bankadmin

User account locks out repeatedly on our network after password change

I have a user account that is locking out repeatedly every couple of mins. I was able to track it down to a server on our network attempting to authenticate with the user account. There isn't any reason why this should be happening. I went through every service on the server and the name is not associated with it in any way. It started when the account's password was changed. The logs don't give me much detail at all as to what service/process is trying to use that account. I have run Malwarebytes on it and a couple of reg settings were flagged and I removed them; our virus scans have not found anything either. Just to verify, I did shut the server down after hours and the account did not lock until I started the server backup, so it's only this one device. Any ideas of what else to look for?
Active Directory

Last Comment: bankadmin, 8/22/2022 - Mon
Mal Osborne

You COULD change the user name. Just add an x at the end or something. That would at least get them up and running again while you troubleshoot. With a different name, there will be no more lockouts.
bankadmin

ASKER
Thanks for the suggestion. I'm more concerned with what may be locking it.
Mal Osborne

Any scheduled tasks that have been set up to run under that user?
bankadmin

ASKER
I have also verified no scheduled tasks are assigned to the user.
John

I would triple check viruses and malware, but not likely given your first post.

"The account did not lock until I started the server backup so it's only this one device."

That would point to a damaged user profile and I would just replace it.
Mal Osborne

How about a search of the registry and file system for a text string corresponding to the user name? Would possibly take a while, but might uncover something.
bankadmin

ASKER
The user in question doesn't log on to this server; there is no folder with the username in c:\users. The user, however, does have an admin account and could have mistakenly used his user account for something, but I do not see anything in cred manager.
Mal Osborne

Credentials for a backup agent?
bankadmin

ASKER
No, that wouldn't be the case here.
Mal Osborne

Yeah, I would be trying to "brute force" with a registry and file system search for the user name. Chances seem pretty good that it will be there somewhere, maybe in a script, or .ini file or something.
Jess Dodson

While it's not showing in the standard credential manager, it might be hidden - worthwhile checking the SYSTEM account store credentials:
* Download the psexec tool (part of the sysinternals pstools suite) http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
* Run the below command, this should open up a new command window
psexec -i -s -d cmd.exe
* In that new command window run
rundll32 keymgr.dll,KRShowKeyMgr
* This will show the credentials stored by the SYSTEM account which may be what is locking other accounts out
John

I think it would be a lot easier simply to replace the user name
bankadmin

ASKER
Jess, I tried the commands. All went well until the last one and I got an error... Error in keymgr.dll Missing entry:KRShowkeymgr

John, you're right, it would be, but I need to find out what is causing this in case it's a threat.
John

I am not certain it is a threat (could be). I think it just got damaged.
bankadmin

ASKER
Jess, sorry, it is case sensitive, I made a mistake... It did run and no entries in Stored User names and Passwords.
John

Some server setups seem to be case sensitive. Not supposed to be, though.
bankadmin

ASKER
I did a registry search and the only thing that popped was an entry for our antivirus SMTP setup for email notifications. I removed it and rebooted; the account is still locking. I also searched the local drives and nothing found related to the username.
bankadmin

ASKER
I take that back, one thing was found related to the name in C:\programdata\microsoft\user account pictures\domain+user.dat with 0KB in size. I removed it and rebooted... no change.
Shaun Vermaak

austin minor

Do you have any mobile devices that are connecting to your network using your network credentials?
Check your network drive mappings.
Cached email password can cause this as well.
Scheduled tasks, Services, application, etc..

https://www.experts-exchange.com/questions/29012626/AD-Account-lockout.html

http://expert-advice.org/active-directory/how-to-troubleshoot-account-lockout-in-active-directory/
bankadmin

ASKER
I did another test: I shut down the server that is locking out the account and I did not lock out during that 10 mins, then I booted it back up and I didn't log on to it, and I started getting locked out about 3-5 mins after it was at the ctrl+alt+delete screen. I still have not logged into the server, so I would think that would eliminate mappings as causing the issue.
We do have a mobile app that I use for emails and I have changed the password and that is working well until the account locks.
Email doesn't run on the server in question.
I have checked scheduled tasks, nothing associated with the user.
Services: I manually went through every one last night and the user is not associated with any.
Robert Retzer

Is the user logged on as a local user or on the domain? When unlocking the user's account in AD, is the same password associated with the email password? I.e., if you unlock a user's account on the server level, does that affect their login password for accessing their email? If so, if a user who is using an iPhone, for example, did not change their password on the secondary device, it could cause the account to lock out.
bankadmin

ASKER
It's domain, and yes, email is affected. The user changed the password in their phone app and it works until the server in question locks the account.
Robert Retzer

Go to the Control Panel, select Credential Manager and clear any of the credentials shown. Then restart the computer, have the user log in and launch Outlook; it should be asking for the login credentials. Something is stuck with the old password. That is causing the system to lock out. That is why I asked about the phone... accessing email. But you already said you had the user change the password on the phone.
bankadmin

ASKER
I got it down to it's something in SQL that is doing it. It's not the service because it runs
bankadmin

ASKER
My account was a configured account in SQL for logon permission, but I removed that last week while troubleshooting.
Ganesamoorthy S

bankadmin

ASKER
Thank you all for the posts, it has been resolved. It was a piece of software that runs on the server that I had logged onto with my local account. For some reason it held onto my creds and was trying to authenticate with them. The app is tied into SQL, which is why when I turned SQL off the lockouts stopped. We ended up bringing up process manager and comparing the lockout times to what was trying to run at the same time.
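
The comparison described in the resolution above (lockout times against what was running on the server) can also be made from the server's own Security log, which records the calling process for failed logons (event 4625) and explicit-credential logons (event 4648). This is an added example, not part of the original thread; it assumes logon auditing is enabled on the server and an elevated session, and the account name and lockout timestamps are constructed placeholders to be replaced with the 4740 times from the domain controller.

```powershell
# Added example: list authentication attempts logged on THIS server for one
# account, show the process behind each, and flag those close to a lockout.
param(
    [string]$UserName = 'jdoe',                          # placeholder account name
    [datetime[]]$LockoutTimes = @(                       # constructed sample values;
        '2024-01-15 09:14:05', '2024-01-15 09:18:41'),   # use real 4740 times from the DC
    [int]$WindowSeconds = 60,                            # how close counts as "near"
    [int]$HoursBack = 24
)

# 4625 = failed logon, 4648 = logon attempted using explicit credentials.
$filter = @{
    LogName   = 'Security'
    Id        = 4625, 4648
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $evt = $_

    # Turn the named <Data> elements of the event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['TargetUserName'] -ne $UserName) { return }   # skip other accounts

    # Signed distance in seconds to the closest lockout reported by the DC.
    $when = $evt.TimeCreated
    $nearest = $LockoutTimes |
        Sort-Object { [math]::Abs(($_ - $when).TotalSeconds) } |
        Select-Object -First 1
    $delta = if ($nearest) { [int]($nearest - $when).TotalSeconds } else { $null }

    [pscustomobject]@{
        Time          = $when
        EventId       = $evt.Id
        Process       = $data['ProcessName']     # path of the calling executable
        ProcessId     = $data['ProcessId']       # hex PID as logged
        LogonType     = $data['LogonType']       # present on 4625 only
        SecondsToLock = $delta
        NearLockout   = ($null -ne $delta -and [math]::Abs($delta) -le $WindowSeconds)
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Rows with `NearLockout` set to True name the executable to inspect for stored credentials.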