Domain Account Keeps on Locking

Question
-
Hi,
I have a domain account configured on Windows 2012 Server to run a service. Recently I have changed the domain account password. Also the password on service logon changed. But after changing the password, my account keeps on locking. As per the logs, the service is the culprit. But I am sure the service is updated with new password and also I can start the service too after unlocking the account. I have tried to delete the entire user profile under C:\Users folder after stopping the service. But when deleting the folder, I am getting a message like the folder is in use. I haven't shared the folder and nothing is running from the folder. I could see the folders - C:\Users\User Name\AppData\Local\Microsoft\Credentials and C:\Users\UserName\AppData\Roaming\Microsoft\Credentials are access denied. I have tried to remove the profile from Registry - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList. Now the user profile is removed from the System Properties/User Profile. Earlier the profile was listed there and a ' ? ' was showing under the profile file size. Still I can't remove the profile folder from C:\Users folder. Can someone help to remove the folder? I suspect something on the corrupted folder is causing the account lockout.
Thanks
Unnikrishnan
Tuesday, June 14, 2016 12:34 PM
Answers
-
It's probably best we wait for a restart and then see if the issue persists. I don't see the point in troubleshooting this further until we have restarted the box.
If you still have the issue after the restart then go with step 2, stop the service, unlock the account and see if it locks.
In either case, some downtime is required to allow you to investigate further even if the restart does not solve this.
- Proposed as answer by Cartman Shen (Microsoft contingent staff) Wednesday, July 6, 2016 8:39 AM
- Marked as answer by Cartman Shen (Microsoft contingent staff) Thursday, July 7, 2016 2:03 AM
Tuesday, June 14, 2016 4:43 PM -
Agreed with Mikee.
By the way, I will add here an informative article to check if it helps you to resolve the concern - https://community.spiceworks.com/how_to/128213-identify-the-source-of-account-lockouts-in-active-directory
- Proposed as answer by Cartman Shen (Microsoft contingent staff) Wednesday, July 6, 2016 8:39 AM
- Marked as answer by Cartman Shen (Microsoft contingent staff) Thursday, July 7, 2016 2:03 AM
Wednesday, June 15, 2016 4:55 AM
All replies
-
I am not seeing how a profile could cause this. Most likely cause is because "something" is trying to authenticate using your old login details. You need to find this "something" and reconfigure it.
If you have configured another service to start using your account details, removing the profile folder will not stop that service trying to use those details.
Perhaps you have another networked machine that uses the server as a file share, and you have saved your login details on that? That separate machine will continue to try and login using your old login details and lock your account out.
As a general rule you should never use a user account for starting services, you should use a dedicated account for starting services so you do not end up in this, unfortunately rather common, scenario.
Tuesday, June 14, 2016 1:19 PM -
I suspect the profile since I can't delete the folder or even get the permission to take the ownership. Also shown error in profile under System Properties. Seems something has locked in Profile folder. I can't open the credentials folder inside AppData. Even I can't take the permission to change the ownership. The account lockout caller computer name shows as the same one and the logs say it's a service.
Tuesday, June 14, 2016 1:37 PM -
To lockout an account, you must repeatedly fail to use the right login credentials. This means that "something" is trying to authenticate as that user. Without failed authentication, the account cannot lock.
Have you checked that no other services are also using this login that may be failing to start?
There are lots of files that you cannot easily remove, this does not mean they are causing a problem.
I will watch this thread to see how it develops but as far as I am concerned, you are wasting time on this when you should be looking for what is actually causing this issue in my opinion.
Tuesday, June 14, 2016 2:08 PM -
No other services are running with this account. Also I can confirm the password has been properly updated on the service logon field.
Why I am suspecting the profile is, I can get in to the credentials folder in all other user profile folders. But for this account I can't. I have different services running on this server with different domain accounts. All profile folders are fine. Except this.
Is there any way to take the ownership of this folder ? I tried the normal practice , but it doesn't help.
Tuesday, June 14, 2016 2:17 PM -
I tend to agree with MikeeMiracle. The only thing I am aware of that can cause an account lockout is configuring a threshold and then bypassing it. Here is an old TechNet article (https://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx) that provides hints at how to troubleshoot account lockout issues. Yes, it is old, but the information is still valid.
. : | : . : | : . tim
Tuesday, June 14, 2016 2:36 PM -
I have worked so many account lockout issues. So it's a usual practice for me. Here it's something different and vague. Totally confused. Usually I could understand which service or which application causes the bad password from the logs. But here all the logs point to the service. But I'm sure the password has been updated. Otherwise I can't even start the service. Also usually I can remove the entire profile folder after logging out the user session (if there) or after stopping the service. Here I can't even take the ownership of the folder.
Do we know what exactly is saved in Credentials folder under appdata/Microsoft folder? Also why I'm not getting the access.
Tuesday, June 14, 2016 2:52 PM -
I still think you're wasting your energy by focusing on this folder but...
1) Do you notice anything else that stops working after the account is locked out? That might point you in the right direction.
2) Try unlocking the account but DO NOT start the service, if the account locks shortly afterwards then it cannot be that service that is causing this.
3) You have rebooted the server since this started happening in case any old processes are "stuck" in memory?
If all else fails and you cannot find the cause, do you "have" to use this account for anything? Could the account not be retired and you start using a different account with a different name going forward? If you don't notice anything after point 1 above then it would be a safe option.
- Edited by MikeeMiracle Tuesday, June 14, 2016 3:05 PM
Tuesday, June 14, 2016 3:03 PM -
1) No - Also the service continues as running. But if I stop it I can't start.
2) It's difficult to keep the service stopped for long time as it's affecting the production.
3) Not yet, waiting for permission from the Server owner.
Tuesday, June 14, 2016 4:37 PM -
Account lockout has been discussed on this forum quite a few times.
Here's what I remember from the suggestions before:
- service using old password
- scripts using old password to login or start
- mobile devices using old credentials
- old printers or any hardware devices set with the old password
- malware or virus, using brute force attack or password guessing (hopefully not of course)
- other possibilities bing or google is your friend.
- check the logs and check the logon IP where the login is initiated
- last but not the least keep a record for all your services or devices that uses admin password
Good luck!
Every second counts..make use of it. Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
Wednesday, June 15, 2016 8:46 AM
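
Several replies advise checking the logs to see where the failed logons originate. As an added example (not posted by anyone in this thread), the PowerShell function below summarizes event 4625 (failed logon) records for one account by logon type, calling process and source. The account name `svc-app`, the host `APP01` and the sample events are constructed for illustration.

```powershell
# Added example: summarize failed logons (event 4625) for one account.
# Logon types as documented for event 4625.
$LogonTypes = @{ 2='Interactive'; 3='Network'; 4='Batch'; 5='Service'; 7='Unlock';
                 8='NetworkCleartext'; 10='RemoteInteractive'; 11='CachedInteractive' }

function Get-FailedLogonSummary {
    param(
        [Parameter(Mandatory)] [string[]] $EventXml,  # one string per event, from $event.ToXml()
        [Parameter(Mandatory)] [string]   $Account
    )
    $rows = foreach ($x in $EventXml) {
        $evt = ([xml]$x).Event
        if ($evt.System.EventID -ne '4625') { continue }
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -ne $Account) { continue }
        [pscustomobject]@{
            LogonType = $LogonTypes[[int]$d.LogonType]
            Process   = $d.ProcessName
            Source    = "$($d.WorkstationName) $($d.IpAddress)"
            SubStatus = $d.SubStatus   # 0xC000006A = wrong password, 0xC0000234 = locked out
        }
    }
    # The largest group is the most frequent source of bad-password attempts.
    $rows | Group-Object LogonType, Process, Source, SubStatus |
        Sort-Object Count -Descending | Select-Object Count, Name
}

# Constructed sample events (trimmed to the fields used above).
$tmpl = "<Event xmlns='http://schemas.microsoft.com/win/2004/08/events/event'>" +
        "<System><EventID>4625</EventID></System><EventData>" +
        "<Data Name='TargetUserName'>{0}</Data><Data Name='LogonType'>{1}</Data>" +
        "<Data Name='ProcessName'>{2}</Data><Data Name='WorkstationName'>{3}</Data>" +
        "<Data Name='IpAddress'>{4}</Data><Data Name='SubStatus'>{5}</Data>" +
        "</EventData></Event>"
$sample = @(
    ($tmpl -f 'svc-app', 4, 'C:\Windows\System32\svchost.exe',  'APP01', '-', '0xc000006a'),
    ($tmpl -f 'svc-app', 4, 'C:\Windows\System32\svchost.exe',  'APP01', '-', '0xc000006a'),
    ($tmpl -f 'svc-app', 5, 'C:\Windows\System32\services.exe', 'APP01', '-', '0xc000006a'),
    ($tmpl -f 'other',   3, '-',                                'WS07',  '10.0.0.7', '0xc000006a')
)
Get-FailedLogonSummary -EventXml $sample -Account 'svc-app'

# Live use on the caller computer, from an elevated prompt:
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4625} -MaxEvents 500 |
#        ForEach-Object { $_.ToXml() }
# Get-FailedLogonSummary -EventXml $xml -Account 'svc-app'
```

With the constructed input, the Batch group (two events) sorts ahead of the Service group (one event), and the event for the other account is filtered out.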