User locked out within seconds, found culprit machine now what?


I have a user that is being locked out on the domain within seconds of unlocking.
I used Netwrix Account Lockout Examiner and figured out which machine was the culprit. If I turn it off, no problems, the minute it comes back onto the network it locks the user. The machine is a remote test pc running windows 7 that he rdp's into here and there.

When I run an examination everything is "ok,nothing found" but "Examing Logon Sessions" shows this:
...Failed due to the following error: Access is denied. (Exception from HResult: 0x80070005 (E_ACCESSDENIED)

We changed his password on the domain and sync'd everything, removed all mapped drives, checked services logins, made sure there were no local logins, still no joy.

Any ideas?
Bill FrederickAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Edward PamiasTeam Lead RRS DeskCommented:
Check credential manager and remove anything that is there.
Are there any scheduled tasks running on the computer as well ?
Dustin SaundersDirector of OperationsCommented:
Check your security logs in event viewer.  Look for AUDIT FAILURE and see if you're getting a bunch of rogue login attempts.

If you are
1. change the RDP port or
2. update the firewall to only allow from certain IP addresses
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Bill FrederickAuthor Commented:
Thank you so much for all your comments :) I really appreciate it!
No scheduled tasks on this machine, and the credential manager has nothing in it as well. I'm checking the logs now.
Bill FrederickAuthor Commented:
Yes there a ton of audit failures, with credential violation and logon listed in the task category.
Dustin SaundersDirector of OperationsCommented:
Try locking out RDP, and unblock their account.  Should stop being blocked if that's the culprit.

Then you'll need to address the access to the computer as mentioned above (either firewall or try changing the port to something else like 3390 or some other random port).  You can change the port either on the machine itself or NAT to 3389 from a different port on your firewall.

Alternatively, you can only allow access from specific addresses as mentioned.
Bill FrederickAuthor Commented:
Spot on again, I turned off RDP services, no more lockouts :)
Dustin SaundersDirector of OperationsCommented:
Right on, so yeah looks like just a security tightening.

You can change the RDP port local on the machine as listed in this MS Guide

Then, say you changed it to port 63010 you can connect with <ipaddress>:63010 .

You can specify allowed connections with a rule in Windows Firewall or if you have a network firewall at the location.

You can also run the connection through a VPN tunnel rather than open to the web and connect via internal IP address if you have a BOVPN or SSLVPN option.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Bill FrederickAuthor Commented:
Awesome, thank you so so much! We have a Sonicwall here so I'll have to check on how to do all that but we are definitely heading in the right direction. Very cool!
Bill FrederickAuthor Commented:
Super quick to help me out and excellent knowledge, very much appreciated!
Dustin SaundersDirector of OperationsCommented:
No problem, happy to help.
Naveen SharmaCommented:
Good to see your issue has been resolved.

Additionally, an article for future reference what are the common root causes of account lockouts and how to resolve them:

Active Directory Locked Account Investigation Process:
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows OS

From novice to tech pro — start learning today.