AD users randomly getting locked out

c0rpt3ch

Currently have 50 or so users on a domain. The main DC is a Dell PowerEdge 720 running Server 2008 R2 with an identical machine for the BDC. Recently we've started having issues with user accounts becoming locked out for no apparent reason.

I'm running NetWrix Account Lockout Examiner and can see when the users start accumulating 'strikes' against their accounts. I've physically watched someone lock their workstation and it still accumulates bad password counts until it gets locked out. This has me thinking it's a system thing and not a user thing (as much as I'd like to blame the users).

It only affects about a third of the users and out of those it seems to be really bad for 2 or 3 of them. I've had some instances where a user account is getting locked out every 5 minutes, then it'll work fine for hours.

I've looked to see if they had any scheduled tasks running that might be causing issues but no one had anything.

I've checked Windows logs but I can't see anything that stands out. I'm assuming it's an old Group Policy or something that no longer exists that their accounts are still looking for.

If anyone has any ideas on what could be causing this I'd appreciate it.
 
Look for scheduled tasks that try to run as that user. I have seen iTunes put in a bunch of tasks and run every minute with a user's old password, and she was always complaining about being locked out lol
 
If you are running Exchange in your environment, I've seen ActiveSync devices with outdated passwords cause this behavior as well.
 
I checked scheduled tasks and didn't see anything that shouldn't be there.

We have a hosted Exchange Server for our emails. Once a user is set up their email password doesn't change so I don't think it's a sync issue with that.

I do believe it's something trying to sync back somewhere that has outdated credentials. I just need a way to track down what it is.
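
One way to track down which machine is sending the bad passwords, as an added example that is not part of any post in this thread: Security event ID 4740 ("A user account was locked out") is logged on the domain controller holding the PDC emulator role and names the caller computer. The function names, `DC01`, and the sample accounts and computers are constructed placeholders, and the sketch assumes auditing of user account management is enabled.

```powershell
# Added example (not from the thread): summarize lockout events (ID 4740)
# by locked account and the computer the failed logons came from.
function ConvertFrom-LockoutEventXml {
    param([Parameter(Mandatory=$true, ValueFromPipeline=$true)][string]$EventXml)
    process {
        $e = ([xml]$EventXml).Event
        # Flatten <Data Name="...">value</Data> into a lookup table.
        $data = @{}
        foreach ($d in $e.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        New-Object PSObject -Property @{
            Time           = $e.System.TimeCreated.GetAttribute('SystemTime')
            Account        = $data['TargetUserName']
            # In event 4740 the TargetDomainName field holds the caller computer name.
            CallerComputer = $data['TargetDomainName']
        }
    }
}

function Get-LockoutSummary {
    param([Parameter(Mandatory=$true)][object[]]$Record)
    # Most frequent account/computer pairs first.
    $Record | Group-Object Account, CallerComputer |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample events (hypothetical names), trimmed to the fields used.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4740</EventID><TimeCreated SystemTime="{0}" /></System>
  <EventData>
    <Data Name="TargetUserName">{1}</Data>
    <Data Name="TargetDomainName">{2}</Data>
  </EventData>
</Event>
'@
$sample = @(
    ($template -f '2013-03-05T14:02:11Z', 'jsmith', 'WS-ACCT-07'),
    ($template -f '2013-03-05T14:07:40Z', 'jsmith', 'WS-ACCT-07'),
    ($template -f '2013-03-05T14:09:02Z', 'mjones', 'LAPTOP-12')
)
Get-LockoutSummary -Record ($sample | ConvertFrom-LockoutEventXml)

# Live use against the PDC emulator ('DC01' is a placeholder):
# $xml = Get-WinEvent -ComputerName DC01 -FilterHashtable @{LogName='Security'; Id=4740} |
#     ForEach-Object { $_.ToXml() }
# Get-LockoutSummary -Record ($xml | ConvertFrom-LockoutEventXml)
```

A caller computer that keeps reappearing for the same account is the place to look next for saved credentials, services, or devices still using an old password.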
 
I appreciate the input from everyone.

I've checked the mapped drives and everything looks good on that end. Our users generally only have 3 or 4 mapped drives anyway and they all look good.

I will be running the Microsoft Process Monitor utility today and hopefully it'll give me something to work with.

The odd thing is it's not a domain-wide issue. It's limited to a certain group of users, all of whose profiles are over 5 years old. My thought is maybe someone modified an old Group Policy or it's a bad cached password.
 
I really think the ActiveSync devices were a good tip, I've seen this as well. They just keep trying to auth with the locally saved user/pass, eventually locking the account.

Also, if they're Win 7 clients, look in Credential Manager and remove any saved credentials for any of your domain services.
 
We STILL have this problem. We also use Netwrix. It is not as bad the past couple months. For a while we would have 3-4 users at a time that would get locked out multiple times a day for about 2 weeks. No one could chase down the ghost. Luckily we have ~1500 users so 3-4 was a small percentage.
 
I read that Conficker can cause similar issues. I've added that to my list of stuff to work through.

I've gone ahead and re-mapped the network drives on the one user with the highest percentage of lock-outs and that didn't seem to make a difference.

We had a similar issue last year and then it tapered off until last week when it sprang back up again.
 