User Account Keeps Locking Out for No Reason

    Question

    Hello, I have a user that is getting locked out 9 or 10 times a day for no reason. We have reset her password, changed it back to her old password, disabled and enabled her user account, reset her computer account, renamed her PC, rejoined the PC to the domain, restarted the PC and still no matter what she gets locked out even when she is not asked for her password. Windows 2000 domain, Win XP box. Any suggestions?
    Wednesday, July 23, 2008 1:31 PM

Answers

  • This is more of an AD problem to solve than it is an ILM problem. I would suggest a tool like MOM or EventComb that can aggregate Security Event logs across your domain controllers. You are looking for the Account Lockout events (529, 644, 675, 676, and 681) and once you pull all of those events into a single view you can search for all events (or filter to begin with) that pertain to that specific user. In the events you will see the IP address of the system that caused the lockout event to happen. You need to identify the system and the time in order to narrow down whether or not it is a specific application or something like an orphaned remote session (i.e. TS/Citrix).
    The most common cause of phantom lockouts is a hung remote session somewhere. The user remains logged in after their password has expired and the password gets reset; however in the original session the original password is still cached and once the Kerberos session ticket expires it tries to renew it causing the lockout.
    Other causes of lockouts include hard coded credentials in:

    • logon scripts & command files (BAT, CMD, VBS, KIX, etc)
    • scheduled tasks

    You can find EventCombMT in the Account Lockout Tools downloadable package. AcctInfo.dll and Alockout.dll are also very helpful - see the accompanying documentation.

    Wednesday, July 23, 2008 2:38 PM
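The event-correlation step the answer above describes, as an added example that is not part of the thread and is not the EventComb tool it recommends: a PowerShell function that asks every domain controller for lockout events on one account and reports which computer each lockout was reported from, so the hunt can move to that machine. It assumes the ActiveDirectory module (RSAT) on a domain-joined machine with rights to read the DCs' Security logs, and DCs on Windows Server 2008 or later, where the lockout event is Security ID 4740 (the successor of the 644 event listed above; on older DCs the same idea works with Get-EventLog and InstanceId 644). The function name and the sample account name are my own.

```powershell
# Added example, not code from the thread. Requires RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-AccountLockoutSource {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,   # account being locked out
        [int]$Hours = 24                                   # how far back to look
    )

    $since = (Get-Date).AddHours(-$Hours)
    $dcs   = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

    foreach ($dc in $dcs) {
        try {
            # 4740 = "A user account was locked out" (Windows Server 2008+).
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
                LogName   = 'Security'
                Id        = 4740
                StartTime = $since
            } -ErrorAction Stop
        } catch {
            # Get-WinEvent raises an error when nothing matches; treat that as "no lockouts here".
            Write-Verbose "No lockout events on $dc since $since ($($_.Exception.Message))"
            continue
        }

        foreach ($e in $events) {
            # The message has two "Account Name:" fields (the DC under Subject, then the
            # locked account), so anchor on the "Account That Was Locked Out" section.
            if ($e.Message -notmatch '(?s)Account That Was Locked Out:.*?Account Name:\s*(?<user>\S+)') { continue }
            $locked = $Matches.user
            if ($locked -ne $SamAccountName) { continue }

            # "Caller Computer Name" is the machine that sent the bad password to this DC.
            $caller = if ($e.Message -match 'Caller Computer Name:\s*(?<caller>\S+)') { $Matches.caller } else { '<unknown>' }

            [pscustomobject]@{
                Time             = $e.TimeCreated
                DomainController = $dc
                LockedAccount    = $locked
                CallerComputer   = $caller
            }
        }
    }
}

# Usage (sample account name is made up): list every lockout in the last day, then
# count them per calling computer so the noisiest source stands out.
$lockouts = Get-AccountLockoutSource -SamAccountName 'jsmith' -Hours 24
$lockouts | Sort-Object Time | Format-Table -AutoSize
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'CallerComputer'; e = { $_.Name } }
```

The caller computer plus the timestamps is what the answer means by "identify the system and the time": a caller that is a terminal server or Citrix host points at a hung session, a workstation the user no longer sits at points at cached credentials, and lockouts that recur at a fixed interval point at a scheduled task or service.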

All replies

  • OK, thank you very much for your response. I think I figured it out with this tool: http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
    Again, thank you very much!

    Wednesday, July 23, 2008 8:02 PM
  • Sometimes it can also get locked out if someone maps something such as a printer on another person's account. Then once the user changes their password, the mapped printer keeps trying to map the printer using the old password. Once you locate the computer that it is happening on, run in a bat or open a command prompt and type this string: rundll32.exe keymgr.dll, KRShowKeyMgr . This opens up a stored user names and passwords window (xp) and will show any existing connection tied to the account. Then you can identify the connection and remove it. Hope this helps.

    Monday, May 11, 2009 6:34 PM
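Once the DC events have named a computer, the reply above opens the stored-credentials dialog on it by hand. As an added example that is not from the thread, the script below does the same sweep from PowerShell and also covers the other places the accepted answer lists (scheduled tasks, services, mapped drives, disconnected sessions). It is meant to run as a local administrator on the identified workstation or terminal server, uses only built-in tools (cmdkey, schtasks, query session, WMI), and the $Account value is an input you supply.

```powershell
# Added example, not code from the thread. Run on the machine that the DC lockout
# events name as the caller, to list where a stale password for $Account may be cached.
param([Parameter(Mandatory)] [string]$Account)   # e.g. 'jsmith' or 'CONTOSO\jsmith' (sample names)

$pattern  = [regex]::Escape(($Account -split '\\')[-1])   # match on the bare user name
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Source, $Detail) {
    $findings.Add([pscustomobject]@{ Source = $Source; Detail = $Detail })
}

# 1. Credential Manager entries: the same store that keymgr.dll,KRShowKeyMgr displays.
#    Note: cmdkey only lists entries of the user running this script (see usage note).
cmdkey /list 2>$null | Where-Object { $_ -match $pattern } |
    ForEach-Object { Add-Finding 'Credential Manager' $_.Trim() }

# 2. Mapped network drives and the account each was mapped with.
Get-WmiObject Win32_NetworkConnection | Where-Object { $_.UserName -match $pattern } |
    ForEach-Object { Add-Finding 'Mapped drive' "$($_.LocalName) -> $($_.RemoteName) as $($_.UserName)" }

# 3. Services configured to log on as the account (hard-coded credentials).
Get-WmiObject Win32_Service | Where-Object { $_.StartName -match $pattern } |
    ForEach-Object { Add-Finding 'Service' "$($_.Name) runs as $($_.StartName) (state: $($_.State))" }

# 4. Scheduled tasks whose "Run As User" is the account.
schtasks /query /v /fo CSV 2>$null | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $pattern } |
    ForEach-Object { Add-Finding 'Scheduled task' "$($_.TaskName) runs as $($_.'Run As User')" }

# 5. Disconnected interactive / RDP sessions still holding a logon with the old password.
query session 2>$null | Where-Object { $_ -match $pattern -and $_ -match 'Disc' } |
    ForEach-Object { Add-Finding 'Disconnected session' $_.Trim() }

if ($findings.Count -eq 0) {
    "No cached references to '$Account' found on $env:COMPUTERNAME."
} else {
    $findings | Format-Table -AutoSize
}
```

Credential Manager entries and printer connections are stored per user profile, so for the Credential Manager check run the script (or the rundll32 command from the reply) inside the locked-out user's own session; the service, scheduled-task and session checks are machine-wide and work from any administrator logon. Remove or update whatever the sweep finds, then confirm with the DC events that the lockouts stop.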
  • I know it's an old post, but it seems to be very popular and referred from several places. I would like to recommend our own tool (sorry for this shameless vendor plug) for account lockout troubleshooting called NetWrix Account Lockout Examiner, which performs many of the checks mentioned above fully automatically. For example, it checks for stale credentials of service accounts and scheduled tasks, disconnected remote desktop sessions, mapped network drives, analyzes logons etc.

    Thursday, December 27, 2012 5:27 PM