We help IT Professionals succeed at work.

One user locked out over and over again.  Not typing in the wrong password.

113 Views
Last Modified: 2019-05-13
We have one user who keeps getting locked out of her account when trying to login to her computer.  She can come in at the start of her shift, and she is locked out on her first try.  The IT staff will unlock her, then a few hours later, we get a call from her that she is locked out again.  We have rebuilt her profile on the local machine, still have the problem.  We switched her to another machine, and she is still getting locked out.  Over that last few weeks, we have tried having her call us before she logs in to check if she is locked out before she logs in.  She is locked out and a few times, she isn't locked out, but then a few hours later, she is locked out.  Changed her password, locked out using the new password after one try.  I have also reinstalled Windows 10 and reinstalled all programs and files she needs on the off chance there is a program trying to login for her under an old password.  This also did not fix the problem.  We have checked event viewer and don't see under her username.  We have also tried logging in for her using her credentials while she is standing there, and she will be locked out.  This doesn't happen all of the time, but more likely than not it happens.  Any help would be greatly appreciated.
Comment
Watch Question

Michal ZiembaIT Administrator
CERTIFIED EXPERT

Commented:
I had some similar issues a long time ago.
Check out the mobile phone/iPad/tablet if it tries to sync her mailbox - maybe it still uses the old password.
If this wouldn't help I suggest to give a try of the ADAudit Plus by ManageEngine. There is a trial version and this should tell you from which host the user tries to log in when it is using the wrong password.
yo_beeDirector of Information Technology
CERTIFIED EXPERT

Commented:
Did she recently change her password?
Does she have a mobile device connected to Active sync?
When did this start happening? (Around he same time as password change)
Is she logged into another computer on the network that has an old cache password?

This is a good tool to use: https://www.microsoft.com/en-us/download/details.aspx?id=18465
Once you find the DC that has the event log in the security.  Open that Event Viewer and look for an failure event around that time stamp.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
i assume you scanned for virus and malware?  if not, use these :
1- update the AV - and run a full scan
2-then run these :ttp://www.malwarebytes.org/mbam.php                         MBAM
3-http://majorgeeks.com/RogueKiller_d6983.html                  Roguekiller
4-http://www.lavasoft.com/                              ADAWARE
5-http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/        JRT
Shaun VermaakSenior Consultant
CERTIFIED EXPERT
Awarded 2017
Distinguished Expert 2019

Commented:
Follow my Account Lockout Investigation Process. Let me know if you have any questions.
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
Start checking service, program, schedule task, etc..

Do you have mapped network drive?

Did you enable NTLM logging?

Follow this article to troubleshoot account lockout issue. Here is an informative article which can help you to find the cause and source of account lockout.

Author

Commented:
Do I put AD Audit Plus right on the Server or does it need to be ran from the local machine?  I only ask because we switched her from one laptop to another laptop and we are still having the issue.  

To answer some of the questions some of you have had.  She has changed her password a few times since we have started investigating this process.  I know this has been going on for some time now.  He have scanned her laptop and we don't see any virus or malware.  There isn't a smartphone/tablet that is using her account.  She only has the laptop.  Thank you for the help.
Director of Information Technology
CERTIFIED EXPERT
Commented:
This problem has been solved!
(Unlock this solution with a 7-day Free Trial)
UNLOCK SOLUTION