how can I tell why a user account keeps getting locked out?

Xetroximyn
I have a user account that keeps getting locked out within a minute or so.... I think there is some saved password somewhere maybe or something.... is there a way I can tell on the DC from where the bad login attempts are coming?  Like what IP address?
John, Business Consultant (Owner)
Most Valuable Expert 2012
Expert of the Year 2018

Commented:
Look in Control Panel, Credential Manager on the machine for an extra account. Delete the account anyway in Credential Manager, shut down, start up, log in and test.
yo_bee, Director of Information Technology
Commented:
Use Account Lockout and Management Tools
https://www.microsoft.com/en-us/download/details.aspx?id=18465

This will see the time it happens and the event logs giving you some insight.

Look at the security logs and filter for audit failures.
You will see IP of the machine.

Sometimes the user could be logged into two computers and one has an aged account logged in.
There also could be a service or scheduled task that runs with this user.
It could also be someone trying to hack into your system via RDP. Have a look at Event Viewer on your server to see if there are failed Remote Access attempts.

As already mentioned, use the account lockout tool to find out where it is being locked out and check the event log. I bet they have drive mapping somewhere using their logon details.
Tech Lead
Commented:
These are possibilities for the lockout issue:
-Mapped network drives
-Logon scripts that map network drives
-RunAs shortcuts
-Accounts that are used for service account logons
-Processes on the client computers
-Programs that may pass user credentials to a centralized network program or middle-tier application layer
-Active sync devices (cell phone, etc.)

You can use LockoutStatus.exe, which is part of Account Lockout and Management Tools, to identify the domain controllers that are involved in locking out the user account.

If you have the audit account logon security policy enabled, then you can proceed to filter through the security log of the domain controller identified earlier for events related to the lockout of this account.

The event log will provide you the error code, which can help you identify the reason for the account lockout, and the source IP address/computer to help you identify which computer generates the invalid logon attempts.

Trace the source of a bad password and account lockout in AD: https://community.spiceworks.com/how_to/48758-trace-the-source-of-a-bad-password-and-account-lockout-in-ad

Identify the source of Account Lockouts in Active Directory: https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory

How To Resolve Active Directory Account Lockouts With PowerShell: http://www.tomsitpro.com/articles/powershell-active-directory-lockouts,2-848.html

Hope this helps!
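
The security-log filtering suggested in the answers above, as an added example that is not part of the original thread: it reads lockout and failed-authentication events for one account from every domain controller and reports the source computer or IP address. The account name `jdoe` and the 24-hour window are placeholders, and it assumes the RSAT ActiveDirectory module, account logon auditing enabled, and rights to read the Security log on the DCs.

```powershell
# Added example (not from the thread). $User and $Hours are placeholder inputs.
# Run elevated, with the RSAT ActiveDirectory module installed.
param(
    [string]$User  = 'jdoe',   # hypothetical sAMAccountName
    [int]   $Hours = 24
)

Import-Module ActiveDirectory

# Turn an event's <EventData> into a hashtable keyed by field name.
function ConvertTo-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

$since  = (Get-Date).AddHours(-$Hours)
# 4740 = account locked out, 4771 = Kerberos pre-authentication failed,
# 4776 = NTLM credential validation (Status 0x0 is a success, skipped below).
$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since }

$rows = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $e = $_
            $f = ConvertTo-EventFields $e
            if ($f.TargetUserName -ne $User) { return }
            if ($e.Id -eq 4776 -and $f.Status -eq '0x0') { return }
            # The field that names the source differs per event ID.
            $source = switch ($e.Id) {
                4740 { $f.TargetDomainName }   # caller computer name
                4771 { $f.IpAddress }          # client IP address
                4776 { $f.Workstation }        # source workstation
            }
            [pscustomobject]@{
                Time   = $e.TimeCreated
                DC     = $dc
                Id     = $e.Id
                Source = $source
                Status = $f.Status             # failure code; empty for 4740
            }
        }
}

$rows | Sort-Object Time | Format-Table -AutoSize
# Sources ranked by number of events, to spot the machine holding the stale password.
$rows | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
```

An unfamiliar or external address in the Source column points to password guessing rather than a stale saved credential.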
