Juneaucounty
asked on
One user locked out over and over again. Not typing in the wrong password.
We have one user who keeps getting locked out of her account when trying to login to her computer. She can come in at the start of her shift, and she is locked out on her first try. The IT staff will unlock her, then a few hours later, we get a call from her that she is locked out again. We have rebuilt her profile on the local machine, still have the problem. We switched her to another machine, and she is still getting locked out. Over that last few weeks, we have tried having her call us before she logs in to check if she is locked out before she logs in. She is locked out and a few times, she isn't locked out, but then a few hours later, she is locked out. Changed her password, locked out using the new password after one try. I have also reinstalled Windows 10 and reinstalled all programs and files she needs on the off chance there is a program trying to login for her under an old password. This also did not fix the problem. We have checked event viewer and don't see under her username. We have also tried logging in for her using her credentials while she is standing there, and she will be locked out. This doesn't happen all of the time, but more likely than not it happens. Any help would be greatly appreciated.
Did she recently change her password?
Does she have a mobile device connected to Active sync?
When did this start happening? (Around he same time as password change)
Is she logged into another computer on the network that has an old cache password?
This is a good tool to use: https://www.microsoft.com/en-us/download/details.aspx?id=18465
Once you find the DC that has the event log in the security. Open that Event Viewer and look for an failure event around that time stamp.
Does she have a mobile device connected to Active sync?
When did this start happening? (Around he same time as password change)
Is she logged into another computer on the network that has an old cache password?
This is a good tool to use: https://www.microsoft.com/en-us/download/details.aspx?id=18465
Once you find the DC that has the event log in the security. Open that Event Viewer and look for an failure event around that time stamp.
i assume you scanned for virus and malware? if not, use these :
1- update the AV - and run a full scan
2-then run these :ttp://www.malwarebytes.org/mbam.php MBAM
3-http://majorgeeks.com/RogueKiller_d6983.html Roguekiller
4-http://www.lavasoft.com/ ADAWARE
5-http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/ JRT
1- update the AV - and run a full scan
2-then run these :ttp://www.malwarebytes.org/mbam.php MBAM
3-http://majorgeeks.com/RogueKiller_d6983.html Roguekiller
4-http://www.lavasoft.com/ ADAWARE
5-http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/ JRT
Follow my Account Lockout Investigation Process. Let me know if you have any questions.
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
ASKER
Do I put AD Audit Plus right on the Server or does it need to be ran from the local machine? I only ask because we switched her from one laptop to another laptop and we are still having the issue.
To answer some of the questions some of you have had. She has changed her password a few times since we have started investigating this process. I know this has been going on for some time now. He have scanned her laptop and we don't see any virus or malware. There isn't a smartphone/tablet that is using her account. She only has the laptop. Thank you for the help.
To answer some of the questions some of you have had. She has changed her password a few times since we have started investigating this process. I know this has been going on for some time now. He have scanned her laptop and we don't see any virus or malware. There isn't a smartphone/tablet that is using her account. She only has the laptop. Thank you for the help.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Check out the mobile phone/iPad/tablet if it tries to sync her mailbox - maybe it still uses the old password.
If this wouldn't help I suggest to give a try of the ADAudit Plus by ManageEngine. There is a trial version and this should tell you from which host the user tries to log in when it is using the wrong password.