Eric Hoeberlein

asked on

Account Getting Locked Out From Non-Domain PC

I have a weird one and I'm not sure where to go from here.  My account has been getting locked out of our AD controller constantly.  I tracked it down to my SpiceWorks Server (SW-Server) that has been the cause, and I have been unable to find where in the server the old credential is cached.

Today I just got another PC and did a fresh load on it.  The original server was joined to the domain and using my user account for the login that SpiceWorks was loaded into.  The new server I just kept as a local user and is not joined to the domain.  I figured since it's off the domain there can't be a way for it to lock my account out.  Guess I was wrong.  In the event logs (which are attached) it's showing now that Spice-Server is locking my account.

This new server is not joined to the domain, so I don't know how it could be reaching out and using my credentials (wrong ones) to lock out my account.  The only thing installed on the PC is the Spiceworks desktop and the restored database from the old server.  We have Office365, so the SpiceWorks install is reaching to Office365 for the ticket emails, not a locally hosted Exchange. I checked the Spiceworks service and it is using the local user account, not a domain one.

Attached is the event log from the old server and the new server.  Can anyone help me to figure out how it's still locking me out?

Thanks in advance
SW-Server-Log.JPG
Spice-Server-Log.JPG
Brian B

Check the services. The Spiceworks service may be using your credentials.
ASKER

I checked it and it’s got the local user account “sudouser” that I configured the PC with.  It’s just a brand new load with a local user account and nothing loaded on except for the Spiceworks desktop application.
Make sure that "Spice-Server" in DNS is pointed to the correct IP address first of all.  We had an issue where when we would RDP into a specific server, it actually wasn't the correct one since the static entries in DNS were wrong.

If it is correct, look at mapped drives and scheduled tasks to make sure your account isn't used on any of those.
I checked, and since it's not joined to the domain there are no mapped drives.  Tasks has 3: 2 for Google Drive (which is what I use to back up the database) and one for OneDrive, which was brought in by Windows as part of the operating system, I assume, since I have not installed Office on the PC.  All 3 tasks use either the "system" or "sudouser" (the local account I made) for their credentials.
Tasks-and-Drives.JPG
In DNS there was still an entry for SW-Server pointing to its .24 IP.  The new server is also at .24, so I removed the old entry.  I see no entry for the new server Spice-Server, but it is still resolving the host name to .24 when I ping Spice-Server, somehow without an entry present.
Make sure to do an ipconfig /flushdns and ipconfig /registerdns after removing the entry.

Be sure to check your host file as well and make sure the entry isn't in there.
From that server, try and connect to something that requires your domain credentials. Thinking that if your information is cached in there somewhere, this will at least update it and stop your account from getting locked constantly while you troubleshoot.

While we are thinking of that, have you used your credentials to log on to anything from this server already? There could be an old link floating around in a shortcut or something.
I should clarify, I'm calling it a server but it's a Windows 10 workstation.  When I try to connect to the AD server from the SpiceWorks box it asks for credentials and does not open up the server resources automatically.  I have not logged into anything from the PC other than websites; it's only been up and running for 3 hours.  The only things I have done to it were to 1. create a local user admin account during the Windows install, 2. install Spiceworks Desktop and Google Drive, and 3. restore the Spiceworks database backup from my old server to the new one.  Aside from that it's just a regular Windows 10 box that is not joined to the domain.  It's just getting its DHCP reservation from the server and that's it.  I have run the flushdns and registerdns on the box just now.  It logs the account logout error in the server event viewer every 15 minutes, so it won't be long till I know if that fixed it.
Server-Connect.JPG
I didn't think DNS would have any effect. However, when you try and access a domain resource, try and connect with your credentials like I mentioned. This will tell us if it CAN work and also properly update any cached settings related to your account.
I connected via UNC to SRCC-AD1 (our AD server) and it prompted for credentials.  I entered my domain user account and it did authenticate and show me the server resources.
Great! Now monitor to see if the account lockout problem goes away.
So I let it sit over the weekend, and this morning the server logs show that I'm still being locked out every 15 minutes from the Spiceworks PC.
Alright, you are going to have to go a lower level then. We are going to have to review all the processes. If you already checked all the services, the next step is try running in safe mode with network and see if the problem goes away.
Just rebooted into safe mode with networking.  I'll give it an hour and let you know if it's still locking the account out.  Thanks
It's been about an hour in safe mode and it has not locked the account out.  The Spiceworks service is not running at the moment.
Okay. So this probably means there is something third party causing the problem. Have a look at the MSCONFIG tool to start the system with limited services running. Basically we are trying to narrow down the problem to a specific area.
I have disabled everything in startup and stopped the SpiceWorks service to see if the lockout stops.  Other than Google Drive and Spiceworks there is nothing else installed on this Windows 10 PC.  I'll update shortly, as it locks out every 15 minutes like clockwork.
Since I stopped the Spiceworks service the account lockout has stopped.  I just don't know what in Spiceworks could have the credential cached; the service is running with the local user account, so it's not that.
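
The thread identifies the lockout source and its 15-minute cadence from the domain controller's event log. The following PowerShell is an added example, not part of the original thread, that summarises lockout events (Security event ID 4740) per caller computer. The function names, the account name `jdoe` and the sample timestamps are constructed for illustration.

```powershell
# Added example: summarise lockout events per caller computer and their cadence.
# Input objects need TimeCreated, User and CallerComputer properties.
function Get-LockoutSummary {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [Parameter(Mandatory)] [string]   $User
    )
    $Events | Where-Object { $_.User -eq $User } | Group-Object CallerComputer |
        ForEach-Object {
            $source = $_.Name
            $times  = @($_.Group | Sort-Object TimeCreated | ForEach-Object { $_.TimeCreated })
            # Minutes between consecutive lockouts from this source
            $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) {
                ($times[$i] - $times[$i - 1]).TotalMinutes
            })
            $avg = if ($gaps.Count -gt 0) {
                [math]::Round(($gaps | Measure-Object -Average).Average, 1)
            } else { $null }
            [pscustomobject]@{
                CallerComputer = $source
                Lockouts       = $times.Count
                FirstSeen      = $times[0]
                LastSeen       = $times[-1]
                AvgGapMinutes  = $avg
            }
        }
}

# Turns a real event 4740 record into the shape above. In 4740 the TargetUserName
# field is the locked account and TargetDomainName holds the caller computer name.
function ConvertFrom-LockoutEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $data = @{}
        foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated    = $Record.TimeCreated
            User           = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
        }
    }
}
# On the domain controller (elevated):
# $real = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } | ConvertFrom-LockoutEvent
# Constructed sample: account 'jdoe' (placeholder) locked out every 15 minutes.
$start  = Get-Date '2024-01-08 08:00'
$sample = 0..3 | ForEach-Object {
    [pscustomobject]@{ TimeCreated = $start.AddMinutes(15 * $_); User = 'jdoe'; CallerComputer = 'SPICE-SERVER' }
}
Get-LockoutSummary -Events $sample -User 'jdoe' | Format-Table -AutoSize
```

A steady `AvgGapMinutes` from a single caller computer points to a scheduled job or polling service on that host rather than a person retyping a password.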