Domain account keeps locking itself out.....and unlocking....

Soldato
Joined
16 Nov 2002
Posts
11,189
Location
The Moon
Hi all, having a weird problem with one user on our domain. Her account locks itself out several times a day and I can't suss out what the problem is.

I've downloaded the Microsoft Account lockout tool which shows the account locked out but doesn't give me any pointers to what is causing it to lock.

I also downloaded the Netwrix Account Lockout Examiner software, which is also showing the account locking out, and I've set it up to send me an email alert when it does so, but the examiner software doesn't give me any clues as to what is locking it out.

Anyone know the best way of sussing this out as it's driving me mad. I've followed some of MS's guidelines and advice on their forums....

There may be many other causes for account locked out.
• user's account in stored user names and passwords
• user's account tied to persistent mapped drive
• user's account as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw has changed
• A SMARTPHONE!!!
• could be a virus issue.

But I still haven't got to the bottom of what it is. The weird thing is that it will unlock itself as well, which leads me to think it's something trying to authenticate multiple times at once but I can't pinpoint what!
 
Soldato
Joined
27 Feb 2003
Posts
7,173
Location
Shropshire
What OS for the user? I have a memory of having an XP PC that had a stored set of user credentials (for the domain). IIRC it was buried away via User Accounts in Control Panel (Stored User Names?)
 
Soldato
Joined
14 Jun 2004
Posts
5,420
Some simple questions: have they logged in anywhere else recently, or do they move around often?

Have you looked at the event logs on the server that first reported the lockout? It should give you some pointers to which PC it's being locked out from. Probably the most important issue is which PC is creating the issue.

I had a similar issue where I'd left myself logged in and left MS Lync running, changed my password over a weekend and bam, 5 times in one day my account was locked. Couldn't work out where it was coming from until we looked at some server logs. Could be quite hard if you have a lot of users.

Also another thought: do they have admin rights? Wondering if something has been installed that remembers her login details and is trying to authenticate. Could be some adware/spyware/viri stuff also.
 
Associate
Joined
1 Sep 2009
Posts
1,084
You could look at the logon times that the user is allowed to access the system - someone might have done something daft like deny them logon rights at certain hours of the day, although IIRC the error message you get is 'not allowed to log on at this time' or something similar, not account disabled.

You might also want to look at the replication of your DCs - she may be locked out on one DC, but not on another, and if replication is knackered the behaviour will depend upon which DC she is hitting at the time.
 
Associate
Joined
3 Oct 2007
Posts
795
The account lock out tools will definitely help you in this case, but you haven't really explained how you've used it.

> Run 'LockoutStatus' to confirm they are locked.
> Run 'EventCombMT' enter your domain and use the 'account lockouts' built in report.

Look through the generated reports (there will be one for each DC with a lockout event listed) for the username, and it will tell you what machine the logins are coming from that has caused the lockout.

Armed with this you'd be looking for services on that machine that are running under that username, or even just an open terminal services session
 
Soldato
OP
Joined
16 Nov 2002
Posts
11,189
Location
The Moon
Hi all. To answer some of the above points.....

The user only sits at one desk and doesn't move around.

On the MS util and the Netwrix util it is showing that she is being locked out from her machine and her machine only.

The user doesn't have admin rights, no, she has a standard user account. This happens several times daily. There are no odd logon times specified and I have searched the security logs for 4740, which told me what I already knew - that the lockouts were coming from her machine.

This isn't a replication issue either as we only have one DC.

Short of formatting her machine and starting again is there anything I can do? The computer has standard software installed so just Office, Adobe and ESET AV, I've looked through the services and can't see anything that is set to run on her user account.
 
Soldato
Joined
4 Nov 2006
Posts
2,752
Location
Yorkshire
Hope you put fake info in the Netwrix trial because their salesmen who ring you afterwards are a set of ***** and they pass your info on, terrible company.

Do you have a web proxy that uses LDAP authentication? That's where half of our lockouts come from, users ticking the save user/pass option in IE.
 
Associate
Joined
3 Oct 2007
Posts
795
> Do you have a web proxy that uses LDAP authentication? That's where half of our lockouts come from, users ticking the save user/pass option in IE.

You ninja'd me there. I would also check drive mappings, I wouldn't put it past a helpdesk womble to tell a user to map a drive manually and just store up the problem for later.

I fully expect it to be something like this, but it may need some tracking down.

What OS is she running?
 
Associate
Joined
20 Dec 2010
Posts
2,246
Location
East Devon
Question, has she changed her password recently? Might be worth changing her password back to what it was before to see if that resolves the issue. At least that will get her off your back for a while until you can pinpoint what application is the cause.
 
Associate
Joined
23 Apr 2012
Posts
2,135
Location
Edinburgh
As mentioned earlier, use the lockout tool to find which DC is locking the account out. Go to the security logs on the DC for the exact time the lockout occurs - you'll find the IP address of the computer that's causing the lockout - it could be any of the reasons already stated so you need to find which machine is causing it.


On our domain 9/10 times the user has logged on to another PC (either physically or via RDP) and left it logged in - when the password expires or they change it the lockouts start.

The account unlocking itself will occur on most domains unless the domain policy is changed, I think the default is to unlock locked accounts after 30 minutes.
 
Last edited:
Soldato
Joined
14 Jun 2004
Posts
5,420
Tried re-profiling the user account? If other users use the PC do they get locked out?
Any toolbars installed?
Akamai NetSession installed or similar?

Tried Process Explorer to see what's running?

covenantuk, please see previous posts for information.
 
Soldato
OP
Joined
16 Nov 2002
Posts
11,189
Location
The Moon
> Question, has she changed her password recently? Might be worth changing her password back to what it was before to see if that resolves the issue. At least that will get her off your back for a while until you can pinpoint what application is the cause.

She hasn't to the best of my knowledge, but this has been happening for quite a few weeks now and I've only just got round to trying to get it fixed once and for all!

> As mentioned earlier, use the lockout tool to find which DC is locking the account out. Go to the security logs on the DC for the exact time the lockout occurs - you'll find the IP address of the computer that's causing the lockout - it could be any of the reasons already stated so you need to find which machine is causing it.
>
> On our domain 9/10 times the user has logged on to another PC (either physically or via RDP) and left it logged in - when the password expires or they change it the lockouts start.
>
> The account unlocking itself will occur on most domains unless the domain policy is changed, I think the default is to unlock locked accounts after 30 minutes.

I already know which machine it is coming from confirmed by both the security logs on the DC, the MS Account Lockout Tool and the Netwrix software, however I'm not sure what is causing it to occur on the machine.

> Tried re-profiling the user account? If other users use the PC do they get locked out?
> Any toolbars installed?
> Akamai NetSession installed or similar?
>
> Tried Process Explorer to see what's running?
>
> covenantuk, please see previous posts for information.

No I haven't reprofiled her account yet was seeing if I could sort it out before doing that! Not sure if anyone else gets lockouts as no one else uses that machine! I'll check for toolbars but to the best of my knowledge there shouldn't be.
 
Soldato
OP
Joined
16 Nov 2002
Posts
11,189
Location
The Moon
> You ninja'd me there. I would also check drive mappings, I wouldn't put it past a helpdesk womble to tell a user to map a drive manually and just store up the problem for later.
>
> I fully expect it to be something like this, but it may need some tracking down.
>
> What OS is she running?

I disconnected all drive mappings in case that was the cause but it was still occurring. Windows 7!
 
Associate
Joined
29 Dec 2010
Posts
75
The frequency of lockouts is of less interest than the frequency of each individual bad logon attempt. Once per hour is more likely to be an app trying to auto-update. Random timeframes is probably something which the end-user is initiating, so perhaps a saved cred in an app somewhere.

I usually manage to find the offending application/saved credential. Here is a list I posted earlier. Add the Akamai NetSession service (part of AutoCAD, in our case) to that list.

Are bad logons attempted while she is logged off? That can lean towards a service causing the locks. Leave the PC turned on to find out - disable sleep timers. Or, if you can VPN to your workplace now, WOL it and see if it locks her account out now while she's not logged on.

Is a bad logon attempted the instant the desktop loads (application settings, particularly proxy)? Or during the logon process (drive mappings, desktop shortcuts, saved credentials)? Or 10 minutes after the desktop is loaded (saved credentials in user-session app auto-update tools, perhaps proxy creds again)?

If you don't have client security logging enabled by GPO, you can enable it locally via secpol.msc

> This isn't a replication issue either as we only have one DC.

This is a disaster waiting to happen. Get another DC, stat. Even a spare desktop PC running a Server OS will do, until you can get server-class hardware.
 
Last edited:
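The timing questions in the post above, turned into a small triage script; this is an added example, not code from the thread. The timestamps, the session window and both thresholds are constructed assumptions; real input would be the individual failed-logon times taken from the client's Security log once auditing is enabled.

```python
from datetime import datetime
from statistics import mean, pstdev

FMT = "%Y-%m-%d %H:%M:%S"

def triage(bad_logons, sessions, jitter=0.10, at_logon_secs=120):
    """Sort individual bad-logon times into the buckets the post describes.

    bad_logons: timestamps of failed attempts (not of the lockouts).
    sessions:   (logon, logoff) pairs for the user's interactive sessions.
    jitter and at_logon_secs are assumed thresholds, not from the thread.
    """
    times = sorted(datetime.strptime(t, FMT) for t in bad_logons)
    spans = [(datetime.strptime(a, FMT), datetime.strptime(b, FMT))
             for a, b in sessions]
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    # Regular spacing: the spread of the gaps is small next to their mean.
    periodic = len(gaps) >= 3 and pstdev(gaps) <= jitter * mean(gaps)
    # Attempts made while nobody was logged on interactively.
    logged_off = sum(1 for t in times
                     if not any(a <= t <= b for a, b in spans))
    # Attempts within at_logon_secs of a session starting.
    at_logon = sum(1 for t in times if any(
        0 <= (t - a).total_seconds() <= at_logon_secs for a, _ in spans))
    hints = []
    if logged_off:
        hints.append("service or task: fails while the user is logged off")
    if periodic:
        hints.append(f"timer-driven app/updater: every ~{round(mean(gaps) / 60)} min")
    if at_logon:
        hints.append("logon-time item: mapping, shortcut, saved cred, proxy")
    if not hints:
        hints.append("user-initiated: saved credential in an app")
    return {"periodic": periodic, "logged_off": logged_off,
            "at_logon": at_logon, "hints": hints}

# Constructed sample data: one working day, logged on 08:55 to 17:05.
SESSIONS = [("2013-03-04 08:55:00", "2013-03-04 17:05:00")]
HOURLY = ["2013-03-04 16:12:03", "2013-03-04 17:12:05",
          "2013-03-04 18:12:02", "2013-03-04 19:12:04"]
AT_LOGON = ["2013-03-04 08:55:40", "2013-03-04 09:47:12",
            "2013-03-04 13:20:30", "2013-03-04 13:26:02"]

if __name__ == "__main__":
    for name, sample in (("hourly", HOURLY), ("at logon", AT_LOGON)):
        print(name, triage(sample, SESSIONS)["hints"])
```

Feed it attempt times rather than lockout times: a lockout only marks the attempt that crossed the threshold, so the spacing between lockouts hides the pattern.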
Soldato
OP
Joined
16 Nov 2002
Posts
11,189
Location
The Moon
> The frequency of lockouts is of less interest than the frequency of each individual bad logon attempt. Once per hour is more likely to be an app trying to auto-update. Random timeframes is probably something which the end-user is initiating, so perhaps a saved cred in an app somewhere.
>
> I usually manage to find the offending application/saved credential. Here is a list I posted earlier. Add the Akamai NetSession service (part of AutoCAD, in our case) to that list.
>
> Are bad logons attempted while she is logged off? That can lean towards a service causing the locks. Leave the PC turned on to find out - disable sleep timers. Or, if you can VPN to your workplace now, WOL it and see if it locks her account out now while she's not logged on.
>
> Is a bad logon attempted the instant the desktop loads (application settings, particularly proxy)? Or during the logon process (drive mappings, desktop shortcuts, saved credentials)? Or 10 minutes after the desktop is loaded (saved credentials in user-session app auto-update tools, perhaps proxy creds again)?
>
> If you don't have client security logging enabled by GPO, you can enable it locally via secpol.msc
>
> This is a disaster waiting to happen. Get another DC, stat. Even a spare desktop PC running a Server OS will do, until you can get server-class hardware.

We are only a small organisation with about 40 users. Historically we've only had 1 DC in the server farm but it's been on my list of things to do for a while but it's not a priority at the moment.

I'm trying to iron out some other issues before I deploy a second DC.
 
Associate
Joined
3 Oct 2007
Posts
795
> I disconnected all drive mappings in case that was the cause but it was still occurring. Windows 7!

Fire up a command prompt and run 'net use' just in case there is something sticking around not shown in the GUI.
Might be worth checking Java, as there are some proxy authentication settings in there.

I think you're nearing the point where you'll have to rename her profile and try again. It'll certainly be less hassle than rebuilding the machine.
 
Associate
Joined
2 Mar 2011
Posts
517
Location
Glasgow
Is the domain account linked to an Exchange Email account? We have had a few users who set up their email on their phone, and once the password is changed once, they forget to change on their mobile device and this locks them out constantly as the mail server is receiving the incorrect credentials. I know you have said it is locking the user out from their computer, but could it be the case that the is connected to the mail client and causing the same sort of error?
 