W2K3 domain user gets locked out every 24 hours?

mdcr1

IS-IT--Management
Dec 3, 2009
We have a user that got locked out of the network (couldn't access network drives, but for some reason could still send emails) at 5pm yesterday. We unlocked the account, reset the password, ran an anti-virus scan, and didn't find anything. Today at 5:05 (24 hours after unlocking the account originally), the user got locked out again. Any ideas? A service that starts every 24 hours? This user says they weren't prompted to change their password in the last couple of days either. We did have a DC go down four days ago and needed to transfer FSMO roles to a new server and add DNS to this new server as well, but no one else on the entire network (150 users) has experienced any issues like this. Thanks in advance for any help you can offer!
 
Check the security logs on the DC to see if there is a job or service trying to authenticate against the account. It should tell you what machine the login is coming from as well.
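
The check suggested in the reply above, sketched as an added example (not part of the original thread): it reads a Security log export, keeps the account-lockout events, and flags any account/machine pair whose lockouts repeat on a 24-hour cycle, which points to a scheduled job or service using a stale credential. The CSV column names, account names and machine names are constructed assumptions; event ID 644 is the Windows Server 2003 lockout audit event (4740 on Server 2008 and later).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Security log rows exported to CSV (column names are an
# assumption). Event 644 (Server 2003) / 4740 (2008+) is "user account locked
# out" and records the caller machine; 529 is a failed logon, ignored here.
SAMPLE_EXPORT = """TimeGenerated,EventID,TargetAccount,CallerMachine
2009-12-01 17:00:12,644,jdoe,WKSTN-042
2009-12-02 09:14:55,644,asmith,WKSTN-007
2009-12-02 17:05:03,644,jdoe,WKSTN-042
2009-12-03 17:04:47,644,jdoe,WKSTN-042
2009-12-03 17:30:00,529,jdoe,WKSTN-042
"""

LOCKOUT_IDS = {"644", "4740"}


def load_lockouts(text):
    """Return {(account, caller_machine): [sorted lockout datetimes]}."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if row["EventID"].strip() not in LOCKOUT_IDS:
            continue
        when = datetime.strptime(row["TimeGenerated"].strip(), "%Y-%m-%d %H:%M:%S")
        key = (row["TargetAccount"].strip().lower(), row["CallerMachine"].strip().upper())
        events[key].append(when)
    return {k: sorted(v) for k, v in events.items()}


def recurring_lockouts(text, period=timedelta(hours=24), tolerance=timedelta(minutes=15)):
    """Flag account/machine pairs whose lockouts repeat at a fixed period."""
    findings = []
    for (account, caller), times in load_lockouts(text).items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        # Needs at least one gap, and every gap must sit within tolerance of the period.
        if gaps and all(abs(g - period) <= tolerance for g in gaps):
            findings.append({"account": account, "caller": caller,
                             "count": len(times),
                             "time_of_day": times[-1].strftime("%H:%M")})
    return findings


if __name__ == "__main__":
    for f in recurring_lockouts(SAMPLE_EXPORT):
        print("{account}: {count} lockouts from {caller}, about every 24h near {time_of_day}".format(**f))
```

A flagged pair names the machine to inspect for scheduled tasks, services, mapped drives or saved credentials that still hold the old password.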
 
Checked the event viewer and there is also an entry in the Application log that shows an error with an event ID of 1053, source of Userenv (Windows cannot determine the user or computer name, Group policy processing aborted) for the last two nights at around 5:00pm....
 
I had checked that link previously, and we went through and cleaned up AD by removing the old server and adding the IRPStackSize registry key on that problem computer/user's computer. On the new server, we did find an error & warning specifically mentioning that problem user at the same time as they were getting locked out, and eventid.net referenced the fact that one of the DCs might have old information on it... still don't know why it's only at 5pm that it's happening, but we will see if any of the things we did today have fixed it shortly.
 
That day was the last day this error happened. We ran the NTDSUtil.exe tool to manually remove the dead server from AD and then forced replication for all the other servers. At 5pm that next night, the user did not get locked out, and hasn't since. Every now and then, we'll still get a machine that can't log on, saying "the domain could not be contacted", but we've ended up logging in off the network, plugging the network cord back in, then flushing and registering the DNS with the IPCONFIG command, so it may still have some network issues, but for the most part, we've resolved that original problem... Thanks!
 