Incredibly weird issue, Win 7 account locked out

Associate
Joined
13 Jun 2005
Posts
1,416
Location
West Midlands
Hi folks,

I'll dive straight in with this one as I've been working on it since 9am today, with little progress.

I have USER A whose account locks out without them even being logged into their machine. The user changed their password yesterday as per company policy and since then it keeps locking out after 3-5 minutes.

Platform - WIN 7 Pro 64 Bit
Server - Win Server 2008 R2 Standard



I have done the following -

Cleared credential manager - NO DIFFERENCE
Reset IE and cleared personal details during reset - NO DIFFERENCE
Tested by logging onto another machine - NO JOY
Recreated their login profile - NO DIFFERENCE
Checked for logged on terminal services accounts - NONE LOGGED IN
Connected devices ie. iPad, iPhone, Android - NONE

I have checked on our DC's and have found the following -

- System

- Provider

[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}

EventID 4776

Version 0

Level 0

Task 14336

Opcode 0

Keywords 0x8010000000000000

- TimeCreated

[ SystemTime] 2014-01-14T12:43:53.301501000Z

EventRecordID 2042599718

Correlation

- Execution

[ ProcessID] 516
[ ThreadID] 29720

Channel Security

Computer XXXXXXDC02.XXXXXXXXXXXXXX.co.uk

Security


- EventData

PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
TargetUserName USER A
Workstation XXXXXXXX
Status 0xc0000234

Kind of hit a brick wall now. Any ideas anyone?
 
Turn off OWA for them, see if the problem goes away. I know they say they don't have any mobile devices accessing their account but that doesn't mean an old BlackBerry account isn't hammering it still.
 
Will try disabling OWA.

User does not login on any other machines, but will still check as sometimes they might hotdesk.

UPDATE: Disabled OWA. Made sure user was completely logged out. Reenabled their login. Waited for 5 minutes and checked on DC. Account locked out again :(
 
Go to the Domain Controller security logs and look for failure audit events for this user. It will give you the IP address of the device where the user is being locked out.

If you have lots of domain controllers, use the AL tools: http://www.microsoft.com/en-gb/download/details.aspx?id=18465 to track down the correct DC with the initial lockout. Occasionally the log will give the IP of another DC, so you have to jump to THAT DC logs to find the source lockout.

Can you tell I do this a lot? :P
 
Hate tracking down account lockouts like this, MS really do lack in this department.

ALtools is good, mind. Once you find the DC they're locked out on, filter the event logs for event ID 4740 and it should at least tell you what machine the lockout is occurring on.

Chrome / flash / java updaters are my usual prime suspects!
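The detective work described in the two posts above (find the DC that recorded the lockout, then pull the caller computer from 4740 and the locked-out NTLM attempts from 4776) can be scripted. This is an added example, not the ALtools utility or anything posted in the thread; it assumes the ActiveDirectory module for the DC list, rights to read each DC's Security log, and the 4740/4776 EventData field order shown in the original post.

```powershell
# Added example, not from the thread. Assumes: ActiveDirectory module present,
# rights to read the Security log on each DC, and standard 4740/4776 field order.
param(
    [Parameter(Mandatory)][string]$User,   # sAMAccountName, e.g. 'USERA'
    [string[]]$DomainControllers = @((Get-ADDomainController -Filter *).HostName),
    [int]$Hours = 24
)

$since = (Get-Date).AddHours(-$Hours)

foreach ($dc in $DomainControllers) {
    # 4740 "A user account was locked out". EventData order is
    # TargetUserName, TargetDomainName, TargetSid, ... and, as a long-standing
    # quirk, TargetDomainName (index 1) holds the Caller Computer Name:
    # the machine that sent the bad credentials (RDP box, phone, updater ...).
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4740; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[0].Value -eq $User } |
        ForEach-Object {
            [pscustomobject]@{
                DC             = $dc
                Time           = $_.TimeCreated
                Event          = '4740 lockout'
                User           = $_.Properties[0].Value
                CallerComputer = $_.Properties[1].Value
                Status         = ''
            }
        }

    # 4776 NTLM credential validation. EventData order is PackageName,
    # TargetUserName, Workstation, Status; 0xC0000234 = account locked out,
    # 0xC000006A = wrong password (the attempts that caused the lockout).
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName = 'Security'; Id = 4776; StartTime = $since
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[1].Value -eq $User -and
                       $_.Properties[3].Value -in '0xc0000234', '0xc000006a' } |
        ForEach-Object {
            [pscustomobject]@{
                DC             = $dc
                Time           = $_.TimeCreated
                Event          = '4776 NTLM'
                User           = $_.Properties[1].Value
                CallerComputer = $_.Properties[2].Value   # Workstation field
                Status         = $_.Properties[3].Value
            }
        }
}
```

Run it as `.\Find-Lockout.ps1 -User USERA | Sort-Object Time | Format-Table`; if the CallerComputer turns out to be another DC, rerun against that DC's log, as the post above describes.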
 
Hi Covenantuk. Should I install this software on the client machine?


No, on your workstation. It's an admin tool - just input the account UID and it'll list the domain controllers and the time of the account lockout. From there on in just do the detective work above :)

Usually with us, it's the support staff who've left themselves logged in on an RDP session and the password expires or they reset it. The RDP session keeps locking their account out until I find it and force the session to logoff.

Remember - most environments that are serious about security require domain admin rights to log onto a domain controller or see the logs.
 
Have you tried changing the password through AD for a second time to see if that makes any difference? Also try setting "password never expires" as a test. Force replication between domain controllers as well.

Probably too basic of a solution but worth a try.
 
Fixed! User was rdp'd elsewhere. Thanks for Altools. Wife's contractions started soon as we fixed it :)
 
Set a Group Policy to automatically kick out idle remote desktop sessions if you don't have a good reason for allowing things to stay logged in.
 
It can be helpful to get the user to log on to webmail, go to options/mobile devices and check the status of all devices linked to their account.

Another fun one we have is the wireless. For some reason we allow users to use their personal devices on the wifi, so they enter their Windows username/password on their iPhone and it works great... until the day they change their password.
 
This one is a common one for us too. Domain credentials are needed to authenticate, but if it's not one of our machines (by MAC address) it gets dropped into a VLAN that only allows restricted-speed access to the internet.
The password gets changed and the account gets locked out, and they swear black and blue that they either enter their password each time they connect to the wifi or have never connected to the wifi, both of which turn out to be wrong 99% of the time.
 