General discussion

  • #2179067

    Domain Account Lockout

    Locked

    by thewrightman ·

    I have a tough one.

    My domain user account is periodically getting locked out. I have downloaded some troubleshooting tools and have found that something is causing a bad password to be thrown at the domain controller every 15 minutes exactly. It is not coming from my local workstation (I don’t think). I have no services running with my account credentials. I have no scheduled tasks running with my old password (that I can find). Security logs on the domain controller do not give enough info to diagnose the problem. And, the Netlogon.log file does not show any unusual activity.

    Here is the weird part. If I have Outlook running on my local machine, connected to the Exchange server, my account does not get locked out, and the bad password count is reset to zero pretty often. If Outlook is not running, I get locked out after the 5 bad password count is reached.
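The question above describes a bad password reaching the domain controller every 15 minutes exactly. As an added example (not from any poster in this thread), the Python below groups failed logons in Netlogon debug-log text by source machine and reports sources that fail on a fixed timer, which points to a stored credential rather than a person typing. The log lines are constructed, the line layout and the year (Netlogon timestamps carry none) are assumptions, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample in the Netlogon debug-log layout; all names are hypothetical.
SAMPLE_LOG = r"""
03/14 09:00:02 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from FILESRV02 Entered
03/14 09:00:02 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from FILESRV02 Returns 0xC000006A
03/14 09:03:41 [LOGON] CORP: SamLogon: Network logon of CORP\asmith from WKS-201 Returns 0x0
03/14 09:07:10 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from WKS-114 Returns 0xC000006A
03/14 09:07:25 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from WKS-114 Returns 0x0
03/14 09:15:02 [LOGON] CORP: SamLogon: Transitive Network logon of CORP\jdoe from FILESRV02 (via DC02) Returns 0xC000006A
03/14 09:30:03 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from FILESRV02 Returns 0xC000006A
03/14 09:45:02 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from FILESRV02 Returns 0xC000006A
03/14 10:00:02 [LOGON] CORP: SamLogon: Network logon of CORP\jdoe from FILESRV02 Returns 0xC0000234
""".strip()

# NTSTATUS values that matter for lockout hunting.
FAILURES = {
    "0xc000006a": "STATUS_WRONG_PASSWORD",
    "0xc0000234": "STATUS_ACCOUNT_LOCKED_OUT",
}
# Only "Returns" lines carry a status; "Entered" lines do not match.
LINE = re.compile(
    r"^(\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*? logon of (\S+) from (\S+)"
    r".*? Returns (0x[0-9A-Fa-f]+)", re.M)

def failures_by_source(log_text, account, year=2000):
    """Map source machine -> sorted times of failed logons for `account`."""
    hits = defaultdict(list)
    for ts, acct, src, code in LINE.findall(log_text):
        if acct.lower() == account.lower() and code.lower() in FAILURES:
            # The log has no year; `year` is an assumption supplied by the caller.
            hits[src].append(datetime.strptime(f"{year} {ts}", "%Y %m/%d %H:%M:%S"))
    return {src: sorted(times) for src, times in hits.items()}

def periodic_sources(log_text, account, tolerance=5):
    """Return {source: median gap in seconds} for sources failing on a fixed timer."""
    result = {}
    for src, times in failures_by_source(log_text, account).items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # Need at least three failures, all spaced within `tolerance` seconds.
        if len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance:
            result[src] = median(gaps)
    return result

if __name__ == "__main__":
    for src, gap in periodic_sources(SAMPLE_LOG, r"CORP\jdoe").items():
        print(f"{src}: failed logon roughly every {gap / 60:.0f} minutes")
```

A source that shows up here is the machine to inspect for stored credentials such as mapped drives, services or scheduled tasks; a single failure from another machine, like the one from WKS-114 in the sample, is not reported.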

All Comments

    • #3135860

      Reply To: Domain Account Lockout

      by rickrbyrne ·

      In reply to Domain Account Lockout

      Could it be someone trying to hack your network?

    • #3135635

      Reply To: Domain Account Lockout

      by jc2it ·

      In reply to Domain Account Lockout

      Try running a port scanner like Ethereal for 30-45 minutes or so on the server that is receiving the bad login requests, or a promiscuous port on your network switch. You should be able to determine where the password request is coming from. Maybe an old file share, or you ran an automatic program as your login once.

      Job Cacka

      • #3135633

        Reply To: Domain Account Lockout

        by jc2it ·

        In reply to Reply To: Domain Account Lockout

        You know, it could be that Outlook is trying to log in to get your email while it is offline, but is using an old password. There is a checkbox in Outlook’s options that disables this “Feature”.

      • #3119535

        Reply To: Domain Account Lockout

        by thewrightman ·

        In reply to Reply To: Domain Account Lockout

        Poster rated this answer.

    • #3118869

      Reply To: Domain Account Lockout

      by rcom ·

      In reply to Domain Account Lockout

      You could have a bug that is trying to send itself out with an email client. Time to scan for viruses and others.

    • #3119484

      Reply To: Domain Account Lockout

      by sgt_shultz ·

      In reply to Domain Account Lockout

      ew
      that is creepy.
      you should be able to track this down pretty well. you immediately changed your username and password, right? and locked out the old account right?
      could you be using odbc connector and have changed passwords lately or something. any scheduled tasks running?
      if you are not seeing this in security event log on server what ‘info’ are you getting there?
      do you have time synched to domain controller in your network?

    • #3119531

      Reply To: Domain Account Lockout

      by thewrightman ·

      In reply to Domain Account Lockout

      This question was closed by the author

    • #2441401

      Hello

      by agrawalpiyush ·

      In reply to Domain Account Lockout

      Hi, I have been busy with IT projects, hence the late reply. Catching up on all the updates, I suggest you:

      1. Launch Procmon on the domain hosting the accounts and leave it to run, then dump the results when the lockup occurs.

      2. You will definitely need to do an out of hours/weekend investigation on the domain controller and restart it completely.

      3. Possibly create the user another account similar to the other one then migrate all his Data etc to the newly created profile/user share, then delete or disable the other account

      4. Ensure that the domain god account has accessibility for any possible sub lockouts lower down the AD hierarchy

      Hope my suggestion aids you in coming to a solution.
