User accounts getting locked out frequently

Tom Edelbrok · 15-05-2008

To all,

We have a Server 2003 network (2 Domain Controllers, 3 member servers, and
about 60 Windows XP SP2 clients). About 3 months ago we noticed that the
occasional user would get into a lockout problem after having changed their
expiring password successfully. What happens is that after changing their
password they can run fine for a while (even logging out and back in), but
then all of a sudden their account gets locked out. However, they haven't
done anything to lock it out (ie: they haven't put in a bad password three
times in succession). We unlock their account and they work fine for a day
or so, then boom - it happens again. It occurs while they are already logged
in, ie: the Internet Explorer starts looking for authentication, and their
Outlook client (for Exchange Server 2003) also looks for authentication.
Neither of these should be asking because they are logged in via Active
Directory, and secondly, the Internet Explorer uses an LDAP authentication
via a Linux box to authenticate against Active Directory. It only affects a
few people, but it affects them so severely that we have to get a solution
to the problem.

The only solution we've come up with is to rebuild the user's PC (wipe the
drive and re-install XP). Then they are fine.

We speculate that there must be some background processes (ie: java update
checker, or who knows what) that are going out to the web to search for
updates, and are somehow using the user's old password (ie: from before they
changed it). Perhaps this 'old' password is encrypted and store in the
registry someplace based upon the last time a process was successful in
accessing the web. If these background processes are failing to authenticate
a number of times then that would explain the user being locked out while
they're currently logged in.

Does this make sense? Does anyone else have any ideas? Has anyone else seen
a problem like this?

Tom Edelbrok

Adrian · 16-05-2008

Try this the next time it happens

1) remove passwords by clicking on Start => Run => type "rundll32.exe
keymgr.dll, KRShowKeyMgr" and then delete the Domain-related passords;
2) remove passwords in Internet Explorer => Tools => Internet Options =>
Content => Personal Information => Auto Complete => Clear Passwords;
3) Delete cookies in Internet Explorer => Tools => Internet Options =>
General;
4) Disconnect (note the path before disconnecting) all networks drives,
reboot, then map them again;

More often than not it is an explicite drive mapping

JohnB · 16-05-2008

Are you saying Outlook does prompt for username/password? Normally that
happens when the cached password doesn't match the password in AD.
Almost sounds like a problem with AD replication.

Try disabling cached credentials in a GPO:
Computer Configuration, Windows Setting, Local Policy, Security Options
control of "Interactive Logon: Number of previous logons to cache (in case
domain controller is not available)" to 0 logons (from the default of 10).

**Kleen13** · 23-05-2009

This is for anyone that hasn't resolved this... I had this same issue and it turned out to be a Managed Passwords issue. I never added it myself and don't know how the mail server was populated in there, but in the :
Control Panel -> User Accounts -> Advanced tab -> Manage Passwords, I had an entry for our mail server with my email address specified with a blank password. This messed up any session I wanted to have with the mail server, including Outlook, RDP, UNC, anything at all. populating the password or better yet, removing the entry fixed it. If you are on an AD domain, you don't need to set any passwords there.

**ratheesh_Nambiar** · 26-09-2010

Tnk u very much Boss.... U made my life happy... It worked for me

Originally Posted by Kleen13

This is for anyone that hasn't resolved this... I had this same issue and it turned out to be a Managed Passwords issue. I never added it myself and don't know how the mail server was populated in there, but in the :
Control Panel -> User Accounts -> Advanced tab -> Manage Passwords, I had an entry for our mail server with my email address specified with a blank password. This messed up any session I wanted to have with the mail server, including Outlook, RDP, UNC, anything at all. populating the password or better yet, removing the entry fixed it. If you are on an AD domain, you don't need to set any passwords there.