User in AD, locked out every hour

    Question

  • Hello,

    I have a user who is locked out every hour; hence, every hour the user is re-prompted to type in the password. I am really clueless here, his AD account seems to be correct. I can't see anything strange in the event viewer.

    Thanks in advance.


    Luis Olías.


    • Edited by Luis O.J Friday, March 31, 2017 5:25 PM
    Friday, March 31, 2017 5:22 PM

All replies

  • Check for cached credentials. That's usually the number one cause of lockouts in my environment.
    Friday, March 31, 2017 5:26 PM
  • I faced a somewhat similar issue in my environment a few months ago. The account was locking down automatically after a few minutes.

    The user had his email configured in Outlook and on his mobile through ActiveSync. So I asked him to shut down his PC and remove the email account from his mobile device.

    After that I changed the password, and this time it did not lock out.

    Then I asked him to configure it on the mobile again; after that there was still no issue. But as soon as he started the PC, the account was locked out again.

    So we knew it was from the PC. We asked him to scan the PC with antivirus and create a new Outlook profile; after these two things, the problem was solved.

    Friday, March 31, 2017 5:31 PM
  • Hi

    These are the possible causes of a lockout issue:
    -Mapped network drives
    -Logon scripts that map network drives
    -RunAs shortcuts
    -Accounts that are used for service account logons
    -Processes on the client computers
    -Programs that may pass user credentials to a centralized network program or middle-tier application layer
    -ActiveSync devices (cell phone, etc.)

    and you can check the source with the Account Lockout tools (for Server 2003): https://www.microsoft.com/en-us/download/details.aspx?id=15201
    New tools to troubleshoot this in Windows Server 2008 R2 are called dsac.exe, which is the "Active Directory Administrative Center". Check the article: https://blogs.technet.microsoft.com/askds/2011/04/12/you-probably-dont-need-acctinfo2-dll/
    Also you can check with these 3rd party tools: Lepide, Netwrix...

    Also you can configure advanced audit policy to find the source;

    https://technet.microsoft.com/en-us/library/dd408940%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


    This posting is provided AS IS with no warranties or guarantees,and confers no rights. Best regards Burak Uğur

    Friday, March 31, 2017 5:39 PM
  • Check the security logs on the DC to look for failed authentications. This should be able to guide you to the device culprit. You can also try using a sniffer or disabling suspected devices that the user has. This could be caused by:

    • A job that is trying to run using outdated credentials
    • A device trying to authenticate using outdated credentials and failing
    • A computer that has outdated credentials (this happens when external users use cached credentials to get into the PC and then try to authenticate against a DC. Often outside computers that have had passwords changed or expired then come into the domain over WiFi and use cached credentials to initially log in locally)
    • A virus or malware trying to use a dictionary attack
    • An attacker trying to crack the password using a dictionary attack.


    Miguel Fra
    Falcon IT Services
    https://www.falconitservices.com

     


    Friday, March 31, 2017 5:55 PM
  • Luis

    Were you able to find out the source of the lockout? The AD account has nothing to do with the lockout.

    Basically, you have to run lockoutstatus.exe from the Lockout tools, which you can download. Find which domain controller is showing the latest bad password. Obtain the security event log of that domain controller at that particular time. Find events 4625 or 4771 and/or 4740, and see the Client Address from it; that should be the source of the lockout.

    Let me know if you need more direction.

    Friday, March 31, 2017 9:07 PM
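The domain-controller side of the procedure described in the replies above (security logs on the DC, lockoutstatus-style search for the latest bad password, events 4740/4771/4625 and their client address), as an added example that is not part of the thread and not any tool the posters name. It assumes the RSAT ActiveDirectory module, permission to read the Security log on every domain controller, and that the "User Account Management", "Kerberos Authentication Service" and "Logon" audit subcategories are enabled there; `$SamAccountName` and `$Hours` are placeholders you supply.

```powershell
# Added example: find where a locked-out account's bad passwords are coming from.
# Assumes RSAT ActiveDirectory module and read access to the DCs' Security logs.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # placeholder: the locked-out account, e.g. 'luis'
    [int]$Hours = 24                                 # how far back to search
)
Import-Module ActiveDirectory

# 4740 (A user account was locked out) is always written on the PDC emulator,
# whichever DC actually received the bad passwords, so start there.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)

# Sanity check of the audit policy on the PDC (run manually; output is per subcategory):
#   Invoke-Command -ComputerName $pdc { auditpol /get /subcategory:"User Account Management" }

# Read the named EventData fields of an event; positional Properties[] indexes are easy to get wrong.
function Get-EventFields([System.Diagnostics.Eventing.Reader.EventRecord]$Event) {
    $d = @{}
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

# Step 1: 4740 on the PDC. The "Caller Computer Name" shown in Event Viewer is the TargetDomainName field.
Get-WinEvent -ComputerName $pdc -FilterHashtable @{LogName='Security'; Id=4740; StartTime=$since} -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.TargetUserName -eq $SamAccountName) {
            [pscustomobject]@{ Time=$_.TimeCreated; Event=4740; DC=$pdc; Source=$f.TargetDomainName; Detail='caller computer' }
        }
    } | Format-Table -AutoSize

# Step 2: the failed attempts themselves. 4771 (Kerberos pre-auth failed; Status 0x18 = wrong password) and
# 4625 (NTLM/interactive logon failed) are written on whichever DC handled the request, so walk every DC.
# IpAddress is the "Client Address" the replies refer to; 4625 also carries WorkstationName.
(Get-ADDomainController -Filter *).HostName | ForEach-Object {
    $dc = $_
    Get-WinEvent -ComputerName $dc -FilterHashtable @{LogName='Security'; Id=@(4771,4625); StartTime=$since} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = Get-EventFields $_
            if ($f.TargetUserName -ne $SamAccountName) { return }   # 'return' skips to the next event
            if ($_.Id -eq 4771 -and $f.Status -eq '0x18') {
                [pscustomobject]@{ Time=$_.TimeCreated; Event=4771; DC=$dc; Source=$f.IpAddress; Detail="pre-auth type $($f.PreAuthType)" }
            } elseif ($_.Id -eq 4625) {
                [pscustomobject]@{ Time=$_.TimeCreated; Event=4625; DC=$dc; Source=$f.IpAddress; Detail="workstation $($f.WorkstationName), logon type $($f.LogonType)" }
            }
        }
} | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, @{n='Source';e={$_.Name}},
                  @{n='First';e={($_.Group | Sort-Object Time)[0].Time}},
                  @{n='Last';e={($_.Group | Sort-Object Time)[-1].Time}} | Format-Table -AutoSize
```

The second table groups failures by source address, so a device that retries a stale password every hour shows up as one address with a count that grows by the lockout threshold each cycle. If the caller computer in 4740 is an Exchange or other application server rather than the user's PC, that server is relaying someone else's credentials (the ActiveSync case several replies mention), and the next step is that server's own logs, not the PC.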
  • Hello

    Log into the PDC and search for event ID 4740 and you should find the caller machine name; it is where the user/pass is cached and causing the problem.

    Thanks


    NA

    Friday, March 31, 2017 9:11 PM
  • 4740 -  A user account was locked out:
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740

    Have you checked on this computer (FPG.Gloabl) if the user has:

    A scheduled task which use his password?
    A service which uses his password?
    A mapped drive which uses his password?

    How to identify the source of Account Lockouts in Active Directory:
    https://www.lepide.com/how-to/identify-the-source-of-account-lockouts-in-active-directory.html

    Troubleshooting account lockout the Microsoft PSS way:
    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

    What are the common root causes of account lockouts and do I resolve them:
    https://www.lepide.com/blog/what-are-the-common-root-causes-of-account-lockouts-and-do-i-resolve-them/

    Thanks,

    Monday, April 3, 2017 6:15 AM
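The client-side checks suggested just above (scheduled tasks, services and mapped drives that still carry the user's old password) plus the cached/disconnected-session case raised earlier in the thread, as an added example that is not from the thread or from any linked tool. It runs from an admin workstation against the caller computer that event 4740 named; it assumes PowerShell remoting is enabled on that machine and that you are a local administrator there. `$ComputerName` and `$SamAccountName` are placeholders.

```powershell
# Added example: enumerate the usual on-box credential holders for one account.
# Assumes PowerShell remoting to $ComputerName and local admin rights there.
param(
    [Parameter(Mandatory)][string]$ComputerName,     # placeholder: caller computer from event 4740
    [Parameter(Mandatory)][string]$SamAccountName    # placeholder: the locked-out account
)

Invoke-Command -ComputerName $ComputerName -ArgumentList $SamAccountName -ScriptBlock {
    param($user)
    $pattern = [regex]::Escape($user)   # matches DOMAIN\user, user@domain and bare user

    # 1. Services configured to log on as the user; a stale password fails on every service start.
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $pattern } | ForEach-Object {
        [pscustomobject]@{ Type='Service'; Name=$_.Name; Account=$_.StartName; Detail=$_.State }
    }

    # 2. Scheduled tasks whose principal is the user; each trigger re-authenticates with the stored password.
    Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $pattern } | ForEach-Object {
        [pscustomobject]@{ Type='ScheduledTask'; Name=($_.TaskPath + $_.TaskName); Account=$_.Principal.UserId; Detail=$_.State }
    }

    # 3. Persistent mapped drives in every loaded user hive (HKU\<SID>\Network\<letter>).
    #    A drive mapped with explicit, now-outdated credentials retries at every reconnect.
    #    Only hives of currently logged-on users are loaded, which is exactly the population we care about.
    Get-ChildItem 'Registry::HKEY_USERS\*\Network\*' -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [pscustomobject]@{ Type='MappedDrive'; Name=($_.PSChildName + ':'); Account=$p.UserName; Detail=$p.RemotePath }
    }

    # 4. Interactive sessions still open on this box. A disconnected session that predates the password
    #    change keeps presenting the old password (the "cached credentials" case from the thread).
    (quser 2>$null) | Select-Object -Skip 1 | ForEach-Object {
        $line = ($_ -replace '^\s*>?\s*', '').Trim()   # strip the '>' marking the current session
        $f    = $line -split '\s{2,}'
        [pscustomobject]@{ Type='Session'; Name=$f[0]; Account=$f[0]; Detail=$line }
    } | Where-Object { $_.Account -match $pattern }
} | Sort-Object Type | Format-Table Type, Name, Account, Detail -AutoSize
```

Anything listed under Service or ScheduledTask has the password stored in the OS and needs to be updated or re-pointed to a managed service account; a MappedDrive row with a non-empty Account means the mapping was made with explicit credentials and should be removed and recreated; a Session row in the "Disc" state is the one to log off before testing again. Credential Manager entries are per user and are not visible from a remoting session, so check those (`cmdkey /list`) while logged on as the affected user.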
  • Hi Luis,

    Just checking in to see if the information provided was helpful. If the replies above are helpful, we would appreciate it if you marked them as answers. Please let us know if you would like further assistance.

    Best Regards,

    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, April 7, 2017 9:01 AM
    Moderator