Author Topic: Active Directory | User keeps getting locked out  (Read 2555 times)

jackaustin

Active Directory | User keeps getting locked out
« on: July 12, 2021, 04:20 AM »
Hey,

I have an AD account that keeps getting locked automatically after a few minutes. The user is able to log in on initial unlocking of the account but gets locked out thereafter. I have checked my account lockout policy and this is fine. Not something I've come across.

Any thoughts or ideas?

Thank you in advance.
« Last Edit: July 20, 2021, 01:27 PM by Deozaan, Reason: removing spam link »

AzureToad

Re: Active Directory | User keeps getting locked out
« Reply #1 on: July 19, 2021, 01:29 AM »
Are you getting logon failures in the Security event logs?
If so, do you have a service trying to run with the user's credentials?
How about a scheduled task?

Stoic Joker

Re: Active Directory | User keeps getting locked out
« Reply #2 on: July 19, 2021, 05:39 AM »
The logs will tell a story, rapid failures = under attack; every few minutes (constant) = old device with expired password.

Many other options exist, but those two are the most common.

x16wda

Re: Active Directory | User keeps getting locked out
« Reply #3 on: July 19, 2021, 06:09 AM »
If there was a password change recently then usually a phone, people don't ever remember to change the password there also. Also go into credentials manager (control panel) and clear the stuff out. But look at the 4740 security event for the machine name, usually (not always) there's one listed.

For tougher cases you can turn on netlogon logging on the DC (Google it, and don't forget to set a size value, 32 MB should be fine but I think it's in bytes) and check the log, that can help identify indirect causes. The log is in windows\debug\netlogon.log, which is renamed to .bak when it's full.
vi vi vi - editor of the beast
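
The cadence check and the 4740 source-machine lookup from the replies above, combined as an added example that is not part of the original thread. The function name `Get-LockoutPattern`, the threshold values and the sample records are assumptions constructed for illustration.

```powershell
# Input: records with .Time and .Source. For 4740 events on a DC these are
# TimeCreated and the caller computer name, which is Properties[1]:
#   Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740} | ForEach-Object {
#       [pscustomobject]@{ Time = $_.TimeCreated; Source = $_.Properties[1].Value } }
function Get-LockoutPattern {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [double] $RapidSeconds  = 5,    # assumed threshold: median gap at or below this is "rapid"
        [double] $SteadySeconds = 60,   # assumed threshold: median gap at or above this may be "steady"
        [double] $Jitter        = 0.2   # assumed: all gaps within 20% of the median
    )
    foreach ($group in ($Records | Group-Object Source)) {
        $times = @($group.Group | Sort-Object Time | ForEach-Object { $_.Time })
        if ($times.Count -lt 3) { continue }   # too few events to judge a cadence

        # Seconds between consecutive events from the same source
        $gaps = @(for ($i = 1; $i -lt $times.Count; $i++) {
            ($times[$i] - $times[$i - 1]).TotalSeconds
        })
        $sorted = @($gaps | Sort-Object)
        $median = $sorted[[int][math]::Floor($sorted.Count / 2)]
        $spread = $sorted[-1] - $sorted[0]

        $pattern = if ($median -le $RapidSeconds) {
            'rapid failures (possible attack)'
        } elseif ($median -ge $SteadySeconds -and $spread -le $Jitter * $median) {
            'steady interval (likely device or service with an old password)'
        } else {
            'irregular (check netlogon.log)'
        }
        [pscustomobject]@{
            Source       = $group.Name
            Events       = $times.Count
            MedianGapSec = [math]::Round($median, 1)
            Pattern      = $pattern
        }
    }
}

# Constructed sample data: one bursty source, one that retries about every 5 minutes
$t0 = Get-Date '2021-07-19T08:00:00'
$sample = @(
    0, 1, 2, 2, 3, 4 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds($_); Source = 'WKS-CONSTRUCTED-01' } }
    0, 300, 601, 899, 1200 | ForEach-Object {
        [pscustomobject]@{ Time = $t0.AddSeconds($_); Source = 'PHONE-CONSTRUCTED-02' } }
)
Get-LockoutPattern -Records $sample | Format-Table -AutoSize
```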

BGM

Re: Active Directory | User keeps getting locked out
« Reply #4 on: July 19, 2021, 08:56 AM »
Maybe delete that account and create for them a new one.

I think the idea of some service trying to log in is most likely. Maybe they set up a backup program using their AD login and later changed their password, causing the service to fail its login perpetually.

Deozaan

Re: Active Directory | User keeps getting locked out
« Reply #5 on: July 20, 2021, 01:29 PM »
This thread was started by a spammer who later edited their post to add spam links to it. The spam has been removed. But instead of just deleting the entire thread and the helpful replies along with it, I'm locking the thread.

wraith808

Re: Active Directory | User keeps getting locked out
« Reply #6 on: July 21, 2021, 09:44 AM »
We should probably move it too. I figured it was spam, but let it go. But the Screenshot Captor forum isn't the place for this thread, I think.