NIS_RULE
AD account lockout instantly for one user on some domain controller
So we have a very strange situation. One user's account is getting locked out continuously and instantly from the moment we unlock it. We have an event ID 4767 where the account was unlocked, then instantly an event 4740 where that account is locked out.
Doesn't say what locked it or why.
This is only happening on 3 out of 5 domain controllers. The other two domain controllers will show status unlocked until the next sync then it will show locked.
We have turned off all computers this user has ever touched, turned off his phone, iPad and anything else that would have ever had his account info on it.
It's still getting locked out on those 3 domain controllers.
Anyone seen this behavior before? Any suggestions on what could be causing it and how to resolve it?
We are on Windows 2012 R2 domain/forest functional level, 4 AD sites, the 3 DCs that are locking out instantly are spread out among 2 sites. The 2 DCs that are not locking out instantly are at the remaining sites.
All FSMO roles are on one of the DCs that locks out the account instantly.
Just to make sure, I am not referring to auditing. I am referring to NTLM logging.
No comment has been added to this question in more than 21 days, so it is now classified as abandoned.
I have recommended this question be closed as follows:
Split:
-- Ajit Singh (https:#a42343088)
-- John Tsioumpris (https:#a42336341)
-- Shaun Vermaak (https:#a42335991)
-- Steve McCarthy MCSE MCSA MCP x8 Network+ i-Net+ A+ CIWA CCNA FDLE FCIC HIPAA Security Officer (https:#a42336247)
If you feel this question should be closed differently, post an objection and the moderators will review all objections and close it as they feel fit. If no one objects, this question will be closed automatically the way described above.
Pber
Experts-Exchange Cleanup Volunteer
ASKER
Here's a sample of the logs from the DC. I changed the machine name and user name.
Log Name: Security
Source: Microsoft-Windows-Security
Date: 10/18/2017 4:12:59 PM
Event ID: 4767
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: DC1.Myschool.edu
Description:
A user account was unlocked.
Subject:
Security ID: Myschool\admin
Account Name: admin
Account Domain: Myschool
Logon ID: 0x8A1974
Target Account:
Security ID: Myschool\User1
Account Name: User1
Account Domain: Myschool
Log Name: Security
Source: Microsoft-Windows-Security
Date: 10/18/2017 4:12:59 PM
Event ID: 4740
Task Category: User Account Management
Level: Information
Keywords: Audit Success
User: N/A
Computer: DC1.Myschool.edu
Description:
A user account was locked out.
Subject:
Security ID: SYSTEM
Account Name: DC1$
Account Domain: Myschool
Logon ID: 0x3E7
Account That Was Locked Out:
Security ID: Myschool\User1
Account Name: User1
Additional Information:
Caller Computer Name: WORKSTATION
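Added example, not part of the original thread: a small parser for Security log text in the layout posted above that pairs each 4767 unlock with the next 4740 lockout on the same DC for the same account and reports the Caller Computer Name. The function names and the 5-second window are assumptions, the sample is constructed, and events are assumed to be listed oldest first.

```python
import re
from datetime import datetime
# Constructed sample in the layout of the export above, oldest event first.
SAMPLE = """Log Name: Security
Date: 10/18/2017 4:12:59 PM
Event ID: 4767
Computer: DC1.Myschool.edu
Target Account:
Account Name: User1
Log Name: Security
Date: 10/18/2017 4:12:59 PM
Event ID: 4740
Computer: DC1.Myschool.edu
Subject:
Account Name: DC1$
Account That Was Locked Out:
Account Name: User1
Caller Computer Name: WORKSTATION
"""
FIELD = re.compile(r"(?m)^\s*(Date|Event ID|Computer|Caller Computer Name):[ \t]*(.*?)\s*$")
# The target's "Account Name" is the one under these headers, not the Subject's.
TARGET = re.compile(r"(?:Target Account|Account That Was Locked Out):\s*"
                    r"(?:Security ID:.*\n\s*)?Account Name:[ \t]*(\S+)")

def parse_events(text):
    events = []
    for block in re.split(r"(?m)^(?=Log Name:)", text):  # one block per event
        ev = dict(FIELD.findall(block))
        target = TARGET.search(block)
        if "Event ID" in ev and target:
            ev["Target"] = target.group(1)
            ev["When"] = datetime.strptime(ev["Date"], "%m/%d/%Y %I:%M:%S %p")
            events.append(ev)
    return events

def instant_relocks(events, window=5):
    # (dc, account, seconds, caller) for each 4740 within `window` seconds of a 4767.
    hits, unlocked = [], {}
    for ev in events:
        key = (ev["Computer"], ev["Target"])
        if ev["Event ID"] == "4767":
            unlocked[key] = ev["When"]
        elif ev["Event ID"] == "4740" and key in unlocked:
            gap = (ev["When"] - unlocked.pop(key)).total_seconds()
            if 0 <= gap <= window:
                hits.append((*key, gap, ev.get("Caller Computer Name", "")))
    return hits

print(instant_relocks(parse_events(SAMPLE)))
```

Running it over exports from each of the five DCs shows which controllers record the immediate re-lock and which caller name each one logs.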