Problem Users are being randomly locked out

Discussion in 'Software' started by nugget, Jun 1, 2010.

  1. nugget
    Honorary Member

    nugget Junior toady

    Okay people, time to put your thinking caps on. I have a very annoying problem. Users keep getting locked out, even when they are already logged in. Somehow I think it has to do with Exchange as most of the incidents happen when they are working and have Outlook open. A window will pop up at random asking for username and password. The user proceeds to enter this and Exchange will not accept it. They try a couple more times and then it seems their account is locked out.

    Sometimes they can just click cancel and continue on as normal, other times it pops the window up and won't let them use Outlook (offline and needs password). Sometimes the user (had it happen to me randomly) can enter their password and everything is okay.

    It seems to happen at random to a small group of users but there is one user that seems to get it the most. This lady came to work this morning (after being away for 5 days) and her account was locked and she couldn't even log on.

    I've combed the event logs for any clues but I can't find anything related to what might cause this even though the logs are full of problem reports. I thought that some of these problems might disappear after updating the servers but it seems not to be the case. The whole server and client systems haven't had updates applied to them for a year or so before I got here and from my point of view the people that set the systems up really clusterf***ed the whole system. I've only been allowed to start updating the systems for the last month now (thanks MS for WSUS).

    I'm tearing my hair out here and hoping for a little guidance.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  2. Theprof

    Theprof Petabyte Poster

    Are those users logged on to more than 1 computer?
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  3. michael78

    michael78 Terabyte Poster


    We had this issue in the last place I worked and it was found that a server in another country was infected with the Conficker virus and was randomly locking the same people out.
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  4. nugget
    Honorary Member

    nugget Junior toady

    No, just the one usually. We have several 'public' PCs that are used for controlling equipment, but they have their own account that everyone uses.



    We only have the one site with 38 users.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  5. PPD2387

    PPD2387 Byte Poster

    I've also seen examples of accounts being locked out due to the Conficker virus...
     
    Last edited: Jun 1, 2010
  6. dazza786

    dazza786 Megabyte Poster

    Is it Exchange 2007 and Outlook 2007?
     
    Certifications: MCP (271, 272, 270, 290, 291, 621, 681, 685), MCDST, MCTS, MCITP, MCSA, Security+, CCA(XA6.5)
  7. craigie

    craigie Terabyte Poster

    I would suggest enforcing a password change on the domain and also looking at your SMTP relaying.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  8. onoski

    onoski Terabyte Poster

    I had this exact problem with some random users and each time it was the random user's account that got locked out. This can be a replication issue as some of the DCs are not getting replicated but, like others mentioned, could even be the Conficker virus.

    However, the way I had this fixed, after resetting the users' passwords time after time failed, was to recreate their user profiles with a slightly different username on the file servers.

    After which I also enforced a password change on each of the pertaining users' accounts and the problem was solved.

    Best wishes and let us know if you had another way round this :)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  9. JK2447
    Highly Decorated Member Award 500 Likes Award

    JK2447 Petabyte Poster Administrator Premium Member

    I'll bet it's because users are leaving themselves logged on, their password is expiring and asking them to change it when they log onto another machine, then when they log onto another computer their password doesn't work and they lock themselves out.
     
    Certifications: VCP4, 5, 6, 6.5, 6.7, 7, 8, VCAP DCV Design, VMConAWS Skill, Google Cloud Digital Leader, BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, CCA (XenApp6.5), MCSA 2012, VSP, VTSP
    WIP: Google Cloud Certs
  10. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    Anything in the security logs on the DC?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  11. Dave_unemployed

    Dave_unemployed Nibble Poster

    You are describing exactly what is happening to us at the moment.

    A couple of users were getting locked out constantly and we eventually figured out there were two services running on his laptop. I can't remember the exact details since I was dealing with other problems. I'll see what I can find out tomorrow morning.

    Dave
     
    Certifications: A+, N+, MCP and MCDST
    WIP: 70-680
  12. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  13. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    This.

    Also worth running an AV scan on the PCs that are playing up.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  14. nugget
    Honorary Member

    nugget Junior toady

    Thanks for the suggestions guys. :thumbleft

    Yes it is.


    It seems to affect the same 4-5 users but at random. Two of the users have it less often than the other two and of these two the one that has it most often is the secretary. In the time that this has been happening the users have changed passwords at least 6 times and I have tried setting a new profile for one of them but the problem still exists.


    Everyone has their own PC and if they need to use another PC (attached to a machine) then that machine has its own account so that people use that same account for that 'public' PC. This is happening when they are already logged on and working and usually in connection with Outlook.


    That'd be great. Thanks.


    Not fully patched up yet. I've only started patching everything recently (after 2 years of no patching). I can't really tell if Exchange SP1 is there. I've seen in the installed programs that Update Rollup 4 for SP1 was installed but the version number was different to what I've found on the internet. I also installed Update Rollup 10 for SP1 and the version number stayed the same. It's also slow going with the patching as there's something in the order of 350 of the buggers to install. At the moment it's just a case of install a few, take a backup image and wait a couple of days and then repeat. :cry:

    Thanks for the links. It seems to be the same as what is happening here. They also mention that the problem should have been fixed in Update Rollup 4. :dry
    I guess that I might just go the whole way straight to SP2 and bugger the fallout.


    I have the AV set up to automatically do a full scan every week.

    For me it doesn't seem virus related because the lady that it happens the most to has: changed her password multiple times, had the new profile and also had a new freshly installed PC. She's also very correct in how she uses the PC, i.e. doesn't surf and only goes where she needs to on the internet. The problems usually occur when using Outlook, the authentication window pops up, won't accept the credentials and eventually locks the account (while logged on and still working) so they can't use Outlook anymore.

    Another thing is, there are loads of error entries in the event logs on the DC and Exchange servers which might (or might not) have something to do with it. As far as I can see (from the oldest ones) they have always been there and happening. I haven't been allowed to do anything about fixing the problems as firstly they don't let me have the time and secondly they say it's running now so we don't touch it (which is why they haven't done any patching).

    There are also many other problem areas but it's all hands off. :x
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  15. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    I doubt there's a service that's running with their credentials... but I mention it on the slight chance there is. I've seen it happen.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. JK2447
    Highly Decorated Member Award 500 Likes Award

    JK2447 Petabyte Poster Administrator Premium Member

    I don't suppose you have a nefarious user working for you who knows or can guess other people's user IDs and is purposefully getting people's passwords wrong to lock them out... I haven't heard of it in our place but my friend is a civil servant and caught a woman doing exactly that... heaven only knows why
     
    Certifications: VCP4, 5, 6, 6.5, 6.7, 7, 8, VCAP DCV Design, VMConAWS Skill, Google Cloud Digital Leader, BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, CCA (XenApp6.5), MCSA 2012, VSP, VTSP
    WIP: Google Cloud Certs
  17. Len

    Len Byte Poster

    Al-Qaeda





    Just kidding
     
    Certifications: BND IT Practitioners
    WIP: Comptia A+
  18. nugget
    Honorary Member

    nugget Junior toady


    I wish it was that easy. :twisted:
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  19. nugget
    Honorary Member

    nugget Junior toady

    This is really doing my head in.

    I recently installed a program from NetWrix that supposedly can trace the reasons for account lockouts. It showed me this morning that the lady in question's account is locked out. I looked at her user account details in AD and sure enough her account shows that it is locked. The strange thing is this time, as well as being logged in she can use Outlook too. Normally if Outlook asks for her credentials she gives them in, they aren't accepted and after 3 times the account seems to lock itself (although already logged on) and she can't use Outlook any more until we unlock the account.

    This morning she can give her credentials in, Outlook accepts them and she can continue on as normal even though her account shows as locked. Looking in the logs I've found 5 events with the ID 644 which indicate bad password events. These correspond with the 5 account lockout records I see in the NetWrix program.

    One difference that I see between her account and another account that was also locked is the domain controller. One account was locked showing the file server domain controller and her account shows the mail server domain controller (we have 2 DCs, one set up as file server and the other as mail server).

    Is it possible that there is a communication problem between the 2 DCs?
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
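
    Post 19 lines up event ID 644 records with the lockout tool's report and notices that different accounts were locked on different DCs. As an added example (not code from the thread or from NetWrix), this Python script tallies such records per account by the DC that logged them and by the Caller Machine Name field; the host names, account names and records are constructed, and the message layout is assumed to follow the Windows Server 2003 event 644 description.

```python
import re
from collections import Counter, defaultdict

def _msg(target, caller):
    # Builds a constructed event 644 description (layout is an assumption).
    return ("User Account Locked Out:\r\n"
            f"\tTarget Account Name:\t{target}\r\n"
            f"\tTarget Account ID:\tCORP\\{target}\r\n"
            f"\tCaller Machine Name:\t{caller}\r\n")

# Constructed sample: (DC whose Security log held the record, time, message).
SAMPLE_EVENTS = [
    ("DC-MAIL", "2010-06-14 07:41", _msg("asmith", "DC-MAIL")),
    ("DC-MAIL", "2010-06-14 09:02", _msg("asmith", "DC-MAIL")),
    ("DC-MAIL", "2010-06-15 08:15", _msg("asmith", "WS-017")),
    ("DC-MAIL", "2010-06-16 07:58", _msg("asmith", "DC-MAIL")),
    ("DC-MAIL", "2010-06-17 08:30", _msg("asmith", "DC-MAIL")),
    ("DC-FILE", "2010-06-15 13:20", _msg("bjones", "WS-003")),
    ("DC-FILE", "2010-06-16 10:05", _msg("bjones", "")),  # caller left blank
]

FIELD = re.compile(
    r"^[ \t]*(Target Account Name|Caller Machine Name):[ \t]*(\S*)[ \t\r]*$",
    re.M)

def parse_lockout(message):
    """Return (target account, caller machine); None if no target field."""
    fields = dict(FIELD.findall(message))
    target = fields.get("Target Account Name", "")
    if not target:
        return None
    caller = fields.get("Caller Machine Name") or "UNKNOWN"
    return target.lower(), caller.upper()

def summarize(events):
    """Per account, count lockouts by caller machine and by logging DC."""
    summary = defaultdict(lambda: {"callers": Counter(), "dcs": Counter()})
    for dc, _time, message in events:
        parsed = parse_lockout(message)
        if parsed is None:
            continue  # not a lockout record, or a truncated export
        target, caller = parsed
        summary[target]["callers"][caller] += 1
        summary[target]["dcs"][dc] += 1
    return dict(summary)

if __name__ == "__main__":
    for account, counts in sorted(summarize(SAMPLE_EVENTS).items()):
        print(account, dict(counts["dcs"]), counts["callers"].most_common())
```

    A caller machine that dominates the tally for one account is the first host to inspect for stored or stale credentials.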
  20. Asterix

    Asterix Megabyte Poster

    My guesses would be:
    -AD corruption - drop user's machine off the domain and recreate user and computer accounts
    -Conficker virus
    -DOS - check DC
    -Exchange (where do we start with this one)
     
