User account locks out repeatedly on our network after password change

I have a user account that is locking out repeatedly every couple of minutes. I was able to track it down to a server on our network attempting to authenticate with the user account. There isn't any reason why this should be happening. I went through every service on the server and the name is not associated with it in any way. It started when the account's password was changed. The logs don't give me much detail at all as to what service/process is trying to use that account. I have run Malwarebytes on it and a couple of reg settings were flagged and I removed them; our virus scans have not found anything either. Just to verify, I did shut the server down after hours and the account did not lock until I started the server back up, so it's only this one device. Any ideas of what else to look for?
bankadminAsked:

Mal OsborneAlpha GeekCommented:
You COULD change the user name. Just add an x at the end or something. That would at least get them up and running again while you troubleshoot. With a different name, there will be no more lockouts.
0
bankadminAuthor Commented:
Thanks for the suggestion. I'm more concerned with what may be locking it.
0
Mal OsborneAlpha GeekCommented:
Any scheduled tasks that have been set up to run under that user?
0
bankadminAuthor Commented:
I have also verified that no scheduled tasks are assigned to the user.
0
JohnBusiness Consultant (Owner)Commented:
I would triple check viruses and malware, but not likely given your first post.

"The account did not lock until I started the server backup so it's only this one device."

That would point to a damaged user profile and I would just replace it.
0
Mal OsborneAlpha GeekCommented:
How about a search of the registry and file system for a text string corresponding to the user name? Would possibly take a while,  but might uncover something.
0
bankadminAuthor Commented:
The user in question doesn't log on to this server; there is no folder with the username in c:\users. The user, however, does have an admin account and could have mistakenly used his user account for something, but I do not see anything in cred manager.
0
Mal OsborneAlpha GeekCommented:
Credentials for a backup agent?
0
bankadminAuthor Commented:
No, that wouldn't be the case here.
0
Mal OsborneAlpha GeekCommented:
Yeah, I would be trying to "brute force" with a registry and file system search for the user name. Chances seem pretty good that it will be there somewhere, maybe in a script, or .ini file or something.
0
Jess DodsonWindows System AdministratorCommented:
While it's not showing in the standard credential manager, it might be hidden - worthwhile checking the SYSTEM account stored credentials:
* Download the psexec tool (part of the sysinternals pstools suite) http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
* Run the below command, this should open up a new command window
psexec -i -s -d cmd.exe
* In that new command window run
rundll32 keymgr.dll,KRShowKeyMgr
* This will show the credentials stored by the SYSTEM account which may be what is locking other accounts out
0
JohnBusiness Consultant (Owner)Commented:
I think it would be a lot easier simply to replace the user name
0
bankadminAuthor Commented:
Jess, I tried the commands. All went well until the last one and I got an error... Error in keymgr.dll Missing entry:KRShowkeymgr

John, you're right, it would be, but I need to find out what is causing this in case it's a threat.
0
JohnBusiness Consultant (Owner)Commented:
I am not certain it is a threat (could be). I think it just got damaged.
0
bankadminAuthor Commented:
Jess, sorry, it is case sensitive, I made a mistake... It did run and there are no entries in Stored User Names and Passwords.
0
JohnBusiness Consultant (Owner)Commented:
Some server setups seem to be case sensitive. Not supposed to be, though.
0
bankadminAuthor Commented:
I did a registry search and the only thing that popped was an entry for our antivirus SMTP setup for email notifications. I removed it and rebooted; the account is still locking. I also searched the local drives and found nothing related to the username.
0
bankadminAuthor Commented:
I take that back, one thing was found related to the name: C:\programdata\microsoft\user account pictures\domain+user.dat, 0KB in size. I removed it and rebooted. No change.
0
Shaun VermaakTechnical Specialist/DeveloperCommented:
1
austin minorCommented:
Do you have any mobile devices that are connecting to your network using your network credentials?
Check your network drive mappings.
Cached email password can cause this as well.
Scheduled tasks, Services, application, etc..

https://www.experts-exchange.com/questions/29012626/AD-Account-lockout.html

http://expert-advice.org/active-directory/how-to-troubleshoot-account-lockout-in-active-directory/
0
bankadminAuthor Commented:
I did another test: I shut down the server that is locking out the account and I did not lock out during that 10 minutes. Then I booted it back up, and I didn't log on to it, and I started getting locked out about 3-5 minutes after it was at the Ctrl+Alt+Delete screen. I still have not logged into the server, so I would think that would eliminate mappings as causing the issue.
We do have a mobile app that I use for emails and I have changed the password, and that is working well until the account locks.
Email doesn't run on the server in question.
I have checked scheduled tasks: nothing associated with the user.
Services: I manually went through every one last night and the user is not associated with any.
0
web_trackerComputer Service TechnicianCommented:
Is the user logged on as a local user or on the domain? When unlocking the user's account in AD, is the same password associated with the email password? I.e., if you unlock a user's account on the server level, does that affect their login password for accessing their email? If so, if a user who is using an iPhone, for example, did not change their password on the secondary device, it could cause the account to lock out.
0
bankadminAuthor Commented:
It's domain, and yes, email is affected. The user changed the password in their phone app and it works until the server in question locks the account.
0
web_trackerComputer Service TechnicianCommented:
Go to the Control Panel, select Credential Manager and clear any of the credentials shown. Then restart the computer, have the user log in and launch Outlook; it should be asking for the login credentials. Something is stuck with the old password, and that is causing the system to lock out. That is why I asked about the phone accessing email. But you already said you had the user change the password on the phone.
0
bankadminAuthor Commented:
I got it down to it's something in SQL that is doing it. It's not the service because it runs
0
bankadminAuthor Commented:
My account was a configured account in SQL for logon permission, but I removed that last week while troubleshooting.
0
Ganesamoorthy STech LeadCommented:
0
bankadminAuthor Commented:
Thank you all for the posts, it has been resolved. It was a piece of software that runs on the server that I had logged onto with my local account; for some reason it held onto my creds and was trying to authenticate with them. The app is tied into SQL, which is why when I turned SQL off the lockouts stopped. We ended up bringing up process manager and comparing the lockout times to what was trying to run at the same time.
0
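The time correlation described in the resolution above can also be done from the Security event logs. This is an added example, not part of the original thread: it takes the lockout times (event 4740) from a domain controller and lists the failed logons (4625) and explicit-credential logon attempts (4648) for the same account on the suspect server in the minutes before each lockout. The account, DC and server names are placeholders, and it assumes logon auditing is enabled on the server.

```powershell
# Added example: the three names below are placeholders, replace with your own.
$Account = 'jdoe'    # locked-out account (sAMAccountName), placeholder
$DC      = 'DC01'    # domain controller that records the lockouts, placeholder
$Server  = 'APP01'   # server already identified as the lockout source, placeholder
$Window  = New-TimeSpan -Minutes 5

# Read one named field from the EventData section of an event record.
function Get-EventField {
    param($Record, [string]$Name)
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 1. Lockout times: event 4740 is written on the DC when the account locks.
$lockouts = Get-WinEvent -ComputerName $DC -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account }

# 2. On the suspect server, collect 4625 (failed logon) and 4648 (logon
#    attempted with explicit credentials) for that account before each lockout.
$hits = foreach ($l in $lockouts) {
    Get-WinEvent -ComputerName $Server -FilterHashtable @{
        LogName   = 'Security'; Id = 4625, 4648
        StartTime = ($l.TimeCreated - $Window); EndTime = $l.TimeCreated
    } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $Account } |
        ForEach-Object {
            [pscustomobject]@{
                Lockout   = $l.TimeCreated
                EventTime = $_.TimeCreated
                EventId   = $_.Id
                LogonType = Get-EventField $_ 'LogonType'   # empty for 4648
                Process   = Get-EventField $_ 'ProcessName'
            }
        }
}

# 3. A process that appears before every lockout is the one to inspect.
$hits | Group-Object Process | Sort-Object Count -Descending |
    Select-Object Count, Name
```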