Active Directory | User keeps getting locked out

[jackaustin]

Hey,

I have an AD account that keeps getting locked automatically after a few minutes. The user is able to log in on initial unlocking of the account but gets locked out there after. I have checked my account lockout policy and this is fine. Not something I've come across.

Any thoughts or ideas?

Thank you in advance.

[AzureToad]

Are you getting logon failures in the Security event logs?
If so, do you have a service trying to run with the user's credentials?
How about a scheduled task?

[Stoic Joker]

The logs will tell a story, rapid failures = under attack; every few minutes (constant) = old device with expired password.

Many other options exist, but those two are the most common.

[x16wda]

If there was a password change recently then usually a phone, people don't ever remember to change the password there also. Also go into credentials manager (control panel) and cleat the stuff out. but look at the 4740 security event for the machine name, usually (not always) there's one listed.

For tougher cases you can turn on netlogon logging on the dc (google it, and don't forget to set a size value, 32mb should be fine but i think it's in bytes) and check the log, that can help identify indirect causes, the log is in windows\debug\netlogon.log which is renamed to .bak when it's full.

[BGM]

Maybe delete that account and create for them a new one. 

I think the idea of some service trying to log in is most likely.  Maybe they set up a backup program using their AD login and later changed their password, causing the service to fail its login perpetually.

[Deozaan]

This thread was started by a spammer who later edited their post to add spam links to it. The spam has been removed. But instead of just deleting the entire thread and the helpful replies along with it, I'm locking the thread.

[wraith808]

We should probably move it too. I figured it was spam, but let it go. But the Screenshot captor forum isn't the place for this thread, I think.