Avatar of Donna H
Donna H
Flag for United States of America asked on

AD Account lockout

I have a user that is getting repeatedly locked out of his Active Directory account.  I have checked his mobile phone and removed and re-added the exchange account with the correct credentials.  I have run rundll32.exe keymgr.dll, KRShowKeyMgr --  and removed all cached credentials.  I have deleted the cached passwords from Internet Explorer.  I have checked for any mapped drives and I have removed and re-added the Outlook profile.  

I h ave also downloaded and ran the lockoutexaminer.  This shows the orig. lock as one of our domain controllers.  

I have checked the security event log on the DC for event  4740 and it shows the lockout and the caller computer name is our Exchange server.

The lockouts started happening after the last password change.  I also tried changing the password back to the original password,but that did not help either

The lockout appears to occur at regular 15 minute intervals.  

Is there anything else I can check to find the source of the account lockout?

Thanks
ExchangeActive DirectoryWindows Server 2008

Avatar of undefined
Last Comment
Donna H

8/22/2022 - Mon
Shaun Vermaak

Jeff Glover

Perhaps searching the IIS logs on your Exchange server will point you in the right direction.Perhaps he has an iPad or some other thing configured and forgot. I would search the logs for his logon name and see what is trying to use ActiveSync.
Donna H

ASKER
Thanks Shaun.

I ran the event comb but I didnt get any results.  I am checking the rest of the solutions in your article.
All of life is about relationships, and EE has made a viirtual community a real community. It lifts everyone's boat
William Peck
Donna H

ASKER
Thanks Jeff,

I will try checking the IIS logs on the Exchange server.
ASKER CERTIFIED SOLUTION
E A

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
GET A PERSONALIZED SOLUTION
Ask your own question & get feedback from real experts
Find out why thousands trust the EE community with their toughest problems.
SOLUTION
compdigit44

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
SOLUTION
Shaun Vermaak

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
SOLUTION
Jeff Glover

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
See Pricing Options
Start Free Trial
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
compdigit44

You could also try to install Network Monitor on your DC's unlock  the account then start the captures  as a last resort
Donna H

ASKER
Shaun,  I have enabled auditing on the client workstation and auditing is turned on for the DC and Exchange servers
⚡ FREE TRIAL OFFER
Try out a week of full access for free.
Find out why thousands trust the EE community with their toughest problems.
Donna H

ASKER
Compdigit,

ran psexec,  results showed Currently stored credentials as * NONE*