Solving Domain Lockouts

DeaconFrost

We have one specific user who locks her account out several times a day. There's no rhyme or reason why. I've done remote sessions with her to assist in updating her password. I've cleared all cached credentials from Credential Manager. I've disabled every scheduled task that ran as her domain account. There's nothing showing in the event logs for any of her lockouts. We have SolarWinds monitoring in place that knows the lockout comes from her laptop (as opposed to her phone).

I'm completely at a loss for this, and several of us have tried with no luck. There's no pattern to the time in which she locks out.

Is there some kind of software I can load on her laptop that will give me some details, such as what application or process is causing this to happen?
 
Wireshark on your DCs, or just check your DC logs. I've seen this before with worm malware. Once it gets a hold of a username and PW it keeps trying to authenticate while copying to other computers from who knows where. Probably using an old password of hers.
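
One way to act on the "check your DC logs" suggestion above and then narrow it down to a process on the laptop, as an added example that is not part of any poster's reply. `$User` and `$Laptop` are placeholder values; it assumes the ActiveDirectory module, remote event log access, and that account lockout and logon failure auditing are enabled.

```powershell
# Added example; $User and $Laptop are placeholders, not values from the thread.
$User   = 'jdoe'        # placeholder sAMAccountName of the affected user
$Laptop = 'LAPTOP-01'   # placeholder name of the computer reported as the source

# Turn an event record's EventData into a hashtable keyed by field name.
function ConvertTo-EventFields {
    param([Parameter(Mandatory)] $Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# 1. PDC emulator: event 4740 (account locked out) names the source computer.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
    ForEach-Object {
        $f = ConvertTo-EventFields $_
        if ($f.TargetUserName -eq $User) {
            [pscustomobject]@{
                Time           = $_.TimeCreated
                User           = $f.TargetUserName
                # 4740 stores the caller computer name in TargetDomainName
                CallerComputer = $f.TargetDomainName
            }
        }
    } | Sort-Object Time | Format-Table -AutoSize

# 2. Source computer: 4625 (failed logon) and 4648 (logon attempted with
#    explicit credentials) both record the calling process in ProcessName.
Get-WinEvent -ComputerName $Laptop -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4648 } |
    ForEach-Object {
        $f = ConvertTo-EventFields $_
        if ($f.TargetUserName -eq $User) {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                EventId   = $_.Id
                Process   = $f.ProcessName
                LogonType = $f.LogonType          # present on 4625 only
                Target    = $f.TargetServerName   # present on 4648 only
            }
        }
    } | Group-Object EventId, Process |
        Sort-Object Count -Descending |
        Select-Object Count, Name
```

If the laptop is not reachable remotely, drop `-ComputerName $Laptop` and run step 2 in an elevated session on the laptop itself; an empty result usually means the relevant audit policy is not enabled rather than that nothing failed.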
 
She doesn't have any web consoles to log in with AD credentials, but I cleared her Chrome history.
 
I've actually seen this before. We had opened a ticket with Microsoft and as I recall, there is something wrong with the profile causing that.
 
I was going to suggest wiping her profile from the PC (backup first) and recreating it.
 
I can see that being a potential solution. She's remote, but I believe we have LogMeIn on her laptop that would help with this. We also have Cisco AnyConnect available at the login screen for this very purpose.
 