Printable View
I adjusted my account lockout policy to lock a user account after 5 invlaid
attempts. Since that change yesterday, I have had to reset my account 3
times. I have logged in without making a mistake on my password. I'm thinking
there is a scheduled task somewhere using my credentials or there is someone
trying to guess my password. Is there a utility or an LDAP command that will
show where my user account is being used to log into the network? What other
ways can I use to track this down?
I would start by checking the services running on your computer for a
service running under your account, and change that password.
Also, if you are logged on anywhere with an old password, that will
cause the same problem.
Is the account logged into more than one machine or is it running a service
on the same machine? A user could have mapped drives to a resource from one
machine, on a different machine he changes his password and then the first
machine attempts to stay mapped to a drive and the password is no longer
correct and eventually locks the user out. Or after a password is changed a
service is running that attempts to authenticate with an old password.
To help try and track down where the account is getting locked out use
eventcomboMT.exe from the Account Lockout tools found out Microsoft's
website. Use the built in search AccountLockouts and search in the created
text files for the user in question.
http://www.microsoft.com/downloads/d...9-b999adde0b9e
Also, please enable netlogon logging on all the domain controllers starting
with the PDC.
http://support.microsoft.com/kb/109626/
After enabling the log and when the account gets locked out, please parse
the logs for the 6A (bad password events) and check from which computer they
are coming.
I haven't had the need to do this, if the eventcombo is used. Not saying
that he won't need it but I would suggest he try the eventcombo for
starters.
Yes, eventcomb built-in search is very helpful, in these cases, but if that
does not help this is a little advanced to go deeper, shows all the NTLM
based lockouts.
I normally do both at the same time to gather all the relevant data at the
same time.
Please try eventcomb first.
The Netwrix account lockout examiner can prob help. It examines all schedules tasks and show where account is used and locked
Bobby is right, netwrix account lockout examiner will tell you why you are getting locked out.
I was having a problem similar to this. I am not saying this is the fix for you but here is what I had.
User account would lock out after 5-10 minutes. At first I suspected machine and services. No services were using the user account to start. Then I thought running processes on startup. Then I noticed the user would lock without even being logged into the machine. Ok easy has to be replication problem. No repl problems were found and could unlock on one domain controller and would instantly unlock on all others.
Then I noticed the end user typing on their older Andriod phone.... hmm. Are you using that to get your corporate Email? "Yes but it hasn't worked in a while". Ever since you changed your password? "Yes right around there".
Delete corporate email from phone. Waited half an hour and account didn't lock. Log into the exchange server for that account and review security logs yep there it was plain as day a bunch of failed OWA logins.
I feel stupid for not looking on the exchange server first but at least I found it. Maybe this will give you another spot to look.
Regards
J