Link to home
Create AccountLog in
Avatar of Juneaucounty
JuneaucountyFlag for United States of America

asked on

One user locked out over and over again. Not typing in the wrong password.

We have one user who keeps getting locked out of her account when trying to login to her computer.  She can come in at the start of her shift, and she is locked out on her first try.  The IT staff will unlock her, then a few hours later, we get a call from her that she is locked out again.  We have rebuilt her profile on the local machine, still have the problem.  We switched her to another machine, and she is still getting locked out.  Over that last few weeks, we have tried having her call us before she logs in to check if she is locked out before she logs in.  She is locked out and a few times, she isn't locked out, but then a few hours later, she is locked out.  Changed her password, locked out using the new password after one try.  I have also reinstalled Windows 10 and reinstalled all programs and files she needs on the off chance there is a program trying to login for her under an old password.  This also did not fix the problem.  We have checked event viewer and don't see under her username.  We have also tried logging in for her using her credentials while she is standing there, and she will be locked out.  This doesn't happen all of the time, but more likely than not it happens.  Any help would be greatly appreciated.
Avatar of Michal Ziemba
Michal Ziemba
Flag of Poland image

I had some similar issues a long time ago.
Check out the mobile phone/iPad/tablet if it tries to sync her mailbox - maybe it still uses the old password.
If this wouldn't help I suggest to give a try of the ADAudit Plus by ManageEngine. There is a trial version and this should tell you from which host the user tries to log in when it is using the wrong password.
Did she recently change her password?
Does she have a mobile device connected to Active sync?
When did this start happening? (Around he same time as password change)
Is she logged into another computer on the network that has an old cache password?

This is a good tool to use: https://www.microsoft.com/en-us/download/details.aspx?id=18465
Once you find the DC that has the event log in the security.  Open that Event Viewer and look for an failure event around that time stamp.
i assume you scanned for virus and malware?  if not, use these :
1- update the AV - and run a full scan
2-then run these :ttp://www.malwarebytes.org/mbam.php                         MBAM
3-http://majorgeeks.com/RogueKiller_d6983.html                  Roguekiller
4-http://www.lavasoft.com/                              ADAWARE
5-http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/        JRT
Follow my Account Lockout Investigation Process. Let me know if you have any questions.
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
Avatar of austin minor
austin minor

Start checking service, program, schedule task, etc..

Do you have mapped network drive?

Did you enable NTLM logging?

Follow this article to troubleshoot account lockout issue. Here is an informative article which can help you to find the cause and source of account lockout.
Avatar of Juneaucounty

ASKER

Do I put AD Audit Plus right on the Server or does it need to be ran from the local machine?  I only ask because we switched her from one laptop to another laptop and we are still having the issue.  

To answer some of the questions some of you have had.  She has changed her password a few times since we have started investigating this process.  I know this has been going on for some time now.  He have scanned her laptop and we don't see any virus or malware.  There isn't a smartphone/tablet that is using her account.  She only has the laptop.  Thank you for the help.
ASKER CERTIFIED SOLUTION
Avatar of yo_bee
yo_bee
Flag of United States of America image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account