user account locked up frequently

a user complained that her AD user account got locked up frequently. How can
I troubleshoot what the cause could be? Maybe she changed her password and
some software is still using the old one. Anyway, need to find a way to tell
what is the cause and where it's from (the machine).

Thanks.

Hello Chris,

Enable Auditing for logons: "Audit account logon events" and "Audit logon
events"

Maybe you can find here some additional infos, you have to check all DC's
for the events. But normally no software uses the account from users.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> a user complained that her AD user account got locked up frequently.
> How can I troubleshoot what the cause could be? Maybe she changed her
> password and some software is still using the old one. Anyway, need
> to find a way to tell what is the cause and where it's from (the
> machine).
>
> Thanks.
>

Hi Chris,

You can also try to find it using Account Lockout and Management Tools from
Microsoft.

Have a nice day!

"Chris" wrote:

> a user complained that her AD user account got locked up frequently. How can
> I troubleshoot what the cause could be? Maybe she changed her password and
> some software is still using the old one. Anyway, need to find a way to tell
> what is the cause and where it's from (the machine).
>
> Thanks.

Is the account logged into more than one machine or is it running a service
on the same machine? A user could have mapped drives to a resource from one
machine, on a different machine he changes his password and then the first
machine attempts to stay mapped to a drive and the password is no longer
correct and eventually locks the user out. Or after a password is changed a
service is running that attempts to authenticate with an old password.

To help try and track down where the account is getting locked out use
eventcombMT.exe from the Account Lockout tools found out Microsoft's
website. Use the built in search AccountLockouts and search in the created
text files for the user in question.

http://www.microsoft.com/downloads/d...displaylang=en


You can also set the debug flag on NetLogon to track authentication. "This
creates a text file on the PDC that can be examined to determine which
clients are generating the bad password attempts."
http://support.microsoft.com/kb/189541
http://support.microsoft.com/kb/109626

--
Paul Bergson
MVP - Directory Services
MCTS, MCT, MCSE, MCSA, Security+, BS CSci
2008, 2003, 2000 (Early Achiever), NT4

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Chris" <Chris@discussions.microsoft.com> wrote in message
news:7807D743-B361-4C15-AB82-37FDDBE7B757@microsoft.com...
>a user complained that her AD user account got locked up frequently. How
>can
> I troubleshoot what the cause could be? Maybe she changed her password
> and
> some software is still using the old one. Anyway, need to find a way to
> tell
> what is the cause and where it's from (the machine).
>
> Thanks.

Thanks everyone. I'll try AL Tools first. I thought with Windows 2003
domain account lockout events replicated to all domain controllers. Is that
right?

"Paul Bergson [MVP-DS]" wrote:

> Is the account logged into more than one machine or is it running a service
> on the same machine? A user could have mapped drives to a resource from one
> machine, on a different machine he changes his password and then the first
> machine attempts to stay mapped to a drive and the password is no longer
> correct and eventually locks the user out. Or after a password is changed a
> service is running that attempts to authenticate with an old password.
>
> To help try and track down where the account is getting locked out use
> eventcombMT.exe from the Account Lockout tools found out Microsoft's
> website. Use the built in search AccountLockouts and search in the created
> text files for the user in question.
>
> http://www.microsoft.com/downloads/d...displaylang=en
>
>
> You can also set the debug flag on NetLogon to track authentication. "This
> creates a text file on the PDC that can be examined to determine which
> clients are generating the bad password attempts."
> http://support.microsoft.com/kb/189541
> http://support.microsoft.com/kb/109626
>
> --
> Paul Bergson
> MVP - Directory Services
> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> 2008, 2003, 2000 (Early Achiever), NT4
>
> http://www.pbbergs.com
>
> Please no e-mails, any questions should be posted in the NewsGroup
> This posting is provided "AS IS" with no warranties, and confers no rights.
>
> "Chris" <Chris@discussions.microsoft.com> wrote in message
> news:7807D743-B361-4C15-AB82-37FDDBE7B757@microsoft.com...
> >a user complained that her AD user account got locked up frequently. How
> >can
> > I troubleshoot what the cause could be? Maybe she changed her password
> > and
> > some software is still using the old one. Anyway, need to find a way to
> > tell
> > what is the cause and where it's from (the machine).
> >
> > Thanks.
>
>
>

Hello Chris,

Event viewer entries will not be replicated, they stay on the DC where it
was locked. If you mean the flag for the locked account, yes.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Thanks everyone. I'll try AL Tools first. I thought with Windows
> 2003 domain account lockout events replicated to all domain
> controllers. Is that right?
>
> "Paul Bergson [MVP-DS]" wrote:
>
>> Is the account logged into more than one machine or is it running a
>> service on the same machine? A user could have mapped drives to a
>> resource from one machine, on a different machine he changes his
>> password and then the first machine attempts to stay mapped to a
>> drive and the password is no longer correct and eventually locks the
>> user out. Or after a password is changed a service is running that
>> attempts to authenticate with an old password.
>>
>> To help try and track down where the account is getting locked out
>> use eventcombMT.exe from the Account Lockout tools found out
>> Microsoft's website. Use the built in search AccountLockouts and
>> search in the created text files for the user in question.
>>
>> http://www.microsoft.com/downloads/d...D=7AF2E69C-91F
>> 3-4E63-8629-B999ADDE0B9E&displaylang=en
>>
>> You can also set the debug flag on NetLogon to track authentication.
>> "This creates a text file on the PDC that can be examined to
>> determine which clients are generating the bad password attempts."
>> http://support.microsoft.com/kb/189541
>> http://support.microsoft.com/kb/109626
>>
>> --
>> Paul Bergson
>> MVP - Directory Services
>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>> 2008, 2003, 2000 (Early Achiever), NT4
>> http://www.pbbergs.com
>>
>> Please no e-mails, any questions should be posted in the NewsGroup
>> This posting is provided "AS IS" with no warranties, and confers no
>> rights.
>>
>> "Chris" <Chris@discussions.microsoft.com> wrote in message
>> news:7807D743-B361-4C15-AB82-37FDDBE7B757@microsoft.com...
>>
>>> a user complained that her AD user account got locked up frequently.
>>> How
>>> can
>>> I troubleshoot what the cause could be? Maybe she changed her
>>> password
>>> and
>>> some software is still using the old one. Anyway, need to find a
>>> way to
>>> tell
>>> what is the cause and where it's from (the machine).
>>> Thanks.
>>>

Meinolf,
is logon/logoff event got replicated to each DC in Windows 2003 domain?
Maybe that's the one wasn't replicated but now is.

"Meinolf Weber" wrote:

> Hello Chris,
>
> Event viewer entries will not be replicated, they stay on the DC where it
> was locked. If you mean the flag for the locked account, yes.
>
> Best regards
>
> Meinolf Weber
> Disclaimer: This posting is provided "AS IS" with no warranties, and confers
> no rights.
> ** Please do NOT email, only reply to Newsgroups
> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>
> > Thanks everyone. I'll try AL Tools first. I thought with Windows
> > 2003 domain account lockout events replicated to all domain
> > controllers. Is that right?
> >
> > "Paul Bergson [MVP-DS]" wrote:
> >
> >> Is the account logged into more than one machine or is it running a
> >> service on the same machine? A user could have mapped drives to a
> >> resource from one machine, on a different machine he changes his
> >> password and then the first machine attempts to stay mapped to a
> >> drive and the password is no longer correct and eventually locks the
> >> user out. Or after a password is changed a service is running that
> >> attempts to authenticate with an old password.
> >>
> >> To help try and track down where the account is getting locked out
> >> use eventcombMT.exe from the Account Lockout tools found out
> >> Microsoft's website. Use the built in search AccountLockouts and
> >> search in the created text files for the user in question.
> >>
> >> http://www.microsoft.com/downloads/d...D=7AF2E69C-91F
> >> 3-4E63-8629-B999ADDE0B9E&displaylang=en
> >>
> >> You can also set the debug flag on NetLogon to track authentication.
> >> "This creates a text file on the PDC that can be examined to
> >> determine which clients are generating the bad password attempts."
> >> http://support.microsoft.com/kb/189541
> >> http://support.microsoft.com/kb/109626
> >>
> >> --
> >> Paul Bergson
> >> MVP - Directory Services
> >> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
> >> 2008, 2003, 2000 (Early Achiever), NT4
> >> http://www.pbbergs.com
> >>
> >> Please no e-mails, any questions should be posted in the NewsGroup
> >> This posting is provided "AS IS" with no warranties, and confers no
> >> rights.
> >>
> >> "Chris" <Chris@discussions.microsoft.com> wrote in message
> >> news:7807D743-B361-4C15-AB82-37FDDBE7B757@microsoft.com...
> >>
> >>> a user complained that her AD user account got locked up frequently.
> >>> How
> >>> can
> >>> I troubleshoot what the cause could be? Maybe she changed her
> >>> password
> >>> and
> >>> some software is still using the old one. Anyway, need to find a
> >>> way to
> >>> tell
> >>> what is the cause and where it's from (the machine).
> >>> Thanks.
> >>>
>
>
>

Hello Chris,

Again event log's wan't be replicated. Please describe what you define as
event.

Best regards

Meinolf Weber
Disclaimer: This posting is provided "AS IS" with no warranties, and confers
no rights.
** Please do NOT email, only reply to Newsgroups
** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Meinolf,
> is logon/logoff event got replicated to each DC in Windows 2003
> domain?
> Maybe that's the one wasn't replicated but now is.
> "Meinolf Weber" wrote:
>
>> Hello Chris,
>>
>> Event viewer entries will not be replicated, they stay on the DC
>> where it was locked. If you mean the flag for the locked account,
>> yes.
>>
>> Best regards
>>
>> Meinolf Weber
>> Disclaimer: This posting is provided "AS IS" with no warranties, and
>> confers
>> no rights.
>> ** Please do NOT email, only reply to Newsgroups
>> ** HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm
>>> Thanks everyone. I'll try AL Tools first. I thought with Windows
>>> 2003 domain account lockout events replicated to all domain
>>> controllers. Is that right?
>>>
>>> "Paul Bergson [MVP-DS]" wrote:
>>>
>>>> Is the account logged into more than one machine or is it running a
>>>> service on the same machine? A user could have mapped drives to a
>>>> resource from one machine, on a different machine he changes his
>>>> password and then the first machine attempts to stay mapped to a
>>>> drive and the password is no longer correct and eventually locks
>>>> the user out. Or after a password is changed a service is running
>>>> that attempts to authenticate with an old password.
>>>>
>>>> To help try and track down where the account is getting locked out
>>>> use eventcombMT.exe from the Account Lockout tools found out
>>>> Microsoft's website. Use the built in search AccountLockouts and
>>>> search in the created text files for the user in question.
>>>>
>>>> http://www.microsoft.com/downloads/d...yID=7AF2E69C-9
>>>> 1F 3-4E63-8629-B999ADDE0B9E&displaylang=en
>>>>
>>>> You can also set the debug flag on NetLogon to track
>>>> authentication. "This creates a text file on the PDC that can be
>>>> examined to determine which clients are generating the bad password
>>>> attempts." http://support.microsoft.com/kb/189541
>>>> http://support.microsoft.com/kb/109626
>>>>
>>>> --
>>>> Paul Bergson
>>>> MVP - Directory Services
>>>> MCTS, MCT, MCSE, MCSA, Security+, BS CSci
>>>> 2008, 2003, 2000 (Early Achiever), NT4
>>>> http://www.pbbergs.com
>>>> Please no e-mails, any questions should be posted in the NewsGroup
>>>> This posting is provided "AS IS" with no warranties, and confers no
>>>> rights.
>>>>
>>>> "Chris" <Chris@discussions.microsoft.com> wrote in message
>>>> news:7807D743-B361-4C15-AB82-37FDDBE7B757@microsoft.com...
>>>>
>>>>> a user complained that her AD user account got locked up
>>>>> frequently.
>>>>> How
>>>>> can
>>>>> I troubleshoot what the cause could be? Maybe she changed her
>>>>> password
>>>>> and
>>>>> some software is still using the old one. Anyway, need to find a
>>>>> way to
>>>>> tell
>>>>> what is the cause and where it's from (the machine).
>>>>> Thanks.