CISS
asked on
Domain Account getting locked out
We have a domain user account being locked out every few minutes after a password reset a few weeks ago (turns out we may have reset the password to what it was previously set as, i.e., the password was Example123 and we set it to Example123... not sure if this matters). I've looked in the event viewer but the only information it seems to give is that the DC is what triggered the lockout and not the device/PC that's using the wrong information to log in. Is there a way to track this information down?
I've looked at the audit failure event viewer logs but I'm not sure these are the right errors I should be looking at. Meaning, the audit successes mostly show the user that logged in. The failures seem to just be showing System. The times also don't line up with when we've unlocked and watched the account get locked.
I've started netlogon logging to capture the event.
[CRITICAL] NlPrintRpcDebug: Couldn't get EEInfo for I_NetLogonSamLogonWithFlags: 1761 (may be legitimate for 0xc0000234) is what I found in those logs.
When I got this error I cleared the credentials on this user's primary PC but they do move around to different sites (same domain) frequently. We've also removed email from their home PC and their phone.
Most PCs are Windows 7 and Server 2008 on the DC
Thank you for any suggestions!
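The Netlogon debug log mentioned in the question records which machine each logon request came from, so it can be parsed to rank the sources sending bad passwords for the locked account. This is an added example, not part of the original post: the log lines, the domain CORP, the account jdoe and the host names are constructed, and the line layout is assumed to be the common "SamLogon: ... logon of DOMAIN\user from HOST Returns 0x..." form.

```python
import re
from collections import Counter

# NTSTATUS codes relevant to lockout hunting.
STATUS = {
    0xC000006A: "STATUS_WRONG_PASSWORD",
    0xC0000234: "STATUS_ACCOUNT_LOCKED_OUT",  # the code seen in the question
}

# Matches the "Returns" half of a Netlogon debug-log logon entry.
# The "DOMAIN: " prefix and the "(via SERVER)" suffix are both optional.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?SamLogon: "
    r"(?P<kind>[\w ]*?logon) of (?P<dom>[^\\\s]*)\\(?P<user>\S+) "
    r"from (?P<src>\S+)(?: \(via (?P<via>[^)]+)\))? "
    r"Returns (?P<status>0x[0-9A-Fa-f]+)\s*$"
)

def failed_logons(lines, account):
    """Yield (timestamp, source, via, status_name) for failures of `account`."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["user"].lower() != account.lower():
            continue
        code = int(m["status"], 16)
        if code in STATUS:
            yield m["ts"], m["src"], m["via"], STATUS[code]

def sources_by_wrong_password(lines, account):
    """Count bad-password attempts per source machine, most frequent first."""
    hits = Counter()
    for _ts, src, _via, name in failed_logons(lines, account):
        if name == "STATUS_WRONG_PASSWORD":
            hits[src] += 1
    return hits.most_common()

# Constructed sample lines (not taken from the asker's log).
SAMPLE = r"""
06/12 10:15:30 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from SITE2-PC07 Entered
06/12 10:15:30 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from SITE2-PC07 Returns 0xC000006A
06/12 10:15:41 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from SITE2-PC07 Returns 0xC000006A
06/12 10:15:52 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from MAIL01 (via DC02) Returns 0xC000006A
06/12 10:16:03 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from SITE2-PC07 Returns 0xC000006A
06/12 10:16:10 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from HQ-PC01 Returns 0xC0000234
06/12 10:16:12 [LOGON] CORP: SamLogon: Network logon of CORP\asmith from HQ-PC02 Returns 0x0
""".splitlines()

if __name__ == "__main__":
    for src, n in sources_by_wrong_password(SAMPLE, "jdoe"):
        print(f"{src}: {n} bad-password attempts")
```

Sources that only ever return 0xC0000234 are hitting an account that is already locked; the machines returning 0xC000006A are the ones still presenting the old password.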
Could try an MS tool to find where or which DC is locking out the account.
See:
https://www.microsoft.com/en-ca/download/details.aspx?id=18465
Sounds like a service was installed under the admin account and the credentials were used. For example, you buy Backup123 and install it. In order for it to work you have to provide an administrator account for it to run services. If the admin account was used and the password changed you will get locked out as the service tries to authenticate with the app.
Go to Services and click on "Log On As" and scroll down to see if you see the administrator account used with any of the services. If so update the password and select reset.
Also make sure the password is set to never expire if you find the administrator account being used.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
ASKER
Thank you all for your help! The link posted by Shaun is incredibly helpful! Ended up setting the Group Policy Lockout to the settings recommended in that article. So far the account is not getting locked out. Going to use the rest of the steps to try and track down the cause.
Try clearing credentials in PC.
Control Panel
User Accounts
on the left Manage your credentials
Remove or edit all credentials linked to outlook "MS.Outlook"