One user locked out over and over again.  Not typing in the wrong password.

Juneaucounty
Juneaucounty used Ask the Experts™
on
We have one user who keeps getting locked out of her account when trying to login to her computer.  She can come in at the start of her shift, and she is locked out on her first try.  The IT staff will unlock her, then a few hours later, we get a call from her that she is locked out again.  We have rebuilt her profile on the local machine, still have the problem.  We switched her to another machine, and she is still getting locked out.  Over that last few weeks, we have tried having her call us before she logs in to check if she is locked out before she logs in.  She is locked out and a few times, she isn't locked out, but then a few hours later, she is locked out.  Changed her password, locked out using the new password after one try.  I have also reinstalled Windows 10 and reinstalled all programs and files she needs on the off chance there is a program trying to login for her under an old password.  This also did not fix the problem.  We have checked event viewer and don't see under her username.  We have also tried logging in for her using her credentials while she is standing there, and she will be locked out.  This doesn't happen all of the time, but more likely than not it happens.  Any help would be greatly appreciated.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Michal ZiembaIT Administrator

Commented:
I had some similar issues a long time ago.
Check out the mobile phone/iPad/tablet if it tries to sync her mailbox - maybe it still uses the old password.
If this wouldn't help I suggest to give a try of the ADAudit Plus by ManageEngine. There is a trial version and this should tell you from which host the user tries to log in when it is using the wrong password.
yo_beeDirector of Information Technology

Commented:
Did she recently change her password?
Does she have a mobile device connected to Active sync?
When did this start happening? (Around he same time as password change)
Is she logged into another computer on the network that has an old cache password?

This is a good tool to use: https://www.microsoft.com/en-us/download/details.aspx?id=18465
Once you find the DC that has the event log in the security.  Open that Event Viewer and look for an failure event around that time stamp.
Top Expert 2013

Commented:
i assume you scanned for virus and malware?  if not, use these :
1- update the AV - and run a full scan
2-then run these :ttp://www.malwarebytes.org/mbam.php                         MBAM
3-http://majorgeeks.com/RogueKiller_d6983.html                  Roguekiller
4-http://www.lavasoft.com/                              ADAWARE
5-http://www.bleepingcomputer.com/download/junkware-removal-tool/dl/131/        JRT
Ensure you’re charging the right price for your IT

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden using our free interactive tool and use it to determine the right price for your IT services. Start calculating Now!

Shaun VermaakTechnical Specialist
Awarded 2017
Distinguished Expert 2018

Commented:
Follow my Account Lockout Investigation Process. Let me know if you have any questions.
https://www.experts-exchange.com/articles/29305/Active-Directory-Locked-Account-Investigation-Process.html
Start checking service, program, schedule task, etc..

Do you have mapped network drive?

Did you enable NTLM logging?

Follow this article to troubleshoot account lockout issue. Here is an informative article which can help you to find the cause and source of account lockout.

Author

Commented:
Do I put AD Audit Plus right on the Server or does it need to be ran from the local machine?  I only ask because we switched her from one laptop to another laptop and we are still having the issue.  

To answer some of the questions some of you have had.  She has changed her password a few times since we have started investigating this process.  I know this has been going on for some time now.  He have scanned her laptop and we don't see any virus or malware.  There isn't a smartphone/tablet that is using her account.  She only has the laptop.  Thank you for the help.
Director of Information Technology
Commented:
You need to use the event logs from your DC to see what IP address is the triggering point. It maybe the laptop or could be generated from a server. Without narrowing this down it will be looking for a needle in a haystack.

There are plenty of links in this thread pointing you to methods to isolate the issue.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial