
I have a user that gets locked out of their AD account almost daily and sometimes multiple times a day.

The account even gets locked out when they are not working. They utilize 3 different computers, two of which generate the lockouts, so I know at least the devices. It seems that when the user is using RDP they tend to get locked out almost immediately afterwards, but not always.

I do not have control over the DC or the AD; I have limited access to the AD and limited permissions. We are a large organization, and members of my group simply say wipe them, re-image, done.

I would like to know what is causing this and try to troubleshoot it to resolve it. There is specialized software loaded on these machines, and going through the process of getting the licenses installed is a nightmare and a real pain (plus they are older versions that we are required to have), so I would like to avoid that scenario.

So how can I track this down to the application? I have searched event logs and it seems to be related to terminal services.

I have checked scheduled tasks and cannot find anything. I have looked at running services and applications at startup on both machines and do not seem to find anything.

StixO
  • This question has been asked hundreds of times. There isn't a single cause, but you aren't going to make much progress unless the AD team is engaged. There also is nearly zero information about the environment except it *may* involve three endpoints. – Greg Askew Jul 25 '22 at 19:37

2 Answers


The easiest way so far is to have access to the DC to check its log; it may give you the problematic workstation with the PowerShell command below:

Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740}

Without access to the DC server, here is a little guide which may help. Locked-out accounts often appear if the user password has been changed and has not been updated on some client devices. They keep requesting authentication with old credentials. So basically you "just" have to wipe the credentials on all of your client devices in order to get rid of the phenomenon. You can look:

  • in Credential Manager (in the Windows Control Panel);


  • on all the mobile devices with something related to AD (mailbox, any other box).

Since you're mentioning it, it may also be caused by a disconnected session on a terminal server somewhere in your fleet. If that's the case, this session still has the old credentials cached on the TS server. Just find it and close it, and you're set.

  • I know the workstations where the lockouts are coming from. There are two of them. I have cleared Credential Manager on both machines. I have gone to the mobile phone device. I have checked other stations that any RDP was connected to (even though they are not where the lockouts originate). I have engaged our AD team, but it is a very large organization and the persons to actually enable the query for the application causing this apparently would require a change and then the query. An effort. Which is why I guess other team members say wipe them and move on. – StixO Jul 25 '22 at 23:53
  • @StixO: `I have engaged our AD team but it is very large organization and the persons to actually enable to query for the application causing this apparently would require a change and then the query.` That is not even close to reality. As I said, problems such as these there will not be progress if one or more of the teams refuses to engage. That is not a technology problem, and there is not a technology solution for it. This is something that should take minutes to investigate. – Greg Askew Jul 27 '22 at 13:01
  • @GregAskew there are processes that are prevented by policies. I know a lot of things are easy if you have access or if your organization is small enough. My company is extremely large and the rules and restrictions are very granular, along with who owns those. Me being one person, the effort they must make is more than a click. Hence I look for ways to do it without getting an act of Congress. – StixO Jul 28 '22 at 02:14
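An added example, not part of the original answer, that builds on the 4740 query above and then continues on the caller workstation, which the asker can reach without DC access: 4625 (failed logon) and 4648 (logon with explicit credentials) entries record the logon type and the process that presented the stale credential, which is what separates an RDP session from a scheduled task, a service or a mapped drive. `$User` and `$ComputerName` are placeholder assumptions.

```powershell
# Added example, not from the original answer. Assumes Get-WinEvent can read the Security log
# on the target host; $User and $ComputerName are placeholder values to replace.
$User         = 'jdoe'      # sAMAccountName of the locked-out account (assumption)
$ComputerName = 'DC01'      # DC for step 1, then the caller workstation for step 2 (assumption)
$since        = (Get-Date).AddDays(-2)

# Read one named EventData field from the event XML, so we do not rely on Properties[] ordering.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $data = ([xml]$Event.ToXml()).Event.EventData.Data
    ($data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Step 1 (on the DC): 4740 says WHICH computer submitted the bad password.
# Quirk: in 4740 the "Caller Computer Name" is stored in the TargetDomainName field.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Caller = Get-EventField $_ 'TargetDomainName'
        }
    } | Format-Table -AutoSize

# Step 2 (on the caller workstation): 4625 = failed logon, 4648 = logon with explicit credentials.
# Both name the process that presented the credentials; 4625 also gives the logon type and
# SubStatus 0xC000006A (wrong password), the signature of a stale cached credential.
# LogonType 10 = RDP (RemoteInteractive), 4 = scheduled task (Batch), 5 = service, 3 = network share.
Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
        LogName = 'Security'; Id = 4625, 4648; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            LogonType = Get-EventField $_ 'LogonType'        # empty for 4648
            Process   = Get-EventField $_ 'ProcessName'
            Target    = Get-EventField $_ 'TargetServerName' # empty for 4625
            SubStatus = Get-EventField $_ 'SubStatus'        # empty for 4648
        }
    } | Sort-Object Time | Format-Table -AutoSize
```

Step 2 only returns rows if logon auditing is enabled on the workstation; if the list is empty, check the local policy with `auditpol /get /category:"Logon/Logoff"`. Off-hours timestamps in step 2 with a non-interactive logon type point at a stored credential rather than the user typing a password.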

Old credentials are clearly cached on one of these devices. It could even be, if you have on-prem Exchange for example, a cell phone with cached email credentials from the previous password trying to authenticate over and over again. The only way to solve it is to update the credentials on all of this user's devices.

Brendan
  • Yes, obviously, but what app is the offending app? It is coming from something in common with two of the three computers this user is using. And it is off hours as well. Tracking that down. – StixO Jul 28 '22 at 02:17