Frequent domain Account lockout issue

  • Question

  • Hi everyone, this is Vinay. I have an issue with my domain account getting locked frequently; please find the log details below. I request you to help me.

    An account failed to log on.

    Subject:

    Security ID: NULL SID

    Account Name: -

    Account Domain: -

    Logon ID: 0x0

    Logon Type: 3

    Account For Which Logon Failed:

    Security ID: NULL SID

    Account Name: 20596

    Account Domain:  xxxxxxxxx

    Failure Information:

    Failure Reason: Account locked out.

    Status: 0xc0000234

    Sub Status: 0x0

    Process Information:

    Caller Process ID: 0x0

    Caller Process Name: -

    Network Information:

    Workstation Name: PSE-FF-SA

    Source Network Address: x.x.x.41

    Source Port: 59345

    Detailed Authentication Information:

    Logon Process: NtLmSsp

    Authentication Package: NTLM

    Transited Services: -

    Package Name (NTLM only): -

    Key Length: 0

    This event is generated when a logon request fails. It is generated on the computer where access was attempted.

    The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

    The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

    The Process Information fields indicate which account and process on the system requested the logon.

    The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

    The authentication information fields provide detailed information about this specific logon request.

    - Transited services indicate which intermediate services have participated in this logon request.

    - Package name indicates which sub-protocol was used among the NTLM protocols.

    - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.

    ----------------------------------------------------------------------

    The account is getting locked out frequently even though I'm not using it. Please help me find a solution to this issue.

    Thanking you all in advance

    ----------------------------------------------------------------------

    The latest information I have found regarding the issue is that the account is getting locked out every five minutes, as observed in the security audit logs; details below.

    The computer attempted to validate the credentials for an account.

    Authentication Package:            MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

    Logon Account:            20596

    Source Workstation:      PSE-FF-SA

    Error Code:       0xc0000234

    As per the replies below, I checked the services running with the user account that is getting locked and found none.


    • Edited by chvkvarma Thursday, May 10, 2012 8:49 AM update
    Wednesday, May 9, 2012 6:37 PM
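The two log extracts above (a 4625 on the target host and a 4776 on the DC, both with status 0xc0000234) are the raw material for finding the source. As an added example, not code from anyone in this thread, the following PowerShell pulls the lockout-related events for one account from a domain controller's Security log, normalises the per-event field names and reports which machine the bad credentials come from and how regular the lockouts are. It assumes an elevated session, that $DC points at the PDC emulator, and placeholder values for the account name and look-back window.

```powershell
# Added example, not code from any poster in this thread. Pulls the lockout-related
# events for one account from a domain controller's Security log, normalises the
# per-event field names, and reports where the bad credentials come from and how
# regular the lockouts are (the thread saw one every five minutes).
# Assumptions: run elevated; $DC is the PDC emulator (every lockout is forwarded to
# it); the account name and look-back window below are placeholders.

$Account = '20596'      # locked-out account from the thread
$DC      = 'localhost'  # or the PDC emulator's host name
$Hours   = 24

# 4740 = account locked out (logged on the DC that locked it)
# 4776 = NTLM credential validation; Error Code 0xc0000234 = STATUS_ACCOUNT_LOCKED_OUT
# 4625 = failed logon on the machine where access was attempted (the question's event)
$filter = @{
    LogName   = 'Security'
    Id        = 4740, 4776, 4625
    StartTime = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Flatten the <EventData><Data Name="..."> elements into a hashtable
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

    # The "where did it come from" field has a different name in each event
    switch ($e.Id) {
        4740 { $src = $d.TargetDomainName; $status = 'LOCKED OUT' }  # holds the caller computer name
        4776 { $src = $d.Workstation;      $status = $d.Status }
        4625 { $src = $d.WorkstationName;  $status = $d.Status }
    }
    if ($d.TargetUserName -ne $Account) { continue }

    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Source  = $src
        Status  = $status
        IP      = $d.IpAddress   # populated on 4625 only
    }
}
$rows = @($rows | Sort-Object Time)

"== Events for $Account by source machine =="
$rows | Group-Object Source | Select-Object Name, Count | Format-Table -AutoSize

"== Lockout (4740) cadence =="
# A fixed interval points at a service, scheduled task or polling client
# retrying with a stale password rather than at a person typing it.
$lockouts = @($rows | Where-Object EventId -eq 4740)
for ($i = 0; $i -lt $lockouts.Count; $i++) {
    $gap = if ($i -eq 0) { [timespan]::Zero } else { $lockouts[$i].Time - $lockouts[$i-1].Time }
    '{0:u}  {1,-20}  +{2:hh\:mm\:ss}' -f $lockouts[$i].Time, $lockouts[$i].Source, $gap
}
```

If the 4740 events show a different DC than the one you queried, rerun the script against that DC: 4776 and 4625 stay on the host that logged them.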

All replies

  • Vinay,

    It seems this is an issue with only one user account. If this is the case, then:

    You can use the Microsoft Lockout Status tool to get the information on when the user account got locked (date and time).

    Apart from this you will also get information like on which DC the account got locked, how many bad passwords, AD site, etc.

    This is a very helpful tool. Using this we can check from which computer the user account is getting locked.

    You can download the tool from below link.

    http://www.microsoft.com/download/en/details.aspx?id=15201

    Troubleshooting Active directory Lockout Issue.

    http://msexchangeguru.com/2012/03/08/ad-lockout/

    Once you get the computer account information on which the user account is getting locked, then make sure none of the services or scheduled tasks are running on that computer with that user account.

    Additionally, refer to the threads below, which discuss the same problem:

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/cddbf977-b98f-4783-8226-ebddab54d002/

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/fdac3589-886c-4ba7-a49e-6a5e227679c7

    Regards,

    _Prashant_

     


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    • Marked as answer by Lawrence,Lu Thursday, May 17, 2012 1:25 AM
    Wednesday, May 9, 2012 6:52 PM
  • Hello,

    Generally, this is caused by:

    • A service / application which is running under this account with a wrong password
    • A virus
    • A brute force or dictionary attack
    • ...

    For troubleshooting, you can try to identify the source computer and then perform a full scan on it and check if there is a service / application which is running under this account with a wrong password.

    Read also Paul's article: http://blogs.dirteam.com/blogs/paulbergson/archive/2012/04/23/user-account-lockout-troubleshooting.aspx


    This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Microsoft Student Partner 2010 / 2011
    Microsoft Certified Professional
    Microsoft Certified Systems Administrator: Security
    Microsoft Certified Systems Engineer: Security
    Microsoft Certified Technology Specialist: Windows Server 2008 Active Directory, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Network Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows Server 2008 Applications Infrastructure, Configuration
    Microsoft Certified Technology Specialist: Windows 7, Configuring
    Microsoft Certified Technology Specialist: Designing and Providing Volume Licensing Solutions to Large Organizations
    Microsoft Certified IT Professional: Enterprise Administrator
    Microsoft Certified IT Professional: Server Administrator
    Microsoft Certified Trainer

    • Marked as answer by Lawrence,Lu Thursday, May 17, 2012 1:25 AM
    Wednesday, May 9, 2012 7:10 PM
  • Do you have a persistent drive mapping and have you changed your password since mapping the drive? If so, delete and re-map the drive and this should fix the problem. Cheers
    Wednesday, May 9, 2012 7:19 PM
  • In addition to the suggestions given to use the ALSTools or a mapped drive, sometimes as a quick attempt to see what's going on, and I know this is too simplistic, but I'll simply disable the account and wait to see who calls in complaining that something's not working.

    And based on what MrX posted, if you have MOM or SCOM, when you disable the account, you'll see a notification for some sort of app or service failure that is using the account as its logon credentials, but when the account's password was updated/changed, someone forgot to update the app or service with the new password.



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.



    Wednesday, May 9, 2012 9:40 PM
  • Hi Vinay,

    You've actually got the most critical piece of information already contained within the event log entry you posted: the workstation (or server) name. In this instance it's listed as PSE-FF-SA.

    What you can do from here is:

    • Log onto that machine either directly or via RDP;
    • Launch Task Manager, view all processes (you will need to be a local administrator to be able to do this) then sort them by the User Name column;
    • Look for any processes running under the locked account, which using your first post as the source appears to be "20596";
    • Also check the Users tab just to make sure that user isn't logged onto the workstation, as it might be as simple as they never logged off then logged onto another PC later from which they changed their password.

    If you find the process, you can probably figure out whether it's a service, application or scheduled task (at least, if it's currently executing).

    If you do not find any processes under that username then you can check the following areas:

    • Control Panel\Credential Manager;
    • Any mapped drives that use the "with credentials" option (just disconnect them all and reconnect them if need be).

    If it's only happening when someone is logged on to that workstation, it's probably going to be Credential Manager or a mapped drive. If it's happening even when nobody is logged onto that workstation, then it will likely be a service.

    Cheers,
    Lain

    • Edited by Lain Robertson Thursday, May 10, 2012 12:03 AM Added administrative requirement clarification.
    • Marked as answer by Lawrence,Lu Thursday, May 17, 2012 1:25 AM
    Thursday, May 10, 2012 12:02 AM
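The checklist in the answer above (processes, Users tab, Credential Manager, mapped drives) can be run in one go. As an added example, not code from Lain or anyone else in the thread, this PowerShell script enumerates each of those places on the source workstation, plus services and scheduled tasks configured to run as the account. It assumes a local administrator session on that machine and a placeholder account name; it uses schtasks rather than Get-ScheduledTask so it also runs on Windows 7 / 2008 R2 hosts.

```powershell
# Added example, not code from the thread. Runs the checklist above on the source
# workstation (PSE-FF-SA in the thread): processes, services, scheduled tasks,
# logged-on sessions, mapped drives and Credential Manager entries that reference
# the locked-out account. Assumptions: run as a local administrator on that machine;
# the account name is a placeholder. Credential Manager and mapped drives are
# per-user, so those two checks must be repeated inside each user's own session.

$Account = '20596'
# Matches "20596", "DOMAIN\20596", ".\20596" and "20596@domain.tld"
$AcctRx  = "(^|\\)$([regex]::Escape($Account))(@|$)"

"== Processes running as $Account =="
Get-CimInstance Win32_Process | ForEach-Object {
    $o = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
    if ($o.User -eq $Account) {
        [pscustomobject]@{ PID = $_.ProcessId; Name = $_.Name; User = "$($o.Domain)\$($o.User)" }
    }
} | Format-Table -AutoSize

"== Services configured to log on as $Account =="
# A service with a stale password fails at start and keeps retrying; the DC then
# sees NTLM validation failures from this host at a fixed interval.
Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $AcctRx } |
    Select-Object Name, State, StartMode, StartName | Format-Table -AutoSize

"== Scheduled tasks that run as $Account =="
# schtasks rather than Get-ScheduledTask so this also works on Windows 7 / 2008 R2
schtasks /query /v /fo CSV | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $AcctRx } |
    Select-Object TaskName, Status, 'Run As User', 'Next Run Time' | Format-Table -AutoSize

"== Logged-on and disconnected sessions (Task Manager > Users) =="
# A disconnected session keeps its logon token and any drives mapped inside it alive
query user 2>$null

"== Mapped drives and their stored credentials (this session only) =="
Get-CimInstance Win32_NetworkConnection |
    Select-Object LocalName, RemoteName, UserName, ConnectionState | Format-Table -AutoSize

"== Credential Manager entries mentioning $Account (this session only) =="
# Two lines of leading context reach the "Target:" line for each matching "User:" line
cmdkey /list | Select-String -Pattern $Account -Context 2,0
```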
  • As we know, you have narrowed down to the computer (PSE-FF-SA) which causes the account lockout issue.

    Based on the current situation, we need to drill down to which applications are sending the bad passwords.

    A network trace from the client, or just examining which applications and services are running on it and stopping each in turn to isolate the issue, will usually be enough.

    TCPView from Sysinternals or Netstat are also good for this kind of investigation, matching the process ID of a service or application that creates a socket connection with a bad password attempt in the Netlogon log of a DC.

    Common contributors can be OS components like Credman with stale passwords, services running under a specific domain account, dumb applications with insufficient retry logic, etc. 

    The Conficker virus was also notorious for attempting brute force password attacks against members of the built-in Administrators group in the Domain.

    Note also that if you have a mixed environment you may get Account Lockout issues when you change passwords on one OS (client-side or DC-side) and then move to another legacy client that doesn't understand the protocol or algorithm used.

    For more information, please refer to the following Microsoft TechNet blog:

    Troubleshooting account lockout the PSS way
    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx

    Does the user involved have a smartphone or some kind of mobile device using AD credentials for connecting (like Exchange)? If it fails to connect 3 times (depending on your GPOs), it locks his account. Have a look at all his stuff that uses his user account automatically, especially his mobile (90% of the time guilty).

    Refer to the links below for more steps on troubleshooting account lockout.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/94a7399f-7e7b-4404-9509-1e9ac08690a8/
    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/1c7e66a4-6a81-4118-89df-2e290852c3cc/

    Hope this helps


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees, and confers no rights.

    Thursday, May 10, 2012 2:16 AM
  • Hello Ace Fekay,

    I have tried disabling the account and re-enabling the same account after a few hours, but my efforts are in vain. I also tried deleting the account with which I'm facing the issue and recreated the account, but the issue is not resolved.

    Appreciate your help. Thank you

    Thursday, May 10, 2012 7:01 AM
  • Hi,

    As mentioned above, the account lockout occurs at computer PSE-FF-SA; it may be caused by a service, an application, a virus, a brute-force attack and so on.

    So disabling or re-enabling the account will not resolve this issue. The question now is how to find which action causes this issue.

    As far as I know, a third-party software, "Account Lockout Examiner", can examine your system and find the potential cause of account lockouts. You may give it a try.

    You can get it at:
    https://www.netwrix.com/account_lockout_examiner.html

    Note:

    This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet.

    For more information about how to troubleshoot account lockout issues, please refer to the following MS articles:

    Account Lockout Best Practices White Paper
    http://www.microsoft.com/downloads/details.aspx?FamilyID=8C8E0D90-A13B-4977-A4FC-3E2B67E3748E&displaylang=e&displaylang=en
    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155(v=WS.10).aspx
    Account Lockout Tools
    http://technet.microsoft.com/en-us/library/cc738772(v=WS.10).aspx


    Lawrence

    TechNet Community Support


    • Marked as answer by Lawrence,Lu Thursday, May 17, 2012 1:25 AM
    • Edited by Shakti Prasad Mishra Tuesday, January 27, 2015 9:17 PM Modified netwrix's URL to HTTPS
    Thursday, May 10, 2012 7:35 AM
  • Hi Lain,

    I have followed the steps you suggested. There is no service running with the account "20596". I deleted the user profile from the system long back, when the issue started, and I am not using the account anymore. Despite doing all this, the account is still getting locked every 5 minutes. Please find the log details FYI.

    The computer attempted to validate the credentials for an account.

    Authentication Package:           MICROSOFT_AUTHENTICATION_PACKAGE_V1_0

    Logon Account:           20596

    Source Workstation:     PSE-FF-SA

    Error Code:      0xc0000234

    Please suggest if you have any other steps/tips for resolving this issue.

    Thank you.

    Thursday, May 10, 2012 8:55 AM
  • Hello Ace Fekay,

    I have tried disabling the account and re-enabling the same account after a few hours, but my efforts are in vain. I also tried deleting the account with which I'm facing the issue and recreated the account, but the issue is not resolved.

    Appreciate your help. Thank you

    Lawrence provided a great suggestion.

    One other suggestion, if I may add. Depending on the purpose of this workstation, and assuming it's just a workstation and not a server, if you can, why not just re-image it or reinstall it?



    Ace Fekay
    MVP, MCT, MCITP EA, MCTS Windows 2008/R2, Exchange 2007 & Exchange 2010, Exchange 2010 EA, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php

    This post is provided AS-IS with no warranties or guarantees and confers no rights.


    Thursday, May 10, 2012 3:33 PM
  • I'd have to agree with Ace here.

    If you can't find a running process with that username, then you're facing an issue with stored credentials. These could exist in the Credential Manager store, Internet Explorer, as part of a mapped drive that is specified as using different credentials, a local batch file, etc.

    If you're not familiar with all these areas, then you might be better off cutting your losses and rebuilding the machine as tools like Process Monitor and so on aren't going to be able to find them - at least not directly by username, as technically speaking, no process will be able to start under that user account because it's already locked (as opposed to already running and then dealing with the lockout response).

    One thing you can do to limit the places you have to look at is make sure nobody is logged onto that machine at all (meaning nobody is still logged on courtesy of something like fast user switching) and see if the lockout events are still registered on the domain controller.

    If they are, then the credentials are buried in some kind of system process. If the events stop then there's a good chance they're being used in someone's user profile, in which case you could try removing everybody's user profile from that machine - assuming it's safe to do so insofar as you're not going to lose user data or important configuration data.

    Cheers,
    Lain

    • Proposed as answer by Ace Fekay [MCT] Friday, May 11, 2012 1:38 PM
    • Marked as answer by Lawrence,Lu Thursday, May 17, 2012 1:25 AM
    Friday, May 11, 2012 9:16 AM
  • Hi,

    Try logging out all your previously logged-in service accounts, log out from all machines by using a different user login, and log out your locked user from the Task Manager Users list; this will help you.

    Thursday, October 10, 2019 12:42 PM