Users being randomly locked out of their accounts

  • Question

  • Hi,

    I'm having a problem where a number of users are having their accounts locked out.  The way the lockouts are happening is a bit strange.

    The environment is a Windows 2003 functional level domain.  There are domain controllers at every office site.  There is also a domain controller hosted at a data center with a number of other servers including our proxy server, SharePoint server, Exchange 2007, etc.  This domain controller has all the FSMO roles on it.

    The users experiencing the lockouts are geographically dispersed and have different usage patterns.  In the case of one user, we were using one web proxy product, and when we changed the user over to a different web proxy product we are testing, the frequency of the lockouts decreased.  However, they would still happen.  In the case of this specific user, they would completely shut down their PC at night and when they started it up the next morning and attempted to log in, their account would be immediately locked out.  Some users have iPhones but their iPhones appear to be working until the lockout happens.  The lockout times listed by the account lockout tool will be fairly erratic and at times the user normally wouldn't be active (i.e. 4am, 6am, etc.).

    I have tried running the account lockout status tool for these users and it will list the most recent bad password attempt being against the data center domain controller.  If there's an account lockout, it's listed against this DC too.

    I've tried putting the Microsoft Network Monitor on one user's PC for an entire morning until their account locked out again to try to get an idea of what is causing it.  The data didn't point to anything obvious.  I've also tried checking the security logs on the various DCs; I will see an event relating to the account being locked out, but not where the bad login attempts were coming from.

    A thing that might be a secondary issue is today I tried to increase the level of logging for the netlogon service on the data center DC, as I suspect this is where the problem is happening.  However, the amount of data generated was so high that the log file would fill its default size of 20MB in a few minutes.  No users should be authenticating against this DC directly.  I did some performance logging on some counters and saw things like about 300 LDAP searches/second and about 100 LDAP client sessions.  There are also about 300 Kerberos Authentications over the same period.

    Are the figures I'm seeing from those performance counters normal?  And is there any additional troubleshooting I can do to try to resolve the account lockout issue?  Thanks.

    Thursday, December 16, 2010 7:28 AM

Answers