<div>
No smartphone...<br />
<br />
Does it also mean that he is not using a Tablet (Active Sync), an (Outlook) Client from a PC or MAC?<br />
<br />
If it does not appear with information from the user, you will need to check the IIS logs on the Exchange server that corresponds to the connection (Outlook Anywhere, Active Sync, EWS, etc).
</div>


<div>
I am not an Exchange guy. I know enough to get by. We use Office365. Anything I can check there? The user does not use any mobile device. I was inform he usually log into Office365 from home &nbsp;(and never signed out), Would that cause the issue? If this is the case, how would I sign him out of Office365? Again. I am not solid in Exchange/Email administration. Our Exchange admin is out on vacation.
</div>


<div>
The DC logs pointed the unsuccessful authentication from an Exchange server... was it a local server? do you have an hybrid environment with O365 and On-primases exchange servers?
</div>


<div>
Yes, we have a hybrid environment (local Exchange server directing to O365).
</div>


<div>
cool, so anyway, if the events are coming from the local server. We need to change the exchange connection logs (IIS Logs), and then check from where the connections are coming from.
</div>


<div>
So I checked IIS logs on the local AD SYNC server, and here is what i see for the user (those in bold text has been changed to hide our info). <br />
<br />
2016-08-11 11:48:57 10.10.xx.xxx POST /autodiscover/autodiscover<wbr />.xml &amp;CorrelationID=&lt;empty&gt;;&amp;Cl<wbr />ientId=SNA<wbr />TDBH9DEYYF<wbr />VNXIAUSQ&amp;c<wbr />afeReqId=c<wbr />013a4ea-d4<wbr />4b-461b-af<wbr />cb-120b9f9<wbr />814da; 443<b> abc@testcorp.com</b> 173.51.116.242 WindowsMail/17.5.9600.2091<wbr />1 - 401 1 1909 15<br />
<br />
<br />
2016-08-11 16:47:10 10.10.xx.xxx POST /Autodiscover/Autodiscover<wbr />.xml &amp;CorrelationID=&lt;empty&gt;;&amp;Cl<wbr />ientId=DIN<wbr />EXRFO0KLKV<wbr />NBWFG&amp;cafe<wbr />ReqId=ec34<wbr />9c60-8ad3-<wbr />467c-9936-<wbr />4d8a824fa5<wbr />2e; 443 <b>XYZ\abc</b> <b>10.10.xx.xxx</b> Microsoft+Office/12.0+(Win<wbr />dows+NT+6.<wbr />1;+Microso<wbr />ft+Office+<wbr />Outlook+12<wbr />.0.6743;+P<wbr />ro) - 200 0 64 15<br />
<br />
<br />
The 10.10.xx.xxx is our subnet. Not so sure about the 173.51.116.242. Does this help? What should I check next?
</div>


<div>
You can use this freeware: <a href="https://www.netwrix.com/account_lockout_examiner.html" rel="ugc">https://www.netwrix.com/account_lockout_examiner.html</a>&nbsp;<br />
<br />
To check the locked out account.
</div>


<div>
Sorry, been out for a while (personal matter). The user is still experiencing the lock out. Last thing i tried was the below:<br />
<br />
<i>On his workstation go to<br />
Control Panel<br />
User Accounts<br />
on the left Manage your credentials<br />
<br />
Remove or <b>edit</b> all credentials linked to outlook &quot;MS.Outlook&quot;</i><br />
<br />
I only edit his password to his newly changed domain password. He is still experiencing lock out issues. I think what I will try next is to remove credentials linked to outlook &quot;MS.Outlook&quot;.
</div>


<div>
My original suggestion was to remove the stored credentials next time you open outlook remember to tick 'Remember password'<br />
<br />
DirkMare
</div>


<div>
Have you checked the other software which may cache the credentials like:<br />
<br />
iTunes, iPhone and perhaps any other software which uses the AD authentication for Proxy connection ?
</div>


<div>
This user continues to get locked out, and when checking DC logs, the source of the lock out still point to the Sync server for Exchange. We have a hybrid environment with 0365 and On-primases exchange servers.<br />
<br />
I tried removing all stored credentials in Credential Manager, and even gone as far as recreating a new Windows profile for the user, but he continues to get locked out. This is annoying.
</div>


<div>
Will recreating the AD account resolve the issue? Is there any other free tool that might help troubleshoot this? The only tool I've used so far is <b>lockoutstatus.exe</b>. Can I check anything in O365 EMC? Logs?
</div>


<div>
Check on each domain controller for latest security event ID 4740 which can tell you the source compter from where attempt were happening with wrong password and account is getting locked.<br />
<br />
Then check all those computers for presense of wrong password such as service, schedule tasks, any application and possible virus infections if any
</div>


<div>
Windos 'run as service; stores clear password and makes guesses on password change.
</div>


<div>
Mahesh, <br />
<br />
I checked all DC for Event 4740, and it still trace back to our AD Sync server. The user does not have access to RDP or log into that server. <br />
<br />
Amit,<br />
<br />
I want to try your method, but if I change the SAM account name, what would be impacted? His email is still using the current SAM account name. Will this impact his email access?
</div>


<div>
Renaming will not cause any profile issue. Only thing is change, user now need to login using User1.
</div>


<div>
i, ve suffered similar issues and I always<br />
import exchange activesync log files to an excel sheet<br />
order by username and find http status codes 4xx<br />
use a mac vendor lookup web page to get the lockout source hardware vendor<br />
punish the worker whom cell phone was &quot;stolen&quot; last year and his daughter is using today.<br />
<br />
im sorry fory bad english
</div>


<div>
Renaming user sam account name is the only option to resolve this issue.
</div>


<div>
Don't forget to check user's windows credentials manager.
</div>


<div>
I had no choice but to rename the SAM account, which resolved the user's issue.
</div>


<div>
I had a similar issue every time a particular user would connect to his Outlook after logging on, his account wouldn’t let him connect to his email. I could unlock his account and then he could connect to his email from then on until the next day. The error messages on the server pointed to the email system as the lockout cause. &nbsp;I renamed “JOHN” to “JOHN1” and the problem stopped. &nbsp;Then I renamed the account back to “JOHN” and it still works.
</div>


<div>
<div class="content wysiwyg-content">
Each day, a particular user constantly get locked out of his computer. We always need to unlock his domain account to allow him to log in. I believe he has a session somewhere on another machine, where we need to log him out. This happened after he changed his domain password. <br />
<br />
I use a lockout tool to trace the source:<br />
<a href="https://filedb.experts-exchange.com/incoming/2016/08_w33/1111141/2016-08-11_9-24-29.png" target="_blank" title="2016-08-11_9-24-29.png (90 KB)"><img alt="2016-08-11_9-24-29.png" class="file-block lazyload" style="max-width: 800px;" data-src="https://filedb.experts-exchange.com/incoming/2016/08_w33/800_1111141/2016-08-11_9-24-29.png" /></a><br />
I then check the DC security log, and the client address (highlighted) points to an Exchange server. However, the user would not have access to log into our server. So, I am thinking that maybe he needs to set his new password on a mobile device (cell phone). However, the user mention that he does not use email on his cell. I know the lock out is occuring somewhere within email, but cannot trace exactly where. Anything I can try to resolve this issue? <br />
<a href="https://filedb.experts-exchange.com/incoming/2016/08_w33/1111143/2016-08-11_9-25-50.png" target="_blank" title="2016-08-11_9-25-50.png (25 KB)"><img alt="2016-08-11_9-25-50.png" class="file-block lazyload" style="max-width: 629px;" data-src="https://filedb.experts-exchange.com/incoming/2016/08_w33/1111143/2016-08-11_9-25-50.png" /></a>
</div>
</div>


2016-08-11_9-25-50.png

2016-08-11_9-24-29.png

Each day, a particular user constantly get locked out of his computer. We always need to unlock his domain account to allow him to log in. I believe he has a session somewhere on another machine, where we need to log him out. This happened after he changed his domain password. 

I use a lockout tool to trace the source:


I then check the DC security log, and the client address (highlighted) points to an Exchange server. However, the user would not have access to log into our server. So, I am thinking that maybe he needs to set his new password on a mobile device (cell phone). However, the user mention that he does not use email on his cell. I know the lock out is occuring somewhere within email, but cannot trace exactly where. Anything I can try to resolve this issue? 


A domain user account constantly getting locked out.

Windows Server 2008 and Windows Server 2008 R2, based on the Microsoft Vista codebase, is the last 32-bit server operating system released by Microsoft. It has a number of versions, including including Foundation, Standard, Enterprise, Datacenter, Web, HPC Server, Itanium and Storage; new features included server core installation and Hyper-V.

Windows Server 2008

Active Directory (AD) is a Microsoft brand for identity-related capabilities. In the on-premises world, Windows Server AD provides a set of identity capabilities and services, and is hugely popular (88% of Fortune 1000 and 95% of enterprises use AD). This topic includes all things Active Directory including DNS, Group Policy, DFS, troubleshooting, ADFS, and all other topics under the Microsoft AD and identity umbrella.

Active Directory

Exchange is the server side of a collaborative application product that is part of the Microsoft Server infrastructure. Exchange's major features include email, calendaring, contacts and tasks, support for mobile and web-based access to information, and support for data storage.

Exchange

Within Internet message handling services (MHS), a message transfer agent or mail transfer agent (MTA) or mail relay is software that transfers electronic mail messages from one computer to another using a client–server application architecture. A MTA implements both the client (sending) and server (receiving) portions of the Simple Mail Transfer Protocol (SMTP). The terms mail server, mail exchanger, and MX host may also refer to a computer performing the MTA function. The Domain Name System (DNS) associates a mail server to a domain with mail exchanger (MX) resource records containing the domain name of a host providing MTA services.

Email Servers

Interactions between email servers and clients are governed by email protocols. The three most common email protocols are POP, IMAP and MAPI. Most email software operates under one of these (and many products support more than one).  The correct protocol must be selected, and correctly configured, if you want your email account to work.

Email Protocols

An email client, email reader or more formally mail user agent (MUA) is a computer program used to access and manage a user's email. A web application that provides message management, composition, and reception functions is sometimes also considered an email client, but more commonly referred to as webmail.

Internet / Email Software

An email client, email reader or more formally mail user agent (MUA) is a computer program in the category of groupware environments used to access and manage a user's email. A web application that provides message management, composition, and reception functions may internally act as an email client; as a whole, it is commonly referred to as webmail. Likewise, email client may be referred to a piece of computer hardware or software whose primary or most visible role is to work as an email client. Email clients can also have other systems, like calendars, notes and contact managers.

Email Clients

Email Software

The Microsoft Server topic includes all of the legacy versions of the operating system, including the Windows NT 3.1, NT 3.5, NT 4.0 and Windows 2000 and Windows Home Server versions.