AD User Account on Windows 7 keeps getting locked out

  • Question

• I have a user account that keeps getting locked out. This computer is a Windows 7 Pro domain-joined desktop computer.

    It started after the user changed their domain password.

    I have done the following so far:

    -Verified there are no services running as the user.

    -Checked ODBC Connections.

    -Deleted and re-added all mapped drives.

    -Deleted all passwords stored in the vault/credential manager.

-Deleted all saved passwords in IE and Chrome.

    -Deleted all jobs in task scheduler that run as the user, even if they are not using saved passwords.

    -Confirmed in the event logs the machine name that is causing the event lock out is the same machine.

--In addition to auditing logon and account logon success and failure attempts, the Advanced Audit Policy is as follows:

    C:\Windows\system32>auditpol /get /category:*
    System audit policy
    Category/Subcategory                      Setting
    System
      Security System Extension               Success and Failure
      System Integrity                        Success and Failure
      IPsec Driver                            Success and Failure
      Other System Events                     Success and Failure
      Security State Change                   No Auditing
    Logon/Logoff
      Logon                                   Success and Failure
      Logoff                                  Success
      Account Lockout                         Success and Failure
      IPsec Main Mode                         No Auditing
      IPsec Quick Mode                        No Auditing
      IPsec Extended Mode                     No Auditing
      Special Logon                           Success
      Other Logon/Logoff Events               Success and Failure
      Network Policy Server                   No Auditing
      User / Device Claims                    No Auditing
      Group Membership                        No Auditing
    Object Access
      File System                             No Auditing
      Registry                                No Auditing
      Kernel Object                           No Auditing
      SAM                                     No Auditing
      Certification Services                  No Auditing
      Application Generated                   No Auditing
      Handle Manipulation                     No Auditing
      File Share                              Success and Failure
      Filtering Platform Packet Drop          No Auditing
      Filtering Platform Connection           No Auditing
      Other Object Access Events              No Auditing
      Detailed File Share                     Failure
      Removable Storage                       Success
      Central Policy Staging                  No Auditing
    Privilege Use
      Non Sensitive Privilege Use             No Auditing
      Other Privilege Use Events              No Auditing
      Sensitive Privilege Use                 Success and Failure
    Detailed Tracking
      Process Creation                        No Auditing
      Process Termination                     No Auditing
      DPAPI Activity                          No Auditing
      RPC Events                              No Auditing
      Plug and Play Events                    No Auditing
      Token Right Adjusted Events             No Auditing
    Policy Change
      Audit Policy Change                     Success and Failure
      Authentication Policy Change            Success
      Authorization Policy Change             No Auditing
      MPSSVC Rule-Level Policy Change         No Auditing
      Filtering Platform Policy Change        No Auditing
      Other Policy Change Events              No Auditing
    Account Management
      Computer Account Management             Success
      Security Group Management               Success
      Distribution Group Management           No Auditing
      Application Group Management            No Auditing
      Other Account Management Events         Success
      User Account Management                 Success and Failure
    DS Access
      Directory Service Access                Success and Failure
      Directory Service Changes               Success and Failure
      Directory Service Replication           No Auditing
      Detailed Directory Service Replication  No Auditing
    Account Logon
      Kerberos Service Ticket Operations      No Auditing
      Other Account Logon Events              Success and Failure
      Kerberos Authentication Service         No Auditing
      Credential Validation                   Success and Failure
    

    -Downloaded the Lockout Status Tool

    https://www.microsoft.com/en-us/download/details.aspx?id=15201

-Ran "Aloinfo.exe /stored >C:\CachedAcc.txt" from the download directory and confirmed there was nothing with the user's domain account listed.

    -Followed the instructions for "Alockout.dll" and moved it to the System32 folder and added the reg key, rebooted several times.

    --It has not once created the log file in the %Windows%\Debug folder.

-Downloaded a trial of ManageEngine's ADAudit Plus.

    --The only useful thing I found was that it's something related to explorer.exe, but even that might not be helpful.

    -Downloaded Netwrix Account Lockout Examiner; nothing useful pulled from that other than setting an alert to myself as soon as the user's account is locked so I can unlock it. I did find the failed logon is happening every five minutes like clockwork, but there are no jobs in Task Scheduler that run as the user.

    I'm about to reformat the drive and lay down a fresh image, but hoping maybe somebody else has an idea of where else I could check.

    Thursday, October 3, 2019 10:06 PM
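The audit policy dump in the post above is the kind of thing that is easy to misread at a glance; the one subcategory that would have shown which process was authenticating (Process Creation, under Detailed Tracking) is set to No Auditing. The following PowerShell script is an added example, not something from the thread or from Microsoft's tools: it parses `auditpol /get /category:*` output and flags the subcategories a lockout investigation depends on that are not auditing what they need to. The embedded sample is a constructed subset of the output above, and the list of required settings is an assumption chosen to cover lockout tracing (the 4740/4625 events on the domain controller and 4688 process creation on the client).

```powershell
# Added example (not from the thread): parse `auditpol /get /category:*` output
# and flag subcategories an account-lockout investigation relies on that are
# not auditing what they should. $sample is a constructed subset of the output
# posted in the question; replace it with live output as shown at the bottom.

$sample = @'
System audit policy
Category/Subcategory                      Setting
Logon/Logoff
  Logon                                   Success and Failure
  Logoff                                  Success
  Account Lockout                         Success and Failure
Detailed Tracking
  Process Creation                        No Auditing
  Process Termination                     No Auditing
Account Logon
  Kerberos Authentication Service         No Auditing
  Credential Validation                   Success and Failure
'@

# Assumed minimum settings that make a lockout traceable to its source.
# Keys are subcategory names exactly as auditpol prints them.
$required = @{
    'Account Lockout'                 = 'Failure'   # 4740 on the DC
    'Logon'                           = 'Failure'   # 4625 where the bad logon lands
    'Credential Validation'           = 'Failure'   # 4776 NTLM validation on the DC
    'Kerberos Authentication Service' = 'Failure'   # 4771 pre-auth failures on the DC
    'Process Creation'                = 'Success'   # 4688 on the client, per step 5 below
}

function ConvertFrom-AuditPol {
    # Turn auditpol's fixed-width text into objects: Category, Subcategory, Setting.
    param([string[]]$Lines)
    $category = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*(System audit policy|Category/Subcategory)') { continue }
        if ($line -match '^\S') { $category = $line.Trim(); continue }   # unindented = category header
        if ($line -match '^\s+(.+?)\s{2,}(No Auditing|Success and Failure|Success|Failure)\s*$') {
            [pscustomobject]@{
                Category    = $category
                Subcategory = $Matches[1].Trim()
                Setting     = $Matches[2]
            }
        }
    }
}

function Test-LockoutAuditCoverage {
    # Compare parsed policy against the required settings and report gaps.
    param([object[]]$Policy, [hashtable]$Required)
    foreach ($name in $Required.Keys) {
        $entry  = $Policy | Where-Object { $_.Subcategory -eq $name }
        $actual = if ($entry) { $entry.Setting } else { 'not found' }
        # 'Success and Failure' satisfies either requirement; otherwise it must match exactly.
        $ok = ($actual -eq 'Success and Failure') -or ($actual -eq $Required[$name])
        [pscustomobject]@{
            Subcategory = $name
            Required    = $Required[$name]
            Actual      = $actual
            Gap         = -not $ok
        }
    }
}

$policy = ConvertFrom-AuditPol -Lines ($sample -split "`r?`n")
Test-LockoutAuditCoverage -Policy $policy -Required $required | Format-Table -AutoSize

# On a live machine, feed auditpol's own output instead of the sample:
#   $policy = ConvertFrom-AuditPol -Lines (auditpol /get /category:*)
```

Run against the sample, the report shows Gap = True for Process Creation and Kerberos Authentication Service, which are exactly the two settings the reply below asks to turn on.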

Answers

  • I went ahead and reimaged the affected machine. I hate to "give up" but I couldn't find another solution to locate what was using her old credentials.
    • Marked as answer by curryjasonl Friday, October 18, 2019 5:22 PM
    Friday, October 18, 2019 5:21 PM

All replies

  • Hello,
    Thank you for posting in our TechNet forum.

Usually, we can troubleshoot account lockouts as below:

    1. Apply Audit Policy to the PDC under this location:

    Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration > Audit Policies

    Logon/Logoff:
    Audit Account Lockout – Failure
    Audit Logon – Failure

    Account Logon:
    Audit Kerberos Authentication Service - Failure
    Audit Credential Validation – Failure

    Account Management:
    Audit User Account Management – Success and Failure


    2. We can run the following command on the PDC to force the policy to update and check whether the related audit is enabled:
    gpupdate /force
    auditpol /get /category:*


    3. On the client, when the user account is locked out.


    4. Go to PDC, in the Security Log check whether we received the following Event:
    4740      A user account was locked out.


    Within this Event log, we can see the resource computer (Caller Computer Name). 




    5. Please on the resource computer apply the following Audit Policies:

    Computer Configuration\Windows settings\security settings\Advanced Audit Policy Configuration > Audit Policies
    Detailed Tracking: Configure all items as Success and Failure
    Logon/Logoff: Configure all items as Failure

6. When the user account is locked again, combining the time stamp of Event 4740, we can see which process was launched in the client's Security Log at the time Event 4740 was reported.





    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 4, 2019 8:43 AM
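Steps 4 through 6 above describe a manual correlation: find the 4740 on the PDC emulator, read the Caller Computer Name, then look at what that computer was doing at the same time. The script below is an added example, not code from the thread or from Microsoft: it automates that correlation with Get-WinEvent, reading event fields by name from the event XML rather than by position (in a 4740 event the caller computer is carried in the TargetDomainName field). It assumes the ActiveDirectory module on the machine running it, remote event log access to the PDC and to the caller computer, and the audit settings from steps 1 and 5 already applied. The parameter names, the window size and the interval report at the end are my own choices.

```powershell
# Added example (not from the thread): trace an account lockout from the PDC
# emulator's 4740 events to the caller computer, then pull that computer's
# process-creation (4688) and locally recorded failed-logon (4625) events from
# the minutes before each lockout. Assumes the ActiveDirectory module and
# remote Security-log access to the PDC and the client.

param(
    [Parameter(Mandatory)][string]$SamAccountName,   # locked-out user, e.g. 'jdoe'
    [int]$WindowMinutes = 5,                         # look-back on the client before each 4740
    [int]$Hours = 24                                 # how far back to search the PDC
)

Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator   # every DC forwards lockouts to the PDC emulator

function Get-EventData {
    # Return the event's EventData fields as a name -> value hashtable so the
    # code does not depend on positional Properties[] indexes.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    $data
}

# Step 4: 4740 events for this user on the PDC. TargetDomainName = Caller Computer Name.
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    if ($d.TargetUserName -eq $SamAccountName) {
        [pscustomobject]@{ Time = $_.TimeCreated; User = $d.TargetUserName; Caller = $d.TargetDomainName }
    }
}

if (-not $lockouts) {
    Write-Host "No 4740 events for $SamAccountName on $pdc in the last $Hours h"
    return
}

# Step 6: for each lockout, show what the caller computer was doing just before it.
foreach ($lock in $lockouts) {
    Write-Host "`n=== $($lock.Time)  $($lock.User) locked out; caller = $($lock.Caller) ==="
    $start  = $lock.Time.AddMinutes(-$WindowMinutes)
    $events = Get-WinEvent -ComputerName $lock.Caller -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4688; StartTime = $start; EndTime = $lock.Time
    } -ErrorAction SilentlyContinue

    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $d = Get-EventData $e
        switch ($e.Id) {
            4625 { '{0}  4625 failed logon  user={1}\{2}  type={3}  process={4}  src={5}' -f `
                     $e.TimeCreated, $d.TargetDomainName, $d.TargetUserName, $d.LogonType, $d.ProcessName, $d.IpAddress }
            4688 { '{0}  4688 new process   by={1}\{2}  {3}' -f `
                     $e.TimeCreated, $d.SubjectDomainName, $d.SubjectUserName, $d.NewProcessName }
        }
    }
}

# Interval between consecutive lockouts: a fixed period (the "every five
# minutes" the original poster saw) points at a timer-driven client, not a person.
$sorted = @($lockouts | Sort-Object Time)
for ($i = 1; $i -lt $sorted.Count; $i++) {
    'lockout interval: {0:N1} min' -f ($sorted[$i].Time - $sorted[$i - 1].Time).TotalMinutes
}
```

Usage: `.\Trace-Lockout.ps1 -SamAccountName jdoe -WindowMinutes 5`. A 4688 for a process whose start time sits a few seconds before each 4740, and repeats at the same interval, is the candidate; note that 4688 only names the process that started in the window, so a long-running process (an already-open browser, a service that was never restarted) will not appear as a new process and has to be found from the failed logons or the DC-side 4776/4771 events instead.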
  • Daisy.

    thank you very much for your reply.

    With exception of the detailed tracking all of my other auditing policies meet or exceed your recommendations, that's how I knew what machine the lockout was being generated from for certain.

I went through and did all the standard checks again, and I must have missed the checkbox in IE to delete the passwords the first time, because IE ended up being the source (or at least it appears that way), as I have not had another lockout event since.

    EDIT: I was wrong. After a few hours of peace and quiet I closed the ticket and then...the account locked again.

    I went ahead and added the user to a custom GPO that includes Detailed Tracking in addition to our other Auditing Policy. Will look at the logs once the lockout event happens again.

    • Marked as answer by curryjasonl Friday, October 4, 2019 4:23 PM
    • Unmarked as answer by curryjasonl Friday, October 4, 2019 9:09 PM
    • Edited by curryjasonl Friday, October 4, 2019 9:11 PM
    Friday, October 4, 2019 4:23 PM
  • Running Processes when the lockout occurs:

    taskhost.exe
    ScreenConnect.WindowsClient.exe
    taskeng.exe
    ipoint.exe
    itype.exe
    FortiTray.exe
    dwm.exe
    explorer.exe
    RtDCpl64.exe
    TdmNotify.exe
    Laserfiche.OfficeMonitor.exe
    OneDrive.exe
    iusb3mon.exe
    PdfPro8Hook.exe
    MOM.exe
    msddsk.exe
    CCC.exe
    LTTray.exe
    CiscoJabber.exe
    IAStorIcon.exe
    wbxcOIEx.exe
    OUTLOOK.EXE
    eautomate.exe
    splwow64.exe
    eautomate.exe
    iexplore.exe
    iexplore.exe
    iexplore.exe
    ArsClip.exe
    EXCEL.EXE
    eviews.exe
    FileCoAuth.exe
    Friday, October 4, 2019 11:42 PM
  • Hi,
    Do we mean a user account is locked out on one Windows 7 by so many processes above?

    If so, we can try to delete all the credentials under:

    Control Panel\User Accounts\Credential Manager\Web Credentials and Windows Credentials



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 7, 2019 6:22 AM
  • Hi,
Does this question have any update, or is this issue solved? Also, for the question, is there any other assistance we could provide?


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Wednesday, October 9, 2019 2:39 AM
The above is the list of processes that are running at/around the same time the account lockout event occurs.

    There is no entry in the event logs showing WHAT process is causing the domain account to be locked out.

    Wednesday, October 9, 2019 9:27 PM
  • Hi,

    Can we try to delete all the credentials on this Win 7
    under:
    Control Panel\User Accounts\Credential Manager\Web Credentials and Windows Credentials?

    Then check if it helps.


    Best Regards,
    Daisy Zhou


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 10, 2019 10:26 AM
  • Hi,
    I am just writing to see if this question has any update. If anything is unclear, please feel free to let us know.
    Thanks for your time and have a nice day!


    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, October 14, 2019 9:00 AM
  • Hi,
Would you please tell me how things are going on your side? If you have any questions or concerns about the information I provided, please don't hesitate to let us know.



    Best Regards,
    Daisy Zhou

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, October 17, 2019 7:22 AM
• 
    In my initial post I stated I cleared all the saved credentials in the vault/credential manager.
    Friday, October 18, 2019 4:56 PM
  • Hi,
    Thank you for your update and sharing. I am glad that the problem has been resolved. 

    As always, if there is any question in future, we warmly welcome you to post in this forum again. 



    Best Regards,
    Daisy Zhou


    Wednesday, October 23, 2019 12:54 AM