logs on the Exchange server that corresponds to the connection (Outlook Anywhere, Active Sync, EWS, etc).
0
 

Author Comment

by:joukiejouk
ID: 41752642
I am not an Exchange guy. I know enough to get by. We use Office365. Anything I can check there? The user does not use any mobile device. I was informed he usually logs into Office365 from home (and never signs out). Would that cause the issue? If this is the case, how would I sign him out of Office365? Again, I am not solid in Exchange/Email administration. Our Exchange admin is out on vacation.
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752654
The DC logs pointed to the unsuccessful authentication coming from an Exchange server... Was it a local server? Do you have a hybrid environment with O365 and on-premises Exchange servers?
0

 

Author Comment

by:joukiejouk
ID: 41752668
Yes, we have a hybrid environment (local Exchange server directing to O365).
0
 
LVL 14

Expert Comment

by:Schnell Solutions
ID: 41752674
Cool, so anyway, if the events are coming from the local server, we need to change the Exchange connection logs (IIS logs), and then check where the connections are coming from.
0
 

Author Comment

by:joukiejouk
ID: 41752701
So I checked IIS logs on the local AD SYNC server, and here is what I see for the user (those in bold text have been changed to hide our info).

2016-08-11 11:48:57 10.10.xx.xxx POST /autodiscover/autodiscover.xml &CorrelationID=<empty>;&ClientId=SNATDBH9DEYYFVNXIAUSQ&cafeReqId=c013a4ea-d44b-461b-afcb-120b9f9814da; 443 abc@testcorp.com 173.51.116.242 WindowsMail/17.5.9600.20911 - 401 1 1909 15


2016-08-11 16:47:10 10.10.xx.xxx POST /Autodiscover/Autodiscover.xml &CorrelationID=<empty>;&ClientId=DINEXRFO0KLKVNBWFG&cafeReqId=ec349c60-8ad3-467c-9936-4d8a824fa52e; 443 XYZ\abc 10.10.xx.xxx Microsoft+Office/12.0+(Windows+NT+6.1;+Microsoft+Office+Outlook+12.0.6743;+Pro) - 200 0 64 15


The 10.10.xx.xxx is our subnet. Not so sure about the 173.51.116.242. Does this help? What should I check next?
0
 
LVL 16

Assisted Solution

by:Dirk Mare
Dirk Mare earned 400 total points
ID: 41753564
On his workstation go to
Control Panel
User Accounts
on the left Manage your credentials

Remove or edit all credentials linked to outlook "MS.Outlook"

DirkMare
0
 
LVL 14

Assisted Solution

by:Schnell Solutions
Schnell Solutions earned 400 total points
ID: 41754076
That IP might correspond to the public IP that is used by the client to unsuccessfully connect to your Exchange.

It means that somewhere these logins are trying to complete. If it is a device of your user the password needs to be updated or the credential eliminated like 'Dirk mare' specified.

You also need to be aware, that if your mail services are published to the internet, and there is not a solution limiting these connections, it is possible that anyone knowing your web service URL and a user account of your domain can easily conduct a denial of service attack for that account... blocking it.
0
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41754813
You can use this freeware: https://www.netwrix.com/account_lockout_examiner.html 

To check the locked out account.
0
 

Author Comment

by:joukiejouk
ID: 41786459
Sorry, been out for a while (personal matter). The user is still experiencing the lockout. Last thing I tried was the below:

On his workstation go to
Control Panel
User Accounts
on the left Manage your credentials

Remove or edit all credentials linked to outlook "MS.Outlook"


I only edited his password to his newly changed domain password. He is still experiencing lockout issues. I think what I will try next is to remove credentials linked to Outlook "MS.Outlook".
0
 
LVL 16

Expert Comment

by:Dirk Mare
ID: 41786503
My original suggestion was to remove the stored credentials. Next time you open Outlook, remember to tick 'Remember password'.

DirkMare
0
 
LVL 8

Expert Comment

by:Senior IT System Engineer
ID: 41787138
Have you checked the other software which may cache the credentials like:

iTunes, iPhone and perhaps any other software which uses the AD authentication for Proxy connection?
0
 

Author Comment

by:joukiejouk
ID: 41788415
This user continues to get locked out, and when checking DC logs, the source of the lockout still points to the Sync server for Exchange. We have a hybrid environment with O365 and on-premises Exchange servers.

I tried removing all stored credentials in Credential Manager, and even went as far as recreating a new Windows profile for the user, but he continues to get locked out. This is annoying.
0
 

Author Comment

by:joukiejouk
ID: 41789997
Will recreating the AD account resolve the issue? Is there any other free tool that might help troubleshoot this? The only tool I've used so far is lockoutstatus.exe. Can I check anything in O365 EMC? Logs?
0
 
LVL 38

Expert Comment

by:Mahesh
ID: 41791561
Check on each domain controller for the latest security event ID 4740, which can tell you the source computer from where attempts were happening with the wrong password and the account is getting locked.

Then check all those computers for the presence of a wrong password, such as in services, scheduled tasks, any application, and possible virus infections if any.
1
 
LVL 44

Accepted Solution

by:
Amit earned 800 total points
ID: 41791568
If you are unable to find the source, the last option is to rename the SAM account name for this user. You don't need to create a new account.

Open user properties in AD, click on account tab, append any new digit or letter at the end of the name. Like change it from User to User1. Ask user to log off and login back with User1 again. Rest will be same for user.
1
 
LVL 62

Expert Comment

by:gheist
ID: 41791666
Windows 'run as service' stores clear password and makes guesses on password change.
0
 

Author Comment

by:joukiejouk
ID: 41791775
Mahesh,

I checked all DCs for Event 4740, and it still traces back to our AD Sync server. The user does not have access to RDP or log into that server.

Amit,

I want to try your method, but if I change the SAM account name, what would be impacted? His email is still using the current SAM account name. Will this impact his email access?
0
 
LVL 44

Expert Comment

by:Amit
ID: 41791784
Renaming will not cause any profile issue. The only thing that changes is that the user now needs to log in using User1.
0
 
LVL 38

Assisted Solution

by:Hypercat (Deb)
Hypercat (Deb) earned 400 total points
ID: 41791820
I didn't read this whole thread, but I've had experience with this issue at one of my clients.  The user was getting locked out and in her case she wasn't even using ActiveSync or any other mobile device.  I concluded that it was likely someone trying to use my client's email server to relay mail, possibly using a mobile device to connect, and was trying to use her user name to authenticate.  It was a little hazy and I had trouble tracking the activity. What I did to fix the issue was to change her login ID; IIRC I just added her middle initial (the original ID was first initial/last name).  I did NOT change her email address, and nothing else internally (roaming profile, folder redirection, etc., etc.) was affected.  This instantly fixed the issue. It seems that someone else earlier in the thread has suggested this, and I just wanted to chime in and say that it worked for me and I hope it does the same for you.
1
 
LVL 3

Expert Comment

by:Guillermo Feijóo
ID: 41792545
I've suffered similar issues and I always
import Exchange ActiveSync log files to an Excel sheet
order by username and find HTTP status codes 4xx
use a MAC vendor lookup web page to get the lockout source hardware vendor
punish the worker whose cell phone was "stolen" last year and his daughter is using today.

I'm sorry for my bad English
1
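
The log triage described in this thread (filter the Exchange server's IIS logs by user, keep the 4xx responses, and look at where they come from) can be scripted instead of done in a spreadsheet. The following is an added example, not part of any post above. It assumes the logs are in IIS W3C format with a `#Fields:` header; the log lines, IP addresses and function names are constructed for illustration.

```python
from collections import Counter

# Constructed sample in IIS W3C format; column order mirrors the lines quoted in the thread.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2016-08-11 11:48:57 10.10.0.5 POST /autodiscover/autodiscover.xml - 443 abc@testcorp.com 203.0.113.7 WindowsMail/17.5 - 401 1 1326 15
2016-08-11 11:49:02 10.10.0.5 POST /autodiscover/autodiscover.xml - 443 abc@testcorp.com 203.0.113.7 WindowsMail/17.5 - 401 1 1909 15
2016-08-11 12:01:10 10.10.0.5 POST /EWS/Exchange.asmx - 443 XYZ\abc 203.0.113.7 WindowsMail/17.5 - 401 1 1909 12
2016-08-11 16:47:10 10.10.0.5 POST /Autodiscover/Autodiscover.xml - 443 XYZ\abc 10.10.0.44 Microsoft+Office/12.0 - 200 0 64 15
2016-08-11 16:50:00 10.10.0.5 POST /Microsoft-Server-ActiveSync - 443 XYZ\other 198.51.100.9 Apple-iPhone - 401 1 1326 20
"""

# sc-win32-status values: 1326 = ERROR_LOGON_FAILURE, 1909 = ERROR_ACCOUNT_LOCKED_OUT
WIN32_HINTS = {"1326": "bad username or password", "1909": "account locked out"}

def normalize_user(name):
    """Reduce DOMAIN\\user and user@domain to a bare lowercase logon name."""
    name = name.lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def parse_w3c(text):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def failed_auth_sources(text, user):
    """Count 4xx responses for one user, grouped by client IP, user agent and win32 status."""
    hits = Counter()
    for row in parse_w3c(text):
        if normalize_user(row["cs-username"]) != normalize_user(user):
            continue
        if row["sc-status"].startswith("4"):
            hint = WIN32_HINTS.get(row["sc-win32-status"], row["sc-win32-status"])
            hits[(row["c-ip"], row["cs(User-Agent)"], hint)] += 1
    return hits.most_common()

if __name__ == "__main__":
    for (ip, agent, hint), count in failed_auth_sources(SAMPLE_LOG, "abc"):
        print(f"{count:3d}  {ip:15s}  {agent:20s}  {hint}")
```

The client IP and user agent of the failing requests identify the device or application still presenting the old password, which is the piece the DC's event 4740 does not show when the caller is the Exchange server itself.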
 
LVL 44

Expert Comment

by:Amit
ID: 41814835
Renaming user sam account name is the only option to resolve this issue.
0
 
LVL 30

Expert Comment

by:Thomas Zucker-Scharff
ID: 41814974
Don't forget to check user's windows credentials manager.
1
 

Author Closing Comment

by:joukiejouk
ID: 41816473
I had no choice but to rename the SAM account, which resolved the user's issue.
0


Question has a verified solution.
