AD accounts randomly locking out

  • Question

  • Alright, so I have had this issue ever since I started at my current company, and have actually never seen this before.  All our clients are Windows 7 with all servers being Windows 2008 Server Standard and R2.  All service packs and updates/patches applied.

    So there are a handful of users that at one point or another have their AD accounts lock out while they are not even at their computers.  They might be away at lunch and come back and their account is locked.  They could also be working on their computer, and as they are working they realize Outlook has disconnected from Exchange because their account has become locked.  Sometimes this can happen MANY times a day, and sometimes a user can go days in between lockouts.

    There is absolutely no rhyme or reason to when this happens, and I can tell you that their accounts are not getting locked out because of failed login attempts.  It just happens.......with no user intervention.

    The only temporary fix I have is to have the user log out, then go to switch user - other user and then log in "fresh".  And this fix sometimes works for days, sometimes weeks, sometimes it permanently fixes a user, and then sometimes it only fixes it for a few hours.

    Does anyone have ANY idea what the problem could be?

    Tuesday, February 7, 2012 7:45 PM


    • Proposed as answer by Meinolf Weber Tuesday, February 7, 2012 8:19 PM
    • Marked as answer by Rick Tan Friday, February 17, 2012 5:33 AM
    • Edited by Marcin PolichtMVP Friday, November 9, 2012 11:25 PM
    Tuesday, February 7, 2012 7:58 PM
  • Hi,

    There may be many causes for an account being locked out.
    • user's account in stored user names and passwords
    • user's account tied to a persistent mapped drive
    • user's account as a service account
    • user's account used as an IIS application pool identity
    • user's account tied to a scheduled task
    • un-suspending a virtual machine after a user's pw has changed

    For more, refer to the KB article: http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx

    Check if the computer is infected by viruses. Read this KB about the Win32/Conficker worm: http://support.microsoft.com/kb/962007

    Try Netwrix tool to find out account lockout.

    If the user id is getting frequently locked out, use the Eventcomb LockoutStatus.exe to determine which DC it is being locked out upon, then examine the security log of that domain controller to determine the member server or workstation it is occurring on. You can then check scheduled tasks/services to nail it down, or log the user out of the system identified if logged in.

    Take a look at this blog from about account lockouts, goes over some good Microsoft tools

    Sometimes the network trace will be the most helpful piece to figure out where the lockout is coming from. Is this a normal user or could this account be used on a service somewhere?

    Refer to the link below for more steps on troubleshooting account lockout.


    Hope this helps.


    Abhijit Waikar - MCSA 2003|MCSA 2003:Messaging|MCTS|MCITP:SA

    Tuesday, February 7, 2012 8:12 PM
  • It could be a prankster doing it. I remember there was this one guy that kept using my workstation after I left for the day. I would have a utility running to gather info overnight, expecting to see the results in the morning. This guy would turn my workstation off, then log himself in. Of course he would log out, but I can see his name as the last logged on user. So what I did for 3 days straight, is just put any old thing in the password field and hit enter, for 3 times, locking his account. I saw him later on and asked, hey, any problems with your account? Yea, how did you know. I told him, and just kind of laughed over it saying my workstation just happened to be convenient to use. I said if you need my workstation, no problem, just text or call me to ask to make sure I have nothing running on it.

    As for your random issues, maybe a prankster could be doing just this. You would need to enable auditing to get the user account failure with what IP address it's coming from, assuming it's from a different workstation.

    Another possibility is that the account is being used for a service, but the password isn't getting manually changed when the account password changes. You'll want to check the machine of that user to verify that. You can dump the service account credentials into a text file to see if anything's up with that. See the batch file at the bottom of this post.



    One more possibility is malware or a virus, such as the Conficker virus, which can also result in lockouts:

    Virus alert about the Win32/Conficker.B worm:

    Conficker Worm: Help Protect Windows from Conficker

    It comes down to that you'll have to do some digging. There is no easy way to pinpoint it to one specific thing that could be causing it.



    You can use the following tools and methods (EventCombMT & LockOutStatus.exe) to help pinpoint it.

    Paul Bergson's User Account Lockout Troubleshooting

    Account Lockout Tools

    Account Lockout and Management Tools - Download tools that you can use to troubleshoot account lockouts, as well as add functionality to Active Directory.

    You can also set the debug flag on NetLogon to track authentication.  "This creates a text file on the PDC that can be examined to determine which clients are generating the bad password attempts."
    Enabling debug logging for the Net Logon service

    Using the checked Netlogon.dll to track account lockouts

    Limiting a user's concurrent connections in Windows Server 2003

    How to use the EventCombMT utility to search event logs for ...This article describes how to use the EventCombMT utility (EventCombmt.exe) to search the event logs of multiple computers for account lockouts.

    EventCombMT.exe - A Good Tool To Collect Event Logs



    You can dump your service account credentials with the following batch file on all DCs or any other machine that you suspect a service is using the account name in question.

    Save it as whatever.bat, and run it. In Windows 2008 or newer, run it as an administrator.
    @echo off
    reg query "HKLM\SYSTEM\CurrentControlSet\Services" /s | find /i "objectname" >services.txt
    notepad services.txt


    Ace Fekay
    MVP, MCT, MCITP Enterprise Administrator, MCTS Windows 2008 & Exchange 2007 & Exchange 2010, Exchange 2010 Enterprise Administrator, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This posting is provided AS-IS with no warranties or guarantees and confers no rights.


    • Edited by Ace Fekay [MCT] Tuesday, February 7, 2012 8:16 PM
    • Proposed as answer by Meinolf Weber Tuesday, February 7, 2012 8:19 PM
    • Marked as answer by Rick Tan Friday, February 17, 2012 5:34 AM
    Tuesday, February 7, 2012 8:14 PM
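
The replies above suggest enabling Netlogon debug logging and examining the resulting text file to see which clients generate the bad password attempts. The following is an added example, not code from either poster, that tallies those attempts per source machine for one account. The line layout in the comment, the domain, the user names and the host names are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter

# NTSTATUS values Netlogon logs for the two failures that matter here
# (keys are upper-cased so the lookup is case-insensitive).
REASONS = {"0XC000006A": "bad password", "0XC0000234": "account locked out"}

# Assumed netlogon.log layout (debug logging enabled on the DC):
#   MM/DD HH:MM:SS [LOGON] SamLogon: <type> logon of DOMAIN\user from HOST (via SERVER) Returns 0x...
# HOST can be blank on relayed logons, so the relaying server is kept as a fallback.
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) .*?SamLogon: .*?logon of (?P<account>\S+)"
    r" from (?P<host>[^\s(]*)(?: \(via (?P<via>[^)]+)\))? Returns (?P<status>0x[0-9A-Fa-f]+)$"
)

def failed_logons(lines, account):
    """Yield (timestamp, source, reason) for failed logons of one account."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["account"].lower() != account.lower():
            continue  # "Entered" lines, other accounts, unrelated entries
        reason = REASONS.get(m["status"].upper())
        if reason:
            source = m["host"] or "via " + (m["via"] or "unknown")
            yield m["ts"], source, reason

def bad_password_sources(lines, account):
    """Rank source machines by bad-password attempts for the account."""
    counts = Counter(src for _, src, why in failed_logons(lines, account)
                     if why == "bad password")
    return counts.most_common()

# Constructed sample lines (hypothetical domain, users and hosts).
SAMPLE = r"""
02/07 12:01:10 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS-042 Entered
02/07 12:01:10 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS-042 Returns 0xC000006A
02/07 12:01:40 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS-042 Returns 0xC000006A
02/07 12:02:05 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\jdoe from  (via EXCH01) Returns 0xC000006A
02/07 12:02:31 [LOGON] SamLogon: Network logon of EXAMPLE\asmith from WKS-007 Returns 0x0
02/07 12:02:40 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS-042 Returns 0xC0000234
""".strip().splitlines()

if __name__ == "__main__":
    for source, n in bad_password_sources(SAMPLE, r"EXAMPLE\jdoe"):
        print(f"{source}: {n} bad-password attempts")
```

The machine at the top of the ranking is the one to check for the causes listed in the replies: stored credentials, persistent mapped drives, services and scheduled tasks running under the user's account.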
