Account continually locked out - Windows 7 x64, 2008 R2 domain

  • Question

  • I am having a problem that popped up on my machine yesterday.  My user account has been locked out consistently, every 5 minutes or so since yesterday morning. 

    I have checked the services that are running.  I have looked at scheduled tasks and credentials manager - I don't see anything there.

    My password expired yesterday morning, so I changed it.  When I came back to my computer - my account was locked out.  I thought it was due to something that I was doing with a SQL server.  I unlocked the account and went on about my business.  Ten minutes later - the same thing happened.  Then it happened again.  I immediately checked my local machines services and scheduled tasks and found nothing. 

    I then unlocked my account and pulled my network cable and took my machine off the network.  I logged on to other machines and did not have this problem.  When I came back to the office this morning, my account was not locked out.  I connected my network cable, logged on to my machine - within 5 minutes, my account was locked out again.  So it has to be something going on with my machine.

    I checked in programs & features to see if anything was installed yesterday - there was not.  I then looked into the account lockout and management tools.  I installed these and it pointed me nowhere.  Using lockout status.exe I can see when the bad attempts are occurring; pairing that with the security event log on the DC and also a custom filter on our syslog server for my account name, I see my failed login attempts.  The lockouts are all coming at the DC at the site at which I am located.

    When I check the event viewer, I see a lot of this:

    - System
    - Provider
    [ Name] Microsoft-Windows-Security-Auditing
    [ Guid] {########-####-####-####-############}
    EventID 4771
    Version 0
    Level 0
    Task 14339
    Opcode 0
    Keywords 0x8010000000000000
    - TimeCreated
    [ SystemTime] 2012-05-24T19:13:32.212477300Z
    EventRecordID 42334632
    Correlation
    - Execution
    [ ProcessID] 580
    [ ThreadID] 1204
    Channel Security
    Computer dc.mydomain.local
    Security
    - EventData
    TargetUserName stephen.bell
    TargetSid #-#-#-##-##########-#########-##########-####
    ServiceName krbtgt/MYDOMAIN
    TicketOptions 0x40810010
    Status 0x18
    PreAuthType 2
    IpAddress ::ffff:172.17.10.4
    IpPort 51304
    CertIssuerName
    CertSerialNumber
    CertThumbprint

    How can I find out what is causing this on my machine?  I tried to use the alockout.dll but it did not seem to work as advertised - looks like it is a Windows 7 x64 thing?

    In addition, I have disconnected all of my mapped drives and network shares.  I am really at a loss for my next step and may just end up starting from scratch with my machine.

    Thanks in advance for any guidance

    sb

    Thursday, May 24, 2012 7:16 PM

Answers

  • OK - So I could never figure this one out.  I ended up wiping my machine and starting fresh.  That did solve this issue :)

    • Marked as answer by Rick Tan Monday, June 4, 2012 1:43 AM
    Friday, June 1, 2012 3:02 PM

All replies

  • Hello,

    have you also checked for conficker as this is one of the symptoms?

    http://support.microsoft.com/kb/962007

    See also http://support.microsoft.com/kb/109626 http://www.pbbergs.com/windows/articles/UserAccountLockoutTroubleshooting.html


    Best regards

    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://msmvps.com/blogs/mweber/

    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.

    Thursday, May 24, 2012 7:19 PM
  • Do you have a phone, tablet, handheld, etc...  Usually see these little devices cause all kinds of retries that lockout your account.

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Thursday, May 24, 2012 7:31 PM
  • Negative.  I have an iphone - but it does not have any windows credentials tied to it.

    Thanks for the response.

    Thursday, May 24, 2012 7:32 PM
  • Hi,

    The Lockoutstatus.exe tool must be pointing you to the DC where the account gets locked. Check that DC and look for Event ID 4740. This will show you the source machine from where the account is getting locked. If it shows your workstation name, then there is something on the machine which is causing it. If there is no entry in the event for the source machine, then it can be a non-Windows device like an iPhone, when you are checking your corporate email via this device.

    Let me know if this helps; otherwise it will be wise to have a look at the netlogon log from the client.

    AB

    Friday, May 25, 2012 3:35 AM
  • You should get the source from where the user account is getting locked.

    Follow the procedure below and see if it helps you.

    1. Download the Microsoft lockout status tool from the link below

      http://www.microsoft.com/en-us/download/details.aspx?id=15201

    2. Install it on the domain controller

    3. Put the target name (the user account which is getting locked) on the target tab

    4. It will list the date/time and DC on which account lockout events are happening

    5. Check the latest date and time and DC name. Log in to the DC where the event is getting generated.

    6. Go to the security event log ------> search for 644 (Microsoft Server 203) or 4740 (W2K8) -----> open the event

    7. It will list the account information and the computer name from which the account is getting locked

    8. Log in to the computer and check for any services or scheduled tasks

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, May 25, 2012 6:08 AM
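
    The lookup that the two replies above describe (event 4740 on the DC that LockoutStatus points to), combined with the 4771 failures shown in the question, as an added PowerShell example that is not part of any post in this thread. The event XML is constructed sample data: `WKSTN-EXAMPLE` is a placeholder, and the 4771 values are the ones quoted in the question.

```powershell
# Added example, not from the thread. Flattens Security-log event XML
# (the format EventLogRecord.ToXml() returns) into one record per event.
function ConvertFrom-AuthEventXml {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$Xml)
    begin {
        # Kerberos pre-authentication result codes found in the 4771 "Status" field
        $status = @{ '0x12' = 'account disabled/expired/locked'
                     '0x17' = 'password expired'
                     '0x18' = 'bad password' }
    }
    process {
        $e  = ([xml]$Xml).Event
        $id = [int]$e.System['EventID'].InnerText
        $d  = @{}
        foreach ($n in $e.EventData.ChildNodes) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        switch ($id) {
            # 4740 stores the caller computer name in TargetDomainName
            4740 { $source = $d['TargetDomainName']; $why = 'lockout' }
            # 4771 records the client address, IPv4-mapped (::ffff:a.b.c.d)
            4771 { $source = $d['IpAddress'] -replace '^::ffff:', ''
                   $why    = $status[$d['Status']]
                   if (-not $why) { $why = $d['Status'] } }   # unknown code: keep it raw
            default { return }                                 # ignore other event IDs
        }
        [pscustomobject]@{ EventId = $id; User = $d['TargetUserName']
                           Source  = $source; Reason = $why }
    }
}

# Constructed sample events (trimmed to the fields the function reads).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$preauthFail = "<Event xmlns='$ns'><System><EventID>4771</EventID></System><EventData>
  <Data Name='TargetUserName'>stephen.bell</Data><Data Name='Status'>0x18</Data>
  <Data Name='IpAddress'>::ffff:172.17.10.4</Data></EventData></Event>"
$lockout = "<Event xmlns='$ns'><System><EventID>4740</EventID></System><EventData>
  <Data Name='TargetUserName'>stephen.bell</Data>
  <Data Name='TargetDomainName'>WKSTN-EXAMPLE</Data></EventData></Event>"

# Count events per user/source/reason; the top rows are where to look first.
$preauthFail, $preauthFail, $lockout | ConvertFrom-AuthEventXml |
    Group-Object User, Source, Reason | Sort-Object Count -Descending |
    Select-Object Count, Name

# Against a live DC (run with rights to read its Security log):
# Get-WinEvent -ComputerName dc.mydomain.local -FilterHashtable @{LogName='Security'; Id=4740,4771} |
#     ForEach-Object { $_.ToXml() } | ConvertFrom-AuthEventXml
```

    A 4771 source that is the user's own workstation points at something local replaying the old password; an address that belongs to a mail gateway or wireless controller points at a handheld, as several replies in this thread suggest.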
  • Netwrix has got a good tool to find the source of the account lockout.

    https://www.netwrix.com/account_lockout_troubleshooting.html

    You can find a few more links in the link below.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/cddbf977-b98f-4783-8226-ebddab54d002/


    Awinish Vishwakarma - MVP - Directory Services

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.


    Friday, May 25, 2012 7:03 AM
  • If user id is getting frequently locked out, use the Eventcomb LockoutStatus.exe to determine which DC it is being locked out upon, then examine the security log of that domain controller to determine the member server or workstation it is occurring on. You can then check scheduled tasks/services to nail it down, or log the user out of the system identified if logged in.

    Does the user involved have a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange)? If it fails to connect 3 times (depending on your GPOs), it locks his account. Have a look at all his stuff using his user account automatically, especially his mobile (90% of the time guilty).

    Refer to the links below for more steps on troubleshooting account lockout.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a7399f-7e7b-4404-9509-1e9ac08690a8/

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1c7e66a4-6a81-4118-89df-2e290852c3cc/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, May 25, 2012 9:23 AM
  • Check my blog then.  It should help you track down the device, if it ends up saying a router device then it will most likely be a handheld of some kind.
    http://blogs.dirteam.com/blogs/paulbergson/archive/2012/04/23/user-account-lockout-troubleshooting.aspx

    --
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security+, BS CSci
    2008, Vista, 2003, 2000 (Early Achiever), NT4
    http://blogs.dirteam.com/blogs/paulbergson  Twitter @pbbergs
    Please no e-mails, any questions should be posted in the NewsGroup. This posting is provided "AS IS" with no warranties, and confers no rights.

    Friday, May 25, 2012 12:10 PM
  • OK - So I could never figure this one out.  I ended up wiping my machine and starting fresh.  That did solve this issue :)

    I am not sure whether you have tried finding the source from where the user account is getting locked or not.

    Anyway, the problem got resolved. Nice to hear that.

    Cheers,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Saturday, June 2, 2012 5:59 AM
  • I came across this little gem recently. We had a user that was getting locked just about every day. It would usually occur at logon or sometime shortly thereafter (timing was never consistent).

    We used the lockout tools to determine that the lockout was coming from a desktop that she had never used. It turned out that the user naming convention y0000000 was part of the issue. The user on the machine that was locking out the account had transposed two numbers to match the locked out user account. It had gotten cached so when the user on the lockout machine logged in the other account would get locked out. We opened the Credential Store and deleted the offending entry.

    Fun!


    JJ

    • Proposed as answer by MaryP82 Monday, June 9, 2014 7:39 PM
    Friday, August 3, 2012 4:59 PM