• Status: Solved
  • Priority: High
  • Security: Public
  • Views: 81
  • Last Modified:

User locked out within seconds, found culprit machine now what?

Hi,

I have a user that is being locked out on the domain within seconds of unlocking.
I used Netwrix Account Lockout Examiner and figured out which machine was the culprit. If I turn it off, no problems; the minute it comes back onto the network it locks the user. The machine is a remote test PC running Windows 7 that he RDPs into here and there.

When I run an examination everything is "ok, nothing found", but "Examining Logon Sessions" shows this:
...Failed due to the following error: Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

We changed his password on the domain and synced everything, removed all mapped drives, checked service logins, made sure there were no local logins, still no joy.

Any ideas?
0
Asked by: Bill Frederick
1 Solution
 
Edward Pamias (Team Lead, RRS Desk) commented:
Check credential manager and remove anything that is there.
0
 
becraig commented:
Are there any scheduled tasks running on the computer as well ?
0
 
Dustin Saunders (Director of Operations) commented:
Check your security logs in Event Viewer. Look for AUDIT FAILURE and see if you're getting a bunch of rogue login attempts.

If you are
1. change the RDP port or
2. update the firewall to only allow from certain IP addresses
0
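The check Dustin describes, as an added example that is not part of the original thread: it pulls the Audit Failure logon events (Event ID 4625, "An account failed to log on") from the Security log of the suspect machine and summarises them by source IP and target account, so a brute-force against an internet-exposed RDP listener shows up as one or a few addresses hammering the same account name. It assumes PowerShell 3 or later (Windows 7 needs the Windows Management Framework update, or run it from an admin workstation with -ComputerName and the "Remote Event Log Management" firewall exceptions enabled) and an elevated session; the 24-hour window is an assumed default.

```powershell
# Added example (not from the original thread): summarise failed logons on the
# machine that is locking the account. Run elevated, PowerShell 3+ assumed.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # assumption: the culprit PC itself
    [int]$Hours = 24                             # assumed look-back window
)

$since = (Get-Date).AddHours(-$Hours)

# Event 4625 carries the source IP, target user, logon type and NTSTATUS
# sub-status. Logon type 10 = RemoteInteractive (classic RDP); type 3 = Network,
# which is how failures at the NLA/CredSSP stage are recorded.
$failed = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4625
    StartTime = $since
} -ErrorAction SilentlyContinue | ForEach-Object {
    # Parse the event XML so the fields come back by name instead of by position.
    $x = [xml]$_.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time        = $_.TimeCreated
        TargetUser  = "$($d.TargetDomainName)\$($d.TargetUserName)"
        LogonType   = $d.LogonType
        SourceIp    = $d.IpAddress          # may be '-' when the client never reached logon
        Workstation = $d.WorkstationName
        SubStatus   = $d.SubStatus          # 0xC000006A bad password, 0xC0000234 account locked
    }
}

# Group by source and account: a password spray or brute force stands out as a
# high attempt count from one source against one (or a short list of) name(s).
$summary = $failed | Group-Object SourceIp, TargetUser | ForEach-Object {
    $sorted = $_.Group | Sort-Object Time
    [pscustomobject]@{
        SourceIp   = $_.Group[0].SourceIp
        TargetUser = $_.Group[0].TargetUser
        Attempts   = $_.Count
        LogonTypes = ($_.Group | Select-Object -ExpandProperty LogonType | Sort-Object -Unique) -join ','
        SubStatus  = ($_.Group | Select-Object -ExpandProperty SubStatus  | Sort-Object -Unique) -join ','
        First      = $sorted[0].Time
        Last       = $sorted[-1].Time
    }
} | Sort-Object Attempts -Descending

$summary | Format-Table -AutoSize
```

If SourceIp is "-" for most rows, the attempts were rejected before the network address was recorded; the Windows Firewall log (pfirewall.log with logging of dropped and allowed connections enabled) or the perimeter firewall's connection log will still show who was knocking on 3389. A sub-status of 0xC0000234 against the same account confirms the lockout is being triggered from this host rather than merely observed on it.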

 
Bill Frederick (Author) commented:
Thank you so much for all your comments :) I really appreciate it!
No scheduled tasks on this machine, and the credential manager has nothing in it as well. I'm checking the logs now.
0
 
Bill Frederick (Author) commented:
Yes, there are a ton of audit failures, with credential violation and logon listed in the task category.
0
 
Dustin Saunders (Director of Operations) commented:
Try locking out RDP and unblocking their account. It should stop being blocked if that's the culprit.

Then you'll need to address the access to the computer as mentioned above (either firewall or try changing the port to something else like 3390 or some other random port).  You can change the port either on the machine itself or NAT to 3389 from a different port on your firewall.

Alternatively, you can only allow access from specific addresses as mentioned.
0
 
Bill Frederick (Author) commented:
Spot on again. I turned off RDP services, no more lockouts :)
0
 
Dustin Saunders (Director of Operations) commented:
Right on, so yeah, it looks like just a security tightening.

You can change the RDP port locally on the machine as listed in this MS guide:
https://support.microsoft.com/en-us/help/306759/how-to-change-the-listening-port-for-remote-desktop

Then, say you changed it to port 63010 you can connect with <ipaddress>:63010 .

You can specify allowed connections with a rule in Windows Firewall or if you have a network firewall at the location.

You can also run the connection through a VPN tunnel rather than open to the web and connect via internal IP address if you have a BOVPN or SSLVPN option.
0
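The hardening steps from Dustin's two comments, collected into one script as an added example that is not part of the original thread: stop the bleeding the way the author did (disable Remote Desktop), move the listener to the example port 63010 from the thread, require Network Level Authentication so credentials are validated before a session is built, and scope the host firewall so only the administrator's addresses can reach the new port. It assumes an elevated PowerShell session on the Windows 7 machine; the allowed source addresses are placeholders from the TEST-NET documentation ranges, and netsh advfirewall is used because the NetSecurity cmdlets (New-NetFirewallRule) do not exist on Windows 7.

```powershell
# Added example (not from the original thread): tighten the exposed RDP listener.
# Run elevated on the Windows 7 machine. Values below are illustrative assumptions.
$NewPort      = 63010                                  # example port used in the thread
$AllowedHosts = @('203.0.113.10', '198.51.100.0/24')   # assumed admin sources (TEST-NET ranges)

$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$rdpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Emergency stop, as the author did: fDenyTSConnections=1 refuses all RDP connections.
function Disable-Rdp { Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 1 -Type DWord }
function Enable-Rdp  { Set-ItemProperty -Path $tsKey -Name fDenyTSConnections -Value 0 -Type DWord }

# 2. Move the listener off 3389. This is the same registry value the linked MS KB
#    edits by hand; Remote Desktop Services must restart (a reboot is simplest).
function Set-RdpPort([int]$Port) {
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $Port -Type DWord
}

# 3. Require Network Level Authentication (UserAuthentication=1). Clients must
#    authenticate before a session is created, which cuts off the anonymous
#    logon-screen hammering. Supported on Windows 7.
function Enable-RdpNla {
    Set-ItemProperty -Path $rdpKey -Name UserAuthentication -Value 1 -Type DWord
}

# 4. Host firewall: allow the new port only from the admin addresses. No explicit
#    block rule is added because in Windows Firewall a block rule beats every allow
#    rule; instead rely on the default inbound action (block) and turn off the
#    built-in "Remote Desktop" rule group that opens 3389 from anywhere.
function Set-RdpFirewall([int]$Port, [string[]]$Allowed) {
    $list = $Allowed -join ','
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
    netsh advfirewall firewall set rule group="Remote Desktop" new enable=No | Out-Null
    # Delete any previous copy of our rule so re-running the script is idempotent.
    netsh advfirewall firewall delete rule name="RDP $Port allow-list" | Out-Null
    netsh advfirewall firewall add rule name="RDP $Port allow-list" dir=in action=allow `
        protocol=TCP localport=$Port remoteip=$list
}

# Apply in order: lock the door, change the port, require NLA, scope the
# firewall, then re-enable RDP. Reboot afterwards for the new port to take effect.
Disable-Rdp
Set-RdpPort $NewPort
Enable-RdpNla
Set-RdpFirewall -Port $NewPort -Allowed $AllowedHosts
Enable-Rdp
```

Two caveats a practitioner would add: a non-standard port only reduces noise from the laziest scanners (port scanners and search engines like Shodan still find the listener), so the source-address restriction or the VPN Dustin mentions is the control that actually matters; and if the SonicWall publishes the machine with a NAT rule, the same source restriction belongs on that NAT/access rule at the perimeter, with the host firewall as defence in depth rather than the only gate.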
 
Bill Frederick (Author) commented:
Awesome, thank you so so much! We have a SonicWall here so I'll have to check on how to do all that, but we are definitely heading in the right direction. Very cool!
0
 
Bill Frederick (Author) commented:
Super quick to help me out and excellent knowledge, very much appreciated!
1
 
Dustin Saunders (Director of Operations) commented:
No problem, happy to help.
0
 
Naveen Sharma commented:
Good to see your issue has been resolved.

Additionally, an article for future reference on the common root causes of account lockouts and how to resolve them: https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/

Active Directory Locked Account Investigation Process:
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
0