User Account Locked Out

Status
Not open for further replies.

pmidwest

Programmer
Jan 9, 2002
162
US
I've been having problems with a user's account getting mysteriously locked out: either the user can't log on in the mornings or is not able to access e-mail mid-day or late afternoon. I go into User Manager on the server and the account is locked out. Uncheck the lock out and everything is back to normal. Out of 17 users only one user seems to have this problem. Does anyone know what may be causing this? It's not every day that it happens but it's still pretty annoying. Any help would be greatly appreciated.

Thanks

Paul
 
Someone may be attempting to hack into the system with that username. Enable logging in the domain controller policies and set it to check failed logon attempts. If someone is attempting to break in with that username, it will show up in the log.
 
Another possibility is perhaps that user used his account to run a service. When you have a service or a scheduled task, they usually need to use a user account to run. The proper way to do it is to set up an account whose password never changes for this purpose. However sometimes people, to get quicker results, use their own account. Later when they change their password, the service or scheduled task starts to fail because it can no longer access the user account using the password that was given to it. Repeated attempts by the service will lock out the account.
 
We set all accounts so that the users cannot change their passwords, but this user had come to me about a month ago and requested a password change, and come to think of it that's probably around the same time it started to lock out the account... but like I said it doesn't happen every day, just once in a while...
Thanks for the input guys... I will check the domain controller tomorrow to see if anything is wrong there... If it does have something to do with the services, how would I go about finding out which one it is that's causing the problems? Is there an easy way to get around that? Or do I just have to pick through every service running on the machine?

Thanks again

Paul
 
pmidwest, I too have the same problem. I have to agree with packdragon. The bigger question is whether there is a tool to identify which service or task is attempting access?
 
This is a known issue and is apparently resolved by applying SP3 and Post-SP3 Updates.
What happens is that the incorrect password quota isn't reset by the server at the point of a successful login. Each successful attempt is incorrectly logged as an unsuccessful attempt (and that includes authentication for password protected screensavers) and when the quota is reached, the account is locked out.

However, applying the updates doesn't always work, as in one case we had.
The only solution left was to create a new account for the affected user.

 
If the user is logged onto another machine before the password change and never logged off then this could also be the cause.
 
I just had a little account lockout issue myself. We change our passwords on a regular basis, and once in a great while my account will be locked out repeatedly, for no apparent reason. I finally found that if you are logged into another machine, then you change your password and remain logged in to that other machine, requests to renew the ticket on that machine will fail and cause account lockouts. I found that I had forgotten to log off from one of the servers, and that was likely the cause for my lockouts.

I don't know yet of a tool you can use to track which service uses which account. It is kind of an annoying problem when you need to change passwords. I end up having to comb through the Services applet and check each service individually. The fastest thing for you to do would be to ask if that user set up any services. If you do end up combing through Services, create a document for future reference so all you have to do is scan through that instead.
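One way to answer the question raised in this thread (which services or scheduled tasks still run under a given user's account and may be replaying an old password), as an added example that is not from any of the posters. It assumes a current Windows version with PowerShell and WinRM reachable on each machine checked; the script's parameter and function names are this example's own.

```powershell
# Added example: list services and scheduled tasks that run as a named user.
# -User is the bare logon name (no domain); -ComputerName defaults to this machine.
param(
    [Parameter(Mandatory)] [string] $User,
    [string[]] $ComputerName = @($env:COMPUTERNAME)
)

# Escape wildcard characters so a name such as "svc[1]" is matched literally.
$escaped = [WildcardPattern]::Escape($User)

function Test-RunAs([string] $Identity) {
    # Accounts appear as "user", "DOMAIN\user", ".\user" or "user@domain".
    if (-not $Identity) { return $false }
    ($Identity -ieq $User) -or ($Identity -ilike "*\$escaped") -or ($Identity -ilike "$escaped@*")
}

$results = foreach ($computer in $ComputerName) {
    $session = $null
    try {
        $session = New-CimSession -ComputerName $computer -ErrorAction Stop

        # Services: Win32_Service.StartName holds the logon account.
        Get-CimInstance -CimSession $session -ClassName Win32_Service |
            Where-Object { Test-RunAs $_.StartName } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $computer; Kind = 'Service'
                                   Name = $_.Name; RunAs = $_.StartName; State = $_.State }
            }

        # Scheduled tasks: the run-as account is in Principal.UserId.
        Get-ScheduledTask -CimSession $session |
            Where-Object { Test-RunAs $_.Principal.UserId } |
            ForEach-Object {
                [pscustomobject]@{ Computer = $computer; Kind = 'Task'
                                   Name = $_.TaskPath + $_.TaskName
                                   RunAs = $_.Principal.UserId; State = $_.State }
            }
    } catch {
        # An unreachable machine is reported, not silently skipped.
        Write-Warning "$computer : $($_.Exception.Message)"
    } finally {
        if ($session) { Remove-CimSession $session }
    }
}

$results | Sort-Object Computer, Kind, Name | Format-Table -AutoSize
```

Any row it returns is a service or task that will keep presenting the stored password after the user changes it, so each one needs its credential updated or moved to a dedicated service account.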
 