bankadmin (asker):
User account locks out repeatedly on our network after password change

I have a user account that is locking out repeatedly every couple of minutes. I was able to track it down to a server on our network attempting to authenticate with the user account. There isn't any reason why this should be happening; I went through every service on the server and the name is not associated with it in any way. It started when the account's password was changed. The logs don't give me much detail at all as to what service/process is trying to use that account. I have run Malwarebytes on it and a couple of registry settings were flagged and I removed them; our virus scans have not found anything either. Just to verify, I did shut the server down after hours and the account did not lock until I started the server back up, so it's only this one device. Any ideas of what else to look for?
Mal Osborne:
You COULD change the user name. Just add an x at the end or something. That would at least get them up and running again while you troubleshoot. With a different name, there will be no more lockouts.
bankadmin (asker):
Thanks for the suggestion. I'm more concerned with what may be locking it.
Any scheduled tasks that have been set up to run under that user?
I have also verified that no scheduled tasks are assigned to the user.
I would triple check viruses and malware, but not likely given your first post.

The account did not lock until I started the server back up, so it's only this one device.

That would point to a damaged user profile and I would just replace it.
How about a search of the registry and file system for a text string corresponding to the user name? It would possibly take a while, but might uncover something.
The user in question doesn't log on to this server; there is no folder with the username in C:\Users. The user, however, does have an admin account and could have mistakenly used his user account for something, but I do not see anything in Credential Manager.
Credentials for a backup agent?
No, that wouldn't be the case here.
Yeah, I would be trying to "brute force" with a registry and file system search for the user name. Chances seem pretty good that it will be there somewhere, maybe in a script, or .ini file or something.
While it's not showing in the standard Credential Manager, it might be hidden. It's worthwhile checking the SYSTEM account's stored credentials:
* Download the psexec tool (part of the sysinternals pstools suite) http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
* Run the below command, this should open up a new command window
psexec -i -s -d cmd.exe
* In that new command window run
rundll32 keymgr.dll,KRShowKeyMgr
* This will show the credentials stored by the SYSTEM account which may be what is locking other accounts out
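An added example, not posted in the thread, that automates the sweep the last two replies describe (services, scheduled tasks, registry and file-system search for the user name) on the member server. The account name is a constructed sample; run it elevated on the server the lockout events point to.

```powershell
# Added example: find where a stale credential for one account can hide on a member server.
$User = 'jdoe'                                  # constructed sample; the sAMAccountName as it appears in AD
$Pattern = [regex]::Escape($User)

# 1. Services configured to run as the account (matches DOMAIN\user, user@domain, .\user)
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -match $Pattern } |
    Select-Object Name, StartName, State, PathName

# 2. Scheduled tasks whose principal is the account
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -match $Pattern } |
    Select-Object TaskName, TaskPath, State, @{n = 'RunAs'; e = { $_.Principal.UserId }}

# 3. Registry values under HKLM that contain the user name (slow on a large hive; that is expected)
Get-ChildItem -Path HKLM:\SOFTWARE, HKLM:\SYSTEM -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $key   = $_
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        foreach ($p in $props.PSObject.Properties) {
            # "$()" flattens multi-string values so they are searched too
            if ("$($p.Value)" -match $Pattern) {
                [pscustomobject]@{ Key = $key.Name; Value = $p.Name; Data = "$($p.Value)" }
            }
        }
    }

# 4. Config and script files under the usual application locations that embed the name
Get-ChildItem -Path 'C:\ProgramData', 'C:\Program Files', 'C:\Program Files (x86)' -Recurse `
    -Include *.ini, *.config, *.xml, *.bat, *.cmd, *.ps1, *.txt -ErrorAction SilentlyContinue |
    Select-String -Pattern $Pattern -List |
    Select-Object Path, LineNumber

# 5. The current user's vault only; the SYSTEM vault needs the psexec -s shell and
#    rundll32 keymgr.dll,KRShowKeyMgr steps from the reply above (the entry name is case sensitive).
cmdkey /list
```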
I think it would be a lot easier simply to replace the user name
Jess, I tried the commands; all went well until the last one and I got an error... Error in keymgr.dll Missing entry:KRShowkeymgr

John, you're right, it would be, but I need to find out what is causing this in case it's a threat.
I am not certain it is a threat (could be). I think it just got damaged.
Jess, sorry, it is case sensitive; I made a mistake... It did run, and there are no entries in Stored User Names and Passwords.
Some server setups seem to be case sensitive. Not supposed to be, though.
I did a registry search and the only thing that popped up was an entry for our antivirus SMTP setup for email notifications. I removed it and rebooted; the account is still locking. I also searched the local drives and nothing was found related to the username.
I take that back: one thing was found related to the name, C:\programdata\microsoft\user account pictures\domain+user.dat, 0 KB in size. I removed it and rebooted. No change.
austin minor:
Do you have any mobile devices that are connecting to your network using your network credentials?
Check your network drive mappings.
Cached email password can cause this as well.
Scheduled tasks, Services, application, etc..

https://www.experts-exchange.com/questions/29012626/AD-Account-lockout.html

http://expert-advice.org/active-directory/how-to-troubleshoot-account-lockout-in-active-directory/
I did another test: I shut down the server that is locking out the account, and it did not lock out during those 10 minutes. Then I booted it back up and did not log on to it, and I started getting locked out about 3-5 minutes after it was at the Ctrl+Alt+Delete screen. I still have not logged into the server, so I would think that would eliminate mappings as causing the issue.
We do have a mobile app that I use for email, and I have changed the password there; that is working well until the account locks.
Email doesn't run on the server in question.
I have checked scheduled tasks; nothing is associated with the user.
Services: I manually went through every one last night and the user is not associated with any.
Is the user logged on as a local user or on the domain? When unlocking the user's account in AD, is the same password associated with the email password? I.e., if you unlock a user's account at the server level, does that affect their login password for accessing their email? If so, and a user who is using an iPhone, for example, did not change their password on the secondary device, it could cause the account to lock out.
It's domain, and yes, email is affected. The user changed the password in their phone app and it works until the server in question locks the account.
Go to the Control Panel, select Credential Manager and clear any of the credentials shown. Then restart the computer, have the user log in and launch Outlook; it should ask for the login credentials. Something is stuck with the old password, and that is what is causing the system to lock out. That is why I asked about the phone accessing email. But you already said you had the user change the password on the phone.
I got it down to something in SQL that is doing it. It's not the service, because it runs.
My account was a configured account in SQL for logon permission, but I removed that last week while troubleshooting.
Thank you all for the posts; it has been resolved. It was a piece of software that runs on the server that I had logged onto with my local account; for some reason it held onto my creds and was trying to authenticate with them. The app is tied into SQL, which is why when I turned SQL off the lockouts stopped. We ended up bringing up Process Manager and comparing the lockout times to what was trying to run at the same time.
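An added example, not part of the thread, that does the final correlation step from the event logs instead of by hand: the lockout events on a domain controller name the computer sending bad passwords, and that computer's failed-logon events carry the calling process for local logon types. The user, DC name and time window are constructed sample values, and failure auditing for Logon must be enabled on the source server for 4625 to appear.

```powershell
# Added example: correlate account lockouts with the process presenting the stale credential.
$User  = 'jdoe'     # constructed sample sAMAccountName
$Dc    = 'DC01'     # constructed sample domain controller
$Since = (Get-Date).AddHours(-24)

function Get-EventField($Event, $Name) {
    # Pull one named EventData field out of the event's XML rendering
    $x = [xml]$Event.ToXml()
    ($x.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# Step 1 (on/against the DC): 4740 "A user account was locked out".
# In 4740 the Caller Computer Name is carried in the TargetDomainName field.
$lockouts = Get-WinEvent -ComputerName $Dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since } |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object {
        [pscustomobject]@{ Time = $_.TimeCreated; Source = Get-EventField $_ 'TargetDomainName' }
    }
$lockouts | Format-Table -AutoSize

# Step 2 (against the source server): 4625 failed logons for the account.
# ProcessName is filled for local logon types (2 interactive, 4 batch, 5 service,
# 8 network cleartext, 9 new credentials); network logons (3) usually show '-'.
$source = ($lockouts | Select-Object -First 1).Source
Get-WinEvent -ComputerName $source -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since } |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            LogonType = Get-EventField $_ 'LogonType'
            Process   = Get-EventField $_ 'ProcessName'
            Client    = Get-EventField $_ 'IpAddress'
            SubStatus = Get-EventField $_ 'SubStatus'   # 0xC000006A = wrong password
        }
    } |
    Group-Object LogonType, Process | Sort-Object Count -Descending |
    Select-Object Count, Name, @{n = 'Last'; e = { ($_.Group | Sort-Object Time)[-1].Time }} |
    Format-Table -AutoSize
```

The process that tops the 4625 grouping and whose timestamps line up with the 4740 times is the one still holding the old password; in this thread that was the SQL-backed application.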
Asker certified solution: bankadmin