Local XP account randomly locks

2

0

So there's a computer on my network at work that has a local account on it. This computer is on the network but not on the domain. The account is used to create gift cards. At least once a week this local account gets locked out. I find this odd because the password is so simple (it might as well be password). It gets locked out at night, so no one is tampering with it. Nothing logs into it remotely (e.g. scanner for network drives). The local account is used for nothing else, just Windows XP.

Most recently, this computer was last used on Friday afternoon and then put away for a few days. Someone then tried to use it this morning, but the account was locked. No one was messing with it in the interim.

Any thoughts?

Jason T.

Posted 2011-12-28T13:35:50.877

Reputation: 61

4 Open Security Settings (secpol.msc) → Local Policies and enable auditing of logon events (just "logon", not "account logon"). When the account gets locked out, check Event Viewer (eventvwr.msc) → Security. It will show you at least the time and machine name; there might be remote login attempts. – user1686 – 2011-12-28T13:46:47.853

Good idea! Thanks for the tip. This will give me a good clue as to what's going on. – Jason T. – 2011-12-28T13:51:06.153

Now that I think about it though, would a failed remote login attempt lock out an account on a computer that's not even turned on? – Jason T. – 2011-12-28T13:53:16.400

1 About that - perhaps enable auditing for system events (boot/shutdown) as well? Also, I just remembered: Is this computer using the "Welcome" screen? It may be causing lockouts, since it always tries logging in with a blank password before asking for the real one. – user1686 – 2011-12-28T14:31:56.423

Actually yeah it is. I checked the event logs since Audit Logging was already enabled. She had two failed logon attempts and the third entry was a Lockout notification. – Jason T. – 2011-12-28T16:20:49.520

Well, then try raising the lockout limit to ... 6-10 attempts or so. The way Welcome screen works (the only way it can work), a passworded account will always cause at least one failed attempt as soon as you click on it. – user1686 – 2011-12-28T16:44:04.833

Answers

2

A few ideas.

  1. Check scheduled tasks have the correct credentials.
  2. Enable login auditing if it's not already enabled (refer to http://technet.microsoft.com/en-us/library/cc787567.aspx)
  3. Disable account lockout (it's disabled on my system, so I guess that's the default):

    Administrative Tools -> Local Security Settings -> Account Policies -> Account Lockout Policy -> Account Lockout Threshold
    

Chris Adams

Posted 2011-12-28T13:35:50.877

Reputation: 283
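Once logon auditing is on, the Security log can be checked for where the failures before each lockout came from. The following is an added example, not part of the original thread: it assumes the log was exported to CSV with the constructed column names shown, uses the Windows XP event IDs 529 (failed logon) and 644 (account locked out), and assumes a 30-minute lockout counter window. Account and machine names are constructed.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Windows XP / Server 2003 Security log event IDs
FAILED_LOGON = 529  # logon failure: unknown user name or bad password
LOCKED_OUT = 644    # user account locked out
LOGON_TYPES = {2: "interactive (console)", 3: "network", 10: "remote interactive"}

# Constructed sample export; the column layout is an assumption, not a Windows format.
SAMPLE = """time,event_id,account,logon_type,workstation
2011-12-23 16:40:02,529,giftcard,3,SCANNER01
2011-12-28 08:01:10,529,giftcard,2,GIFTPC
2011-12-28 08:01:25,529,giftcard,2,GIFTPC
2011-12-28 08:01:41,644,giftcard,,GIFTPC
"""

def explain_lockouts(text, window=timedelta(minutes=30)):
    """For each lockout, count the failed logons inside the counter window by source."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["event_id"] = int(r["event_id"])
    reports = []
    for lock in (r for r in rows if r["event_id"] == LOCKED_OUT):
        sources = Counter()
        for r in rows:
            same_account = r["account"].lower() == lock["account"].lower()
            in_window = timedelta(0) <= lock["time"] - r["time"] <= window
            if r["event_id"] == FAILED_LOGON and same_account and in_window:
                code = int(r["logon_type"])
                sources[(r["workstation"], LOGON_TYPES.get(code, f"type {code}"))] += 1
        reports.append({"account": lock["account"], "locked_at": lock["time"],
                        "failures": dict(sources)})
    return reports

if __name__ == "__main__":
    for rep in explain_lockouts(SAMPLE):
        print(rep["account"], "locked at", rep["locked_at"])
        for (host, kind), count in rep["failures"].items():
            print(f"  {count} failed logon(s) from {host}, {kind}")
```

Failures that are all interactive and from the machine itself fit the Welcome screen explanation in the comments; network-type failures from another host would point to a remote source instead.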