Announcement

Collapse
No announcement yet.

Few domain users getting locked frequently

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Few domain users getting locked frequently

    Hi,

    Some of the domain users in our branches are getting locked quite frequently. They claim to be typing there credentials correctly but not able to find why these users are getting locked. Please help..

    Regards,
    Anishk

  • #2
    Re: Few domain users getting locked frequently

    If you are sure they are entering the credentials correctly (remembering most users have the memory of a goldfish when it comes to passwords ), I would look for cached (old) credentials such as password for web or network resources. Depending on the client OS, you should be able to see cached credentials somewhere in the advanced user properties on the local machine
    Tom Jones
    MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
    PhD, MSc, FIAP, MIITT
    IT Trainer / Consultant
    Ossian Ltd
    Scotland

    ** Remember to give credit where credit is due and leave reputation points where appropriate **

    Comment


    • #3
      Re: Few domain users getting locked frequently

      Ok Osian,

      Is there any way to delete the cached credentials for computers belonging in to a group ?


      Regards,
      Anishk


      ==================


      Originally posted by Ossian View Post
      If you are sure they are entering the credentials correctly (remembering most users have the memory of a goldfish when it comes to passwords ), I would look for cached (old) credentials such as password for web or network resources. Depending on the client OS, you should be able to see cached credentials somewhere in the advanced user properties on the local machine

      Comment


      • #4
        Re: Few domain users getting locked frequently

        Any particular OS?
        Tom Jones
        MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
        PhD, MSc, FIAP, MIITT
        IT Trainer / Consultant
        Ossian Ltd
        Scotland

        ** Remember to give credit where credit is due and leave reputation points where appropriate **

        Comment


        • #5
          Re: Few domain users getting locked frequently

          Hi,

          This is happening for both win 7 and win xp. I checked the stored credential manager but it is empty. Is there any way to remove a particular username password saved/stored from all the computers ?
          These users are getting locked out very fast even without the user trying to login.




          Regards,
          Anishk


          Originally posted by Ossian View Post
          Any particular OS?

          Comment


          • #6
            Re: Few domain users getting locked frequently

            Originally posted by Anishk View Post
            These users are getting locked out very fast even without the user trying to login.
            Well, then somebody else is trying to log in using the wrong password.

            Are you running services that are exposed to the Internet, like webmail, VPN, or remote desktop services? Do the accounts in question have usernames that are particularly common, so that they are likely to exist in a list used by a brute force or dictionary based password cracking tool?

            Turn on auditing and check the Security log the next time an account is locked out. That should tell you from where the login attempt originated.

            Comment


            • #7
              Re: Few domain users getting locked frequently

              you can look at services.msc (from the "run" command) and look at how the services log on. sort them by logon and see if any happen to coincide with the users in question...

              you could also put a keylogger on the users or a packet capture to find out where the failed credentials are being passed.
              its easier to beg forgiveness than ask permission.
              Give karma where karma is due...

              Comment


              • #8
                Re: Few domain users getting locked frequently

                If I remember rightly, been a while since I've had to look, you can search the security event logs on a DC and it should tell you which system is causing this.

                There is also a tool call Account Lockout Status which should help.

                http://www.microsoft.com/en-us/downl....aspx?id=15201

                Comment


                • #9
                  Re: Few domain users getting locked frequently

                  wullieb1 is on point, this is true.

                  you can look for failure audits in the security logs of any of your AD servers and see who is passing bad what. you can filter the events to focus on one user in particular or a group or whatever...

                  really shouldnt be that hard to find out which one is the culprit.
                  its easier to beg forgiveness than ask permission.
                  Give karma where karma is due...

                  Comment


                  • #10
                    Re: Few domain users getting locked frequently

                    I had this same issue a couple of weeks ago on my work PC. I was being locked out almost immediately after unlocking my account.

                    I checked services.msc and also checked the credentials being used by the various scheduled tasks - all were fine

                    I run Spiceworks on my computer using my account to authenticate PC connections etc and had changed my domain password while on holiday. I changed the password in Spiceworks after the lockouts started but it made no difference. I had to uninstall Spiceworks after which the lockouts stopped.

                    So, do you have any software running that uses those users' credentials to gain network access? What do the affected users have in common?
                    A recent poll suggests that 6 out of 7 dwarfs are not happy

                    Comment


                    • #11
                      Re: Few domain users getting locked frequently

                      I've used this before http://www.netwrix.com/account_lockout_examiner.html along with Microsoft'S tool LockoutStatus.exe to help narrow things down.

                      The typical reasons for account lockouts i've found are:
                      -Old cached credentials in credential manger.
                      -PDA's/E-Mail with old password.
                      -Mapped drives.
                      -services
                      -scheduled tasks running under stale credentials,
                      -disconnected remote desktop/citrix sessions,
                      -processes running under a locked account.
                      Please remember to award reputation points if you have received good advice.
                      I do tend to think 'outside the box' so others may not always share the same views.

                      MCITP -W7,
                      MCSA+Messaging, CCENT, ICND2 slowly getting around to.

                      Comment


                      • #12
                        Re: Few domain users getting locked frequently

                        What about "Account Lockout Status tool" ?
                        If issue still persist, download "Get-LockedOut Location" script from below given technet reference. It will help you to find the exact location and root-cause of this weird account locked-out issue : gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab


                        Regards,
                        Andrew
                        lepide.com

                        Comment


                        • #13
                          Re: Few domain users getting locked frequently

                          do their passwords expire via policy?
                          Are they forgetting to update their mobile phones checking emails ?
                          Please do show your appreciation to those who assist you by leaving Rep Point https://www.petri.com/forums/core/im.../icon_beer.gif

                          Comment

                          Working...
                          X