Domain account keeps locking itself out.....and unlocking....

Hi all, having a weird problem with one user on our domain. Her account locks itself out several times a day and I can't suss out what the problem is.

I've downloaded the Microsoft Account lockout tool which shows the account locked out but doesn't give me any pointers to what is causing it to lock.

I also downloaded the Netwrix Account Lockout Examiner software which is also showing the account locking out and I've set it up to send me an email alert when it does so, but the examiner software doesn't give me any clues as to what is locking it out.

Anyone know the best way of sussing this out as it's driving me mad. I've followed some of MS's guidelines and advice on their forums....

There may be many other causes for account locked out.
• user's account in stored user names and passwords
• user's account tied to persistent mapped drive
• user's account as a service account
• user's account used as an IIS application pool identity
• user's account tied to a scheduled task
• un-suspending a virtual machine after a user's pw has changed
• A SMARTPHONE!!!
• could be a virus issue.

But I still haven't got to the bottom of what it is. The weird thing is that it will unlock itself as well, which leads me to think it's something trying to authenticate multiple times at once, but I can't pinpoint what!
 
Hi all. To answer some of the above points.....

The user only sits at one desk and doesn't move around.

On the MS util and the Netwrix util it is showing that she is being locked out from her machine and her machine only.

The user doesn't have admin rights, no; she has a standard user account. This happens several times daily. There are no odd logon times specified and I have searched the security logs for 4740, which told me what I already knew - that the lockouts were coming from her machine.

This isn't a replication issue either as we only have one DC.

Short of formatting her machine and starting again is there anything I can do? The computer has standard software installed so just Office, Adobe and ESET AV, I've looked through the services and can't see anything that is set to run on her user account.
 
Question, has she changed her password recently? Might be worth changing her password back to what it was before to see if that resolves the issue. At least that will get her off your back for a while until you can pinpoint what application is the cause.

She hasn't to the best of my knowledge, but this has been happening for quite a few weeks now and I've only just got round to trying to get it fixed once and for all!

As mentioned earlier, use the lockout tool to find which DC is locking the account out. Go to the security logs on the DC for the exact time the lockout occurs - you'll find the IP address of the computer that's causing the lockout - it could be any of the reasons already stated so you need to find which machine is causing it.

On our domain 9/10 times the user has logged on to another PC (either physically or via RDP) and left it logged in - when the password expires or they change it the lockouts start.

The account unlocking itself will occur on most domains unless the domain policy is changed; I think the default is to unlock locked accounts after 30 minutes.

I already know which machine it is coming from confirmed by both the security logs on the DC, the MS Account Lockout Tool and the Netwrix software, however I'm not sure what is causing it to occur on the machine.

Tried re-profiling the user account? If other users use the PC do they get locked out?
Any toolbars installed?
Akamai NetSession installed or similar?

Tried Process Explorer to see what's running?

covenantuk, please see previous posts for information

No I haven't reprofiled her account yet was seeing if I could sort it out before doing that! Not sure if anyone else gets lockouts as no one else uses that machine! I'll check for toolbars but to the best of my knowledge there shouldn't be.
 
You ninja'd me there. I would also check drive mappings, I wouldn't put it past a helpdesk womble to tell a user to map a drive manually and just store up the problem for later.

I fully expect it to be something like this, but it may need some tracking down.

What OS is she running?

I disconnected all drive mappings in case that was the cause but it was still occurring. Windows 7!
 
The frequency of lockouts is of less interest than the frequency of each individual bad logon attempt. Once per hour is more likely to be an app trying to auto-update. Random timeframes is probably something which the end-user is initiating, so perhaps a saved cred in an app somewhere.

I usually manage to find the offending application/saved credential. Here is a list I posted earlier. Add the Akamai NetSession service (part of AutoCAD, in our case) to that list.

Are bad logons attempted while she is logged off? That can lean towards a service causing the locks. Leave the PC turned on to find out - disable sleep timers. Or, if you can VPN to your workplace now, WOL it and see if it locks her account out now while she's not logged on.

Is a bad logon attempted the instant the desktop loads (application settings, particularly proxy)? Or during the logon process (drive mappings, desktop shortcuts, saved credentials)? Or 10 minutes after the desktop is loaded (saved credentials in user-session app auto-update tools, perhaps proxy creds again)?

If you don't have client security logging enabled by GPO, you can enable it locally via secpol.msc


This is a disaster waiting to happen. Get another DC, stat. Even a spare desktop PC running a Server OS will do, until you can get server-class hardware.

We are only a small organisation with about 40 users. Historically we've only had 1 DC in the server farm but it's been on my list of things to do for a while but it's not a priority at the moment.

I'm trying to iron out some other issues before I deploy a second DC.
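The timing and logon-stage questions raised above can be answered from the client's own Security log once failure auditing is on. As an added example (not posted by anyone in the thread), this lists the failed logons (event 4625) recorded on the client for the account, with the caller process and the gap since the previous attempt; the account name and look-back window are placeholders.

```powershell
# Added example, not from the thread. Run elevated on the affected client after
# enabling failure auditing for logon events (secpol.msc or GPO).
$User  = 'jbloggs'               # placeholder account name (assumption)
$Since = (Get-Date).AddDays(-2)  # look-back window (assumption)

$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Security'; Id = 4625; StartTime = $Since
} -ErrorAction SilentlyContinue

$attempts = foreach ($e in $events) {
    # Read the named EventData fields from the event XML.
    $d = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    if ($d['TargetUserName'] -ne $User) { continue }
    New-Object PSObject -Property @{
        Time      = $e.TimeCreated
        LogonType = $d['LogonType']    # 2 interactive, 3 network, 4 batch, 5 service, 7 unlock
        Process   = $d['ProcessName']  # caller process, when Windows records one
        Source    = $d['IpAddress']
        SubStatus = $d['SubStatus']    # 0xC000006A = wrong password, 0xC0000234 = locked out
    }
}

# Gap between consecutive attempts: a steady gap suggests a service or updater,
# irregular gaps suggest something the user starts.
$prev = $null
$attempts | Where-Object { $_ } | Sort-Object Time | ForEach-Object {
    $gap = if ($prev) { [math]::Round(($_.Time - $prev).TotalMinutes, 1) } else { $null }
    $prev = $_.Time
    $_ | Add-Member -MemberType NoteProperty -Name GapMin -Value $gap -PassThru
} | Format-Table Time, GapMin, LogonType, Process, Source, SubStatus -AutoSize
```

The script sticks to PowerShell 2.0 syntax so it runs on a stock Windows 7 client. It only sees failures logged on the client itself; attempts made against other servers show up in those servers' or the DC's Security log instead.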
 
I have asked her if she has tied her email to her phone and she assures me she hasn't.

It could be Exchange/Outlook, however I've already rebuilt her Exchange profile once to check.

I literally notice it happening within about 10 mins of her being logged in so it could be related to Outlook. I'm going to go take a look in a sec but it must be some software/service on that specific machine as she has been over at our other office this morning and logged on through terminal services and isn't having a problem!
 
New user profile, then if that doesn't work rebuild the PC. Issues like this are simply not time efficient to fix; you have already wasted more time than a rebuild would take.

True, going to give her a new user profile tomorrow and if it carries on, the machine is getting wiped!
 
Well the funny thing is that it hasn't happened since I did some 'fiddling', not quite sure what has rectified the issue though haha. Will keep my fingers crossed it doesn't happen again.
 