Few domain users getting locked frequently


This topic contains 12 replies, has 10 voices, and was last updated by bluewolf6976 5 years, 6 months ago.

  • Avatar
    Anishk
    Participant
    #163960

    Hi,

    Some of the domain users in our branches are getting locked quite frequently. They claim to be typing their credentials correctly, but we are not able to find out why these users are getting locked. Please help.

    Regards,
    Anishk

    Avatar
    Ossian
    Moderator
    #189754

    Re: Few domain users getting locked frequently

    If you are sure they are entering the credentials correctly (remembering most users have the memory of a goldfish when it comes to passwords :twisted:), I would look for cached (old) credentials such as password for web or network resources. Depending on the client OS, you should be able to see cached credentials somewhere in the advanced user properties on the local machine

    Avatar
    kgoering
    Member
    #386584

    Re: Few domain users getting locked frequently

    Ok Ossian,

    Is there any way to delete the cached credentials for computers belonging to a group?

    Regards,
    Anishk

    ==================

    Ossian;284948 wrote:
    If you are sure they are entering the credentials correctly (remembering most users have the memory of a goldfish when it comes to passwords :twisted:), I would look for cached (old) credentials such as password for web or network resources. Depending on the client OS, you should be able to see cached credentials somewhere in the advanced user properties on the local machine
    Avatar
    Ossian
    Moderator
    #189756

    Re: Few domain users getting locked frequently

    Any particular OS?

    Avatar
    kgoering
    Member
    #386587

    Re: Few domain users getting locked frequently

    Hi,

    This is happening for both win 7 and win xp. I checked the stored credential manager but it is empty. Is there any way to remove a particular username password saved/stored from all the computers ?
    These users are getting locked out very fast even without the user trying to login.

    Regards,
    Anishk

    Ossian;284968 wrote:
    Any particular OS?
    Avatar
    universal
    Member
    #388690

    Re: Few domain users getting locked frequently

    Anishk;285738 wrote:
    These users are getting locked out very fast even without the user trying to login.

    Well, then somebody else is trying to log in using the wrong password.

    Are you running services that are exposed to the Internet, like webmail, VPN, or remote desktop services? Do the accounts in question have usernames that are particularly common, so that they are likely to exist in a list used by a brute force or dictionary based password cracking tool?

    Turn on auditing and check the Security log the next time an account is locked out. That should tell you from where the login attempt originated.

    Avatar
    James Haynes
    Member
    #252061

    Re: Few domain users getting locked frequently

    you can look at services.msc (from the “run” command) and look at how the services log on. sort them by logon and see if any happen to coincide with the users in question…

    you could also put a keylogger on the users or a packet capture to find out where the failed credentials are being passed.

    Avatar
    wullieb1
    Moderator
    #244824

    Re: Few domain users getting locked frequently

    If I remember rightly, been a while since I’ve had to look, you can search the security event logs on a DC and it should tell you which system is causing this.

    There is also a tool called Account Lockout Status which should help.

    http://www.microsoft.com/en-us/download/details.aspx?id=15201

    Avatar
    James Haynes
    Member
    #252062

    Re: Few domain users getting locked frequently

    wullieb1 is on point, this is true.

    you can look for failure audits in the security logs of any of your AD servers and see who is passing bad what. you can filter the events to focus on one user in particular or a group or whatever…

    really shouldn't be that hard to find out which one is the culprit. ;)
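
The Security-log search suggested in the replies above, as an added example that is not part of the original thread. It assumes domain controllers running Windows Server 2008 or later (where a lockout is logged as event 4740), the ActiveDirectory module from RSAT, and rights to read the Security log on the PDC emulator; `jdoe` is a placeholder account name.

```powershell
# Added example: list recent lockouts for one account and the machine that caused them.
param(
    [string]$User = 'jdoe',   # placeholder account name
    [int]$Days = 2            # how far back to search
)

Import-Module ActiveDirectory

# Every lockout is forwarded to the PDC emulator, so its Security log
# records a 4740 event for each one, whichever DC saw the bad passwords.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740          # "A user account was locked out"
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Read the named EventData fields instead of relying on property order.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -ne $User) { continue }

    [pscustomobject]@{
        Time   = $e.TimeCreated
        User   = $data['TargetUserName']
        # In event 4740 the TargetDomainName field carries the caller computer name.
        Source = $data['TargetDomainName']
    }
}

# Timeline first, then a count per source machine.
$lockouts | Sort-Object Time | Format-Table -AutoSize
$lockouts | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
```

A source that is a mail gateway, VPN concentrator or terminal server means the bad passwords are arriving through that service, so the next place to look is that system's own logs.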

    Blood
    Blood
    Moderator
    #336540

    Re: Few domain users getting locked frequently

    I had this same issue a couple of weeks ago on my work PC. I was being locked out almost immediately after unlocking my account.

    I checked services.msc and also checked the credentials being used by the various scheduled tasks – all were fine

    I run Spiceworks on my computer using my account to authenticate PC connections etc and had changed my domain password while on holiday. I changed the password in Spiceworks after the lockouts started but it made no difference. I had to uninstall Spiceworks after which the lockouts stopped.

    So, do you have any software running that uses those users’ credentials to gain network access? What do the affected users have in common?

    Avatar
    uk_network
    Member
    #307942

    Re: Few domain users getting locked frequently

    I’ve used this before http://www.netwrix.com/account_lockout_examiner.html along with Microsoft’s tool LockoutStatus.exe to help narrow things down.

    The typical reasons for account lockouts I’ve found are:
    - Old cached credentials in Credential Manager.
    - PDAs/e-mail with old password.
    - Mapped drives.
    - Services.
    - Scheduled tasks running under stale credentials.
    - Disconnected remote desktop/Citrix sessions.
    - Processes running under a locked account.
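
A local check for most of the causes listed above, as an added example that is not part of the original thread. It assumes Windows PowerShell on the suspect machine, run in the affected user's session, with English-language `schtasks` column names; `jdoe` is a placeholder account name.

```powershell
# Added example: find where one account's credentials are stored or used on this machine.
param([string]$User = 'jdoe')    # placeholder account name

# Matches DOMAIN\jdoe, jdoe@domain and bare jdoe.
$rx = '(^|\\)' + [regex]::Escape($User) + '(@|$)'

'--- Services logging on as the account ---'
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName -match $rx } |
    Select-Object Name, StartName, State | Format-Table -AutoSize

'--- Scheduled tasks running as the account ---'
# Column names below are those of English-language Windows.
schtasks.exe /query /fo csv /v | ConvertFrom-Csv |
    Where-Object { $_.'Run As User' -match $rx } |
    Select-Object TaskName, 'Run As User', Status -Unique | Format-Table -AutoSize

'--- Mapped drives and the identity each connection uses ---'
Get-WmiObject Win32_NetworkConnection |
    Select-Object LocalName, RemoteName, UserName | Format-Table -AutoSize

'--- Entries in Credential Manager (Windows Vista and later) ---'
cmdkey.exe /list

'--- Sessions on this machine, including disconnected ones ---'
quser.exe
```

Anything the script lists for the account still holds the password it was given when it was configured, so each entry has to be updated or removed after a password change.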

    Avatar
    bluewolf6976
    Member
    #390194

    Re: Few domain users getting locked frequently

    What about “Account Lockout Status tool” ?
    If the issue still persists, download the “Get-LockedOutLocation” script from the TechNet reference given below. It will help you find the exact location and root cause of this weird account lockout issue: gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab

    Regards,
    Andrew
    lepide.com

    tehcamel
    tehcamel
    Moderator
    #359769

    Re: Few domain users getting locked frequently

    do their passwords expire via policy?
    Are they forgetting to update their mobile phones checking emails ?
