User account is getting locked out.

I have a user that keeps getting locked out of AD, even if I reset the password or unlock it.

System:
- Event ID: 12294  - Source: Directory-Services-SAM


Security:
- Event ID: 4740   - Source: Microsoft Windows security auditing.
MD Johnson Asked:
Edward van Biljon, Messaging and Collaboration Technical Lead (Exchange MVP), Commented:
Hi

It can be a device with an email client or credentials in Credential Manager that is locking it.
0
masnrock Commented:
Have you been looking at where the attempts that lead to the locking are coming from? Edward has mentioned some valid possibilities.
0
Thomas Zucker-Scharff, Solution Guide, Commented:
Yes. I have seen this too many times. The user has their phone or a pad set to check email and when the AD password is changed the device tries to check the email with the old creds, locking the account after x tries. Phones and pads need to be put in airplane mode or have the email account deleted prior to changing a password in AD.
0
MD Johnson, Author, Commented:
This lockout attempt is coming from a computer, not from an email.
0
MD Johnson, Author, Commented:
Credential Manager has no passwords in it at all.
0
masnrock Commented:
> This lockout attempt is coming from a computer, not from an email.

Is it definitely the computer that you're working on, or is there a possibility of it being a different one? And are credentials that are not current stored in any program on said computer? Or even in a software application?

As others have cited, check any mobile devices the user has anyway.
0
Don, Network Administrator, Commented:
Check if the culprit got saved to the 'System' account.

https://btburnett.com/2014/05/windows-domain-account-lockout-mystery.html
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
Before going into other details, please go through my Account Lockout Investigation process:
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
0
MD Johnson, Author, Commented:
Does anyone else have an answer?
0
David Johnson, CD, MVP, Owner, Commented:
Anything in Task Scheduler or services using the user account?
0
Mitul Prajapati, IT Supervisor, Commented:
Hi,

Open Event Viewer on your server, go to Windows Logs --> Security and check for event ID 4776.

Go to Details --> XML View and check the username and the computer.

If you find any unknown user or computer here, it might be an external brute-force attack. I think you need to tighten the security of your firewall.

Good Luck.
0
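The check described in the answer above, scripted as an added PowerShell example (not part of the original thread): it reads event 4776 XML, extracts the same fields shown in XML View, and counts failed validations per user, workstation and status. The user and host names in the sample are constructed, and the function name is hypothetical.

```powershell
function Get-Failed4776Summary {
    param([Parameter(Mandatory)][string[]]$EventXml)
    # NTSTATUS codes commonly seen in the Status field of failed 4776 events.
    $meaning = @{
        '0xc000006a' = 'wrong password'
        '0xc0000234' = 'account locked out'
        '0xc0000064' = 'no such user'
    }
    $failures = foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        if ($evt.System['EventID'].InnerText -ne '4776') { continue }
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data.Status -eq '0x0') { continue }   # successful validation
        [pscustomobject]@{
            User        = $data.TargetUserName
            Workstation = $data.Workstation
            Status      = $data.Status
        }
    }
    $failures | Group-Object User, Workstation, Status | ForEach-Object {
        $first = $_.Group[0]
        [pscustomobject]@{
            Count       = $_.Count
            User        = $first.User
            Workstation = $first.Workstation
            Status      = $first.Status
            Meaning     = $meaning["$($first.Status)"]
        }
    } | Sort-Object Count -Descending
}

# Constructed sample events; user and host names are hypothetical.
$template = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
    "<System><EventID>4776</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>{0}</Data><Data Name='Workstation'>{1}</Data>" +
    "<Data Name='Status'>{2}</Data></EventData></Event>"
$sample = @(
    $template -f 'jdoe', 'WS-FRONTDESK', '0xc000006a'
    $template -f 'jdoe', 'WS-FRONTDESK', '0xc000006a'
    $template -f 'jdoe', 'WS-FRONTDESK', '0xc0000234'
    $template -f 'jdoe', 'LAPTOP-042', '0x0'
)
Get-Failed4776Summary -EventXml $sample | Format-Table -AutoSize

# Live input on a domain controller (elevated session):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4776} -MaxEvents 500 |
#        ForEach-Object { $_.ToXml() }
# Get-Failed4776Summary -EventXml $xml
```

A workstation that dominates the wrong-password rows for the locked account is the machine to inspect for stored credentials, services, scheduled tasks and mapped drives.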
MiamiCo Commented:
It could be any application where AD credentials are used. For example, if you use proxy, anything connecting to the internet with AD credentials can be the reason (application updates etc.).
0
Ganesamoorthy S, Tech Lead, Commented:
Since you know the source of the lockout, just restart and check again. Somewhere on that system the old password is being used; you have to check applications/scheduled tasks/services/mapped drives and any other app that stored the old password. You can rebuild the system if you find it difficult to find and fix the issue.
0
Shaun Vermaak, Technical Specialist/Developer, Commented:
Did you try NetWrix Account Lockout Examiner from 4.1 in my article listed above?
0