nav2567 (United States of America) asked:
AD account is being locked daily.


I have a user whose AD account keeps being locked.  I have checked her desktop and I do not see any Windows Services or scheduled task running under her account.  Besides her desktop, she does not use any tablet to access her email.  I am not sure what else to check.  

In the interim, I can only configure her account not to require any Kerberos preauthentication.  Otherwise, her account will be auto locked every day.  

Please advise if someone has an idea.  

Our domain controller is running on Windows Server 2012.

Hello There:
If you can't track down the root cause through an investigation of the event logs, check Windows cached credentials in any virtual machines, VDIs, and workstations.  Remove the account on their mobile device(s).  Recreate all mapped drives.

I agree with the comment from Hello There.

If the user is not using any other systems or endpoints which can be a probable candidate of a cached password, then it might be an attack happening from internal or external. The logic to be used is simple.
1) Multiple authentication requests are coming to the DC with an incorrect password
2) After the bad password threshold, the account gets locked out
3) The DC holding the PDC Emulator role will have an event logged at this time - Event ID 4740
4) On the PDC, filter the Security event log for 4740. Have a look if multiple accounts are getting locked out or if it's just one account
5) Look for the caller computer in all the event log entries with respect to the specific user who is having the issue
6) If the caller computer is the same for all lockout events - then you need to start isolating this specific computer
7) If the caller computer is the same as the actual end user computer - it may be a case of a cached password. Need further investigation on that endpoint. An old password configured as a cached password inside a browser, file share or even a thick application which has the option to save the password are all potential causes.
8) If the caller computer is not the same computer which the end user is using - then it's getting a different dimension.
9) The next step is to identify if the caller computer is a known computer or an unknown computer. If it's a known computer - you need to start investigating what's happening or what application is running (if it's a server).
10) If it's an unknown computer - then it's getting further complex. Now, you need to enable NETLOGON debug logging on all domain controllers so that all authentication requests are logged in maximum detail including the IP and MAC address from where the request is coming
11) For the next lockout, start looking at the netlogon log on the domain controller where the lockout happened.
12) Get the network team involved. Isolate the port where that MAC address is connected. Start investigating around that asset.

Good luck!
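Steps 4 to 8 above, as an added PowerShell example that is not part of the thread: it pulls the 4740 events from the PDC emulator, shows whether one or many accounts are being locked, and groups the affected user's lockouts by caller computer. It assumes the RSAT ActiveDirectory module, rights to read the Security log remotely, and a `$User` parameter holding the sAMAccountName (all assumptions).

```powershell
# Added example, not from the thread. Summarise 4740 lockout events on the
# PDC emulator and count lockouts per caller computer for one user.
# Assumes: ActiveDirectory module, remote read access to the Security log.
param(
    [Parameter(Mandatory)][string]$User,   # sAMAccountName of the affected user
    [int]$Days = 7                         # how far back to look
)

Import-Module ActiveDirectory

# Lockouts are always recorded on the PDC emulator, so query it directly.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Parse the event XML so fields are addressed by name, not by position.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    # In event 4740 the locked account is TargetUserName and the
    # "Caller Computer Name" is carried in the TargetDomainName field.
    [pscustomobject]@{
        Time           = $e.TimeCreated
        Account        = $d['TargetUserName']
        CallerComputer = $d['TargetDomainName']
    }
}

# Step 4: is it one account or many?
$rows | Group-Object Account | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# Steps 5-8: which computer is sending the bad passwords for this user?
$rows | Where-Object Account -eq $User |
    Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object @{n='CallerComputer';e={$_.Name}}, Count,
                  @{n='LastSeen';e={($_.Group | Sort-Object Time)[-1].Time}} |
    Format-Table -AutoSize
```

If the only caller computer listed is the user's own workstation, the cached-credential checks in step 7 are the next place to look; an unknown name points to steps 10 to 12.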
nav2567:
Thanks, everyone!