Bill Frederick
User locked out within seconds, found culprit machine now what?

Hi,

I have a user that is being locked out on the domain within seconds of unlocking.
I used Netwrix Account Lockout Examiner and figured out which machine was the culprit. If I turn it off, no problems; the minute it comes back onto the network it locks the user. The machine is a remote test PC running Windows 7 that he RDPs into here and there.

When I run an examination everything is "ok, nothing found", but "Examining Logon Sessions" shows this:
...Failed due to the following error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

We changed his password on the domain and synced everything, removed all mapped drives, checked service logins, made sure there were no local logins, still no joy.

Any ideas?
Edward Pamias

Check credential manager and remove anything that is there.
Are there any scheduled tasks running on the computer as well?
Check your security logs in Event Viewer. Look for AUDIT FAILURE and see if you're getting a bunch of rogue login attempts.

If you are:
1. change the RDP port or
2. update the firewall to only allow from certain IP addresses
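One way to do the Security-log check above from PowerShell, as an added example that is not part of any post in this thread. It assumes the locked-out account is `jdoe` and a 24-hour window; both are placeholders to replace.

```powershell
# Added example (not from the thread): summarise failed logons (event 4625)
# and lockouts (event 4740) to see where the bad attempts come from.
# Run in an elevated PowerShell on the suspect machine; 4740 events are
# written on the PDC emulator, so run the last part there.
param(
    [string]$User  = 'jdoe',   # assumed account name, replace with the real one
    [int]   $Hours = 24        # assumed look-back window
)
$since = (Get-Date).AddHours(-$Hours)

# Turn an event's EventData payload into a name -> value hashtable.
function ConvertTo-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $x = [xml]$Event.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    return $d
}

# Failed logons on this machine: who, from where, and which logon type.
$failed = Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time        = $_.TimeCreated
            User        = $d['TargetUserName']
            LogonType   = $d['LogonType']       # 10 = RDP (RemoteInteractive), 3 = network
            Source      = $d['IpAddress']       # remote address, '-' for local attempts
            Workstation = $d['WorkstationName']
            Status      = $d['Status']          # 0xC000006A = bad password, 0xC0000234 = locked out
        }
    } | Where-Object { $_.User -ieq $User }

"Failed logons for $User since $since : $(@($failed).Count)"
$failed | Group-Object Source, LogonType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Lockout records name the computer that sent the bad credentials.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        [pscustomobject]@{
            Time     = $_.TimeCreated
            User     = $d['TargetUserName']
            CallerPC = $d['TargetDomainName']   # in 4740 this field is the caller computer name
        }
    } | Where-Object { $_.User -ieq $User } | Format-Table -AutoSize
```

A large count of logon type 10 failures from addresses you do not recognise points at exposed RDP, which is what the port-change or firewall-restriction advice above addresses.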
Bill Frederick

ASKER

Thank you so much for all your comments :) I really appreciate it!
No scheduled tasks on this machine, and the credential manager has nothing in it as well. I'm checking the logs now.
Yes, there are a ton of audit failures, with credential violation and logon listed in the task category.
Try locking out RDP, and unblock their account.  Should stop being blocked if that's the culprit.

Then you'll need to address the access to the computer as mentioned above (either firewall, or try changing the port to something else like 3390 or some other random port). You can change the port either on the machine itself or NAT to 3389 from a different port on your firewall.

Alternatively, you can only allow access from specific addresses as mentioned.
Spot on again, I turned off RDP services, no more lockouts :)
ASKER CERTIFIED SOLUTION
Dustin Saunders
Awesome, thank you so so much! We have a Sonicwall here so I'll have to check on how to do all that but we are definitely heading in the right direction. Very cool!
Super quick to help me out and excellent knowledge, very much appreciated!
No problem, happy to help.
Good to see your issue has been resolved.

Additionally, an article for future reference on the common root causes of account lockouts and how to resolve them: https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/

Active Directory Locked Account Investigation Process:
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html