
Constant Locking of AD User Account


Arran (MIS), Apr 11, 2002
Anyone ever come across this? We run a network with three Win2k domain controllers, a couple of NT servers and about 140 NT/2000/XP workstations. Everything runs smoothly except for one user account. This account repeatedly locks the user out of the network, on average ten times a day. We can rectify this by just unlocking the user in AD, but it's a tad annoying! When the user can log on he is OK until he logs off; then when he tries to log back on, eight times out of ten his account will be locked. We unlock him and away he goes until the next time he logs off/back on...

I have checked his account and nothing looks out of the ordinary. He runs XP Pro on his workstation.

Anyone else ever come across this problem - or have any idea what the problem could be?
 
I am having that very same problem with one user. Have you found anything yet?
 
The user is probably logged on to several computers, or he has connected to a share from another computer. Ask the user to log off EVERYWHERE and then unlock / reset the password.

Best Regards
Mattias Kressmark
 
Here are a couple of things to check also:

1) Did he have persistent mapped drives and recently change his password? When mapping drives, sometimes the password is cached, and when the login password is changed the mapped drive connection is still using the old password.

2) Did he install any applications that required a new service to run? If so, did he use his own user account to start and run the service?

Good Luck!

Tim
Certified AND Qualified
 
On his machine, go to Users in Control Panel. Open his user name and click on Manage Network Passwords. If his password has been changed on the server, make sure any entries here are updated too.
 
In addition to the above mentioned things to check for (logged onto multiple PCs etc.), I recently had this problem and after about 2 weeks of investigation I tracked it down to a user having disconnected from a Terminal Services session rather than logged off. Following them changing their password, this disconnected session still gets polled once in a while and will lock the account as the credentials are no longer correct. This would happen a couple of times a day, though not the 10 you mention.

The way I tracked it down was to enable auditing on the domain controllers and, as soon as the account got locked, check through the audit logs and see from which computer the lockout originated. Once you know the computer that the problem originates on you can narrow down the possibilities (in my case, once I realised it was a terminal server causing the problem, the reason why became clear).
 
I've tried all of that and his account still gets locked out several times a day. Any other thoughts?
 
Have you enabled auditing to track where the lockout is originating from?
 
Yes I did. I found where it is coming from but not why. We have an "admin" machine that runs several monitoring/reporting tools and he uses it now and then, but no drives are mapped and no processes/services with his ID are running. Here is the error...

Pre-authentication failed:
User Name: "USER NAME"
User ID: Additional Information [GUID]: {S-1-5-21-1438600032-379729542-324685044-1937}
Service Name: krbtgt/"Domain Name"
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: "IP ADDRESS"
 
Is it only happening on that particular machine? Have you tried deleting his profile from that machine and recreating it?

If it is only happening on that machine, there may very well be an app or service using his credentials to run. Try searching the registry for his username using REGEDIT and making note of any services or applications associated with his account.

Good Luck!

Tim
Certified AND Qualified
 
How do you disable account lockouts from happening? I'm having a similar problem and I just want to disable account lockouts.

Thanks,
CJ
 
Anyone get a resolution to this one? I have a similar issue here...

It is a Kerberos error that is shown in the event logs... but why is it failing?

Alshrim
System Administrator
MCSE, MCP+Internet
 
Here's the error I get:

Event Type: Failure Audit
Event Source: Security
Event Category: Account Logon
Event ID: 675
Date: 10/14/2004
Time: 10:53:57 AM
User: NT AUTHORITY\SYSTEM
Computer: DomainController
Description:
Pre-authentication failed:
User Name: BROSS-DESKTOP$
User ID: domainname\BROSS-DESKTOP$
Service Name: krbtgt/domain.NET
Pre-Authentication Type: 0x2
Failure Code: 0x18
Client Address: 192.168.130.148

=======================

The curious part for me here is that BROSS-DESKTOP is the name of the machine that the client is logging into, not his account!

So why is his server sending this information to the DC?

He logs in locally on this machine, and when this error occurs, eventually his domain account is disabled and people cannot browse to his shares...

This is totally bizarre. I know we aren't alone, but I have yet to see a resolution...

Anyone have any ideas?

Alshrim
System Administrator
MCSE, MCP+Internet
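The auditing approach described earlier in the thread (enable logon auditing on the DCs, then read the failure audits to see which client the bad credentials came from) and the Event ID 675 text pasted just above both come down to the same task: group the 0x18 pre-authentication failures by account and Client Address and see which source is racking up enough failures to trip the lockout threshold. The script below is an added example, not code from anyone in this thread; it parses Event Viewer text in the same "Key: Value" layout shown above. The sample events, account names, the EXAMPLE.NET domain and the 192.0.2.x addresses are constructed for the demonstration, and the threshold and window defaults are hypothetical stand-ins for whatever the domain's lockout policy actually says.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Kerberos failure code 0x18 (KDC_ERR_PREAUTH_FAILED): the KDC rejected the
# pre-authentication data, i.e. a wrong password was presented for the account.
PREAUTH_FAILED = "0x18"

# Template mirroring the Event ID 675 layout pasted from Event Viewer.
# Everything filled in below is constructed sample data.
_TEMPLATE = (
    "Event Type: Failure Audit\nEvent Source: Security\n"
    "Event Category: Account Logon\nEvent ID: 675\nDate: 10/14/2004\n"
    "Time: {time}\nUser: NT AUTHORITY\\SYSTEM\nComputer: DC01\nDescription:\n"
    "Pre-authentication failed:\nUser Name: {user}\nUser ID: EXAMPLE\\{user}\n"
    "Service Name: krbtgt/EXAMPLE.NET\nPre-Authentication Type: 0x2\n"
    "Failure Code: 0x18\nClient Address: {client}\n=======================\n"
)

# Three bad-password failures for jdoe from one workstation inside five minutes,
# one stray failure for jdoe from a second address, and one from a machine account.
SAMPLE_LOG = "".join([
    _TEMPLATE.format(user="jdoe", client="192.0.2.10", time="10:53:57 AM"),
    _TEMPLATE.format(user="jdoe", client="192.0.2.20", time="10:54:20 AM"),
    _TEMPLATE.format(user="jdoe", client="192.0.2.10", time="10:55:01 AM"),
    _TEMPLATE.format(user="WS42$", client="192.0.2.30", time="10:57:10 AM"),
    _TEMPLATE.format(user="jdoe", client="192.0.2.10", time="10:58:30 AM"),
])


def parse_events(text):
    """Split pasted Event Viewer text into one dict per event.

    An event starts at each 'Event Type:' line. Every 'Key: Value' line inside it
    becomes a dict entry; splitting on the first colon only keeps values such as
    'Time: 10:53:57 AM' intact. A 'timestamp' field is derived from Date + Time."""
    events = []
    for chunk in re.split(r"(?m)^(?=Event Type:)", text):
        fields = {}
        for line in chunk.splitlines():
            if ":" not in line or line.startswith("="):
                continue
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
        if fields.get("Event ID"):
            fields["timestamp"] = datetime.strptime(
                f"{fields['Date']} {fields['Time']}", "%m/%d/%Y %I:%M:%S %p")
            events.append(fields)
    return events


def preauth_failures(events):
    """Keep only Event ID 675 entries whose failure code is 0x18 (bad password)."""
    return [e for e in events
            if e.get("Event ID") == "675" and e.get("Failure Code") == PREAUTH_FAILED]


def failures_by_source(events):
    """Count 0x18 failures per (account, client address) pair."""
    counts = defaultdict(int)
    for e in preauth_failures(events):
        counts[(e["User Name"], e["Client Address"])] += 1
    return dict(counts)


def lockout_candidates(events, threshold=3, window=timedelta(minutes=30)):
    """Return (account, client) pairs with `threshold` or more bad-password failures
    inside any `window`: the sources that would trip a lockout policy using those
    values. The defaults are hypothetical; substitute the domain's real policy."""
    by_source = defaultdict(list)
    for e in preauth_failures(events):
        by_source[(e["User Name"], e["Client Address"])].append(e["timestamp"])
    hits = []
    for source, times in by_source.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.append(source)
                break
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for (user, client), n in sorted(failures_by_source(evs).items()):
        print(f"{user:<10} {client:<15} {n} x 0x18")
    print("likely lockout source(s):", lockout_candidates(evs))
```

The Client Address is the field that answers "which computer?"; once a single address dominates the 0x18 count for the locked account, that is the machine to inspect for the stale credential (disconnected terminal session, mapped drive, service or cached network password, as the earlier replies list).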
 
Not a fix, I know, but I've done a VBS script to check if the account's locked and, if so, unlock it. Set it as a scheduled task every 5-10 mins...

'// Name: unlockuser.vbs
'// Description: Script to unlock user accounts

Option Explicit

'//dim WshShell
'//Set WshShell = WScript.CreateObject("WScript.Shell")

dim UsrObj

'// Insert domain name on the following line
Const domain="PUT DOMAIN NAME HERE"

'// Prompt for User ID to unlock
'//userid = inputbox("Enter the User ID:", "Unlock User", "PUT ACCOUNT HERE")
'//WshShell.SendKeys "{ENTER}"

CONST userid="PUT ACCOUNT HERE"

Set UsrObj = GetObject("WinNT://" & domain & "/" & userid)
If UsrObj.IsAccountLocked = TRUE Then
UsrObj.IsAccountLocked = FALSE
UsrObj.SetInfo
End If

'// Display popup window on console indicating operation is complete
'//wscript.echo "Account " & domain & "\" & userid & " unlocked." & chr(13) & "Note: It may take as long as 15 minutes for this to take effect."
 
Cool script !

Alshrim
System Administrator
MCSE, MCP+Internet
 
Did anyone ever figure out a solution to this? We have this same issue.

Thanks,
Andrew
 
I had this a while back and found out that it was a virus. I think it was the spybot.gen.y virus (something like this).
It disguises itself as the MSN Messenger exe (msnmsgr.exe). The latest DATs from McAfee pick it up for definite; maybe worth running a full scan.
 
How do you enable logging of failed logon attempts?

I have 4 DCs so I assume I set this up in the Domain Controller Security Policy. Under Audit Policy, Audit logon events, I have it set to audit success and failure.

This should cover anyone logging in to the domain incorrectly, right?

It doesn't seem to be working... In Event Viewer, under Security, all I have are successful logins... Any ideas?

The DCs are getting the Domain Controller Security Policy...
 