Solving Domain Lockouts

Discussion in 'Operating Systems' started by DeaconFrost, Aug 1, 2019.

  1. DeaconFrost

    DeaconFrost [H]ardForum Junkie

    We have one specific user who locks her account out several times a day. There's no rhyme or reason why. I've done remote sessions with her to assist in updating her password. I've cleared all cached credentials from Credential Manager. I've disabled every scheduled task that ran as her domain account. There's nothing showing in the event logs for any of her lockouts. We have SolarWinds monitoring in place that knows the lockout comes from her laptop (as opposed to her phone).

    I'm completely at a loss for this, and several of us have tried with no luck. There's no pattern to the time in which she locks out.

    Is there some kind of software I can load on her laptop that will give me some details, such as what application or process is causing this to happen?
     
  2. bigdogchris

    bigdogchris [H]ard as it Gets

    Wireshark on your DCs, or just check your DC logs. I've seen this before with worm malware. Once it gets a hold of a username and PW it keeps trying to authenticate while copying to other computers from who knows where. Probably using an old password of hers.
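
One way to act on the "check your DC logs" suggestion and to see which process on the laptop is sending the bad credentials, as an added example that is not part of the original thread. It assumes the ActiveDirectory RSAT module, that "Audit User Account Management" is enabled on the DCs and logon-failure auditing is enabled on the workstation, and that the Security logs are readable remotely; `jdoe` is a placeholder account name.

```powershell
# Added example (not from the thread). Run from an admin workstation.
# 'jdoe' is a placeholder sAMAccountName; pass the real one with -User.
param([string]$User = 'jdoe', [int]$Hours = 24)

Import-Module ActiveDirectory
$pdc   = (Get-ADDomain).PDCEmulator      # lockouts are reported to the PDC emulator
$since = (Get-Date).AddHours(-$Hours)

# Flatten an event's <EventData> into a name -> value hashtable.
function Get-EventFields($Record) {
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# Step 1 (DC side): 4740 = "A user account was locked out".
# In 4740 the TargetDomainName field holds the caller computer name.
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $f = Get-EventFields $_
        if ($f.TargetUserName -eq $User) {
            [pscustomobject]@{ Time = $_.TimeCreated; Caller = $f.TargetDomainName }
        }
    }
$lockouts | Sort-Object Time | Format-Table -AutoSize

# Step 2 (source side): 4625 = failed logon, recorded on the machine where the
# attempt was made. ProcessName and LogonType point at the offending component.
$callers = @($lockouts | ForEach-Object Caller | Sort-Object -Unique)
foreach ($pc in $callers) {
    Get-WinEvent -ComputerName $pc -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = $since } |
        ForEach-Object {
            $f = Get-EventFields $_
            if ($f.TargetUserName -eq $User) {
                [pscustomobject]@{
                    Time      = $_.TimeCreated; Computer  = $pc
                    LogonType = $f.LogonType;   Process   = $f.ProcessName
                    SourceIP  = $f.IpAddress;   SubStatus = $f.SubStatus
                }
            }
        } | Format-Table -AutoSize
}
```

`-ErrorAction SilentlyContinue` hides the "no events found" error but also hides connection failures, so drop it if a step returns nothing unexpectedly. A SubStatus of 0xC000006A means a wrong password was supplied.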
     
  3. Farva

    Farva Shens!

    Did you clear credentials from her browsers?
     
  4. DeaconFrost

    DeaconFrost [H]ardForum Junkie

    She doesn't have any web consoles to log in with AD credentials, but I cleared her Chrome history.
     
  5. Dan_D

    Dan_D [H]ard as it Gets

    I've actually seen this before. We had opened a ticket with Microsoft and as I recall, there is something wrong with the profile causing that.
     
    Farva likes this.
  6. dbwillis

    dbwillis [H]ardness Supreme

    I was going to suggest wiping her profile from the PC (backup first) and recreating.
     
    jlbenedict likes this.
  7. DeaconFrost

    DeaconFrost [H]ardForum Junkie

    I can see that being a potential solution. She's remote, but I believe we have LogMeIn on her laptop that would help with this. We also have Cisco AnyConnect available at the login screen for this very purpose.