Problem Users are being randomly locked out

Discussion in 'Software' started by nugget, Jun 1, 2010.

  1. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Okay people, time to put your thinking caps on. I have a very annoying problem. Users keep getting locked out, even when they are already logged in. Somehow I think it has to do with Exchange as most of the incidents happen when they are working and have outlook open. A window will pop up at random asking for username and password. The user proceeds to enter this and Exchange will not accept it. They try a couple more times and then it seems their account is locked out.

    Sometimes they can just click cancel and continue on as normal, other times it pops the window up and won't let them use outlook (offline and needs password). Sometimes the user (had it happen to me randomly) can enter their password and everything is okay.

    It seems to happen at random to a small group of users but there is one user that seems to get it the most. This lady came to work this morning (after being away for 5 days) and her account was locked and she couldn't even log on.

    I've combed the event logs for any clues but I can't find anything related to what might cause this even though the logs are full of problem reports. I thought that some of these problems might disappear after updating the servers but it seems not to be the case. The whole server and client systems haven't had updates applied to them for a year or so before I got here and from my point of view the people that set the systems up really clusterf***ed the whole system. I've only been allowed to start updating the systems for the last month now (thanks MS for WSUS).

    I'm tearing my hair out here and hoping for a little guidance.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  2. Theprof

    Theprof Petabyte Poster

    4,607
    83
    211
    Are those users logged on to more than 1 computer?
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA
  3. michael78

    michael78 Terabyte Poster

    2,085
    29
    141

    We had this issue in the last place I worked and it was found that a server in another country was infected with the conflicker virus and was randomly locking the same people out.
     
    Certifications: A+ | Network+ | Security+ | MCP | MCDST | MCTS: Hyper-V | MCTS: AD | MCTS: Exchange 2007 | MCTS: Windows 7 | MCSA: 2003 | ITIL Foundation v3 | CCA: Xenapp 5.0 | MCITP: Enterprise Desktop Administrator on Windows 7 | MCITP: Enterprise Desktop Support Technician on Windows 7
    WIP: Online SAN Overview, VCP in December 2011
  4. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    No, just the one usually. We have several 'public' pc's that are used for controlling equipment, but they have their own account that everyone uses.



    We only have the one site with 38 users.
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  5. PPD2387

    PPD2387 Byte Poster

    149
    9
    37
    I've also seen examples of accounts being locked out due to the Conficker virus...
     
    Last edited: Jun 1, 2010
  6. dazza786

    dazza786 Megabyte Poster

    758
    30
    67
    is it exch 2007 and outlook 2007?
     
    Certifications: MCP (271, 272, 270, 290, 291, 621, 681, 685), MCDST, MCTS, MCITP, MCSA, Security+, CCA(XA6.5)
  7. craigie

    craigie Terabyte Poster

    3,020
    174
    155
    I would sugest enforcing a password change on the domain and also looking at your smtp relaying
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  8. onoski

    onoski Terabyte Poster

    3,120
    51
    154
    I had this exact problem with some random users and each time it was the random users account that gets locked out. This can be a replication issue as some of the DC's are not getting replicated but like others mentioned could even be the conflicker virus.

    However, the way I had this fixed after resetting the users password time after time failed had to recreate their user profiles with a slightly different username on the file servers.

    After of which I also enforced a password change on each of the pertaining users account and problem was solved.

    Best wishes and lets know if you had another way round this:)
     
    Certifications: MCSE: 2003, MCSA: 2003 Messaging, MCP, HNC BIT, ITIL Fdn V3, SDI Fdn, VCP 4 & VCP 5
    WIP: MCTS:70-236, PowerShell
  9. JK2447
    Highly Decorated Member Award 500 Likes Award

    JK2447 Petabyte Poster Administrator Premium Member

    Top Poster
    of the Month

    7,261
    975
    318
    I'll bet its because users are leaving themselves logged on, their password is expiring and asking them to change it when they log onto another machine, then when they log onto another computer their password doesn't work and they lock themselves out.
     
    Certifications: VCP4, 5, 6, 6.5, 6.7, 7, 8, VCAP DCV Design, VMConAWS Skill, Google Cloud Digital Leader, BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, CCA (XenApp6.5), MCSA 2012, VSP, VTSP
    WIP: ServiceNow Certified System Administrator Certification
  10. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,724
    552
    364
    Anything in the security logs on the DC?
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  11. Dave_unemployed

    Dave_unemployed Nibble Poster

    57
    0
    14
    You are describing exactly what is happening to us at the moment.

    Couple of users were getting locked out constantly and we eventually figured out there were two services running on his laptop. I can't remember the exact since i was dealing with another problems. I see what i can find out tomorrow morning.

    Dave
     
    Certifications: A+, N+, MCP and MCDST
    WIP: 70-680
  12. Boycie
    Honorary Member

    Boycie Senior Beer Tester

    6,281
    85
    174
    Certifications: MCSA 2003, MCDST, A+, N+, CTT+, MCT
  13. Sparky
    Highly Decorated Member Award 500 Likes Award

    Sparky Zettabyte Poster Moderator

    10,724
    552
    364
    This.

    Also worth a running a AV scan on the PCs that are playing up.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) MS-900 AZ-900 Security+ Network+ A+
    WIP: Microsoft Certs
  14. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    Thanks for the suggestions guys. :thumbleft

    Yes it is.


    It seems to affect the same 4-5 users but at random. Two of the users have it less often than the other two and of these two the one that has it most often is the secretary. In the time that this has been happening the users have changed passwords at least 6 times and I have tried setting a new profile for one of them but the problem still exists.


    Everyone has their own pc and if they need to use another pc (attached to a machine) then that machine has its own account so that people use that same account for that 'public' pc. This is happening when they are already logged on and working and usually in connection with outlook.


    That'd be great. Thanks.


    Not fully patched up yet. I've only started patching everything recently (after 2 years of no patching). I can't really tell if Exchange SP1 is there. I've seen in the installed programs that Update Rollup 4 for SP1 was installed but the version number was different to what I've found on the internet. I also installed Update Rollup 10 for SP1 and the version number stayed the same. It's also slow going with the patching as there's something in the order of 350 of the buggers to install. At the moment it's just a case of install a few, take a backup image and wait a couple of days and then repeat. :cry:

    Thanks for the links. It seems to be the same as what is happening here. they also mention that the problem should have been fixed in Update Rollup 4. :dry
    I guess that I might just go the whole way straight to SP2 and bugger the fallout.


    I have the AV set up to automatically do a full scan every week.

    For me it doesn't seem virus related because the lady that it happens the most to has: changed her password multiple times, had the new profile and also had a new freshly installed pc. She's also very correct in how she uses the pc ie doesn't surf and only goes where she needs to on the internet. The problems usually occur when using outlook, the authentication window pops up, won't accept the credentials and eventually locks the account (while logged on and still working) so they can't use outlook anymore.

    Another thing is, there are loads of error entries in the event logs on the DC and Exchange servers which might (or might not) have something to do with it. As far as I can see (from the oldest ones) they have always been there and happening. I haven't been allowed to do anything about fixing the problems as firstly they don't let me have the time and secondly they say it's running now so we don't touch it (which is why they haven't done any patching).

    There are also many other problem areas but it's all hands off. :x
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  15. BosonMichael
    Honorary Member Highly Decorated Member Award 500 Likes Award

    BosonMichael Yottabyte Poster

    19,183
    500
    414
    I doubt there's a service that's running with their credentials... but I mention it on the slight chance there is. I've seen it happen.
     
    Certifications: CISSP, MCSE+I, MCSE: Security, MCSE: Messaging, MCDST, MCDBA, MCTS, OCP, CCNP, CCDP, CCNA Security, CCNA Voice, CNE, SCSA, Security+, Linux+, Server+, Network+, A+
    WIP: Just about everything!
  16. JK2447
    Highly Decorated Member Award 500 Likes Award

    JK2447 Petabyte Poster Administrator Premium Member

    Top Poster
    of the Month

    7,261
    975
    318
    I don't suppose you have a nefarious user working for you who knows or can guess other peoples user id's and is purposefully getting peoples passwords wrong to lock them out....... I haven't heard of it in our place but my friend is a civil servant and caught a woman doing exactly that....... heaven only knows why
     
    Certifications: VCP4, 5, 6, 6.5, 6.7, 7, 8, VCAP DCV Design, VMConAWS Skill, Google Cloud Digital Leader, BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, CCA (XenApp6.5), MCSA 2012, VSP, VTSP
    WIP: ServiceNow Certified System Administrator Certification
  17. Len

    Len Byte Poster

    189
    4
    37
    al queda





    Just kidding
     
    Certifications: BND IT Practitioners
    WIP: Comptia A+
  18. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224

    I wish it was that easy. :twisted:
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  19. nugget
    Honorary Member

    nugget Junior toady

    7,796
    71
    224
    This is really doing my head in.

    I recently installed a program from NetWrix that supposedly can trace the reasons for account lockouts. It showed me this morning that the lady in question's account is locked out. I looked at her user account details in AD and sure enough her account shows that it is locked. The strange thing is this time, as well as being logged in she can use outlook too. Normally if outlook asks for her credentials she gives them in, they aren't accepted and after 3 times the account seems to lock itself (although already logged on) and she cant use outlook any more until we unlock the account.

    This morning she can give her credentials in, outlook accepts them and she can continue on as normal even though her account shows as locked. Looking in the logs I've found 5 events with the ID 644 which indicate bad password events. These correspond with the 5 account lockout records I see in the NetWrix program.

    One difference that I see between her account and another account that was also locked is the domain controller. One account was locked showing the file server domain controller and her account shows the mail server domain controller (we have 2 DCs, one set up as file server and the other as mail server).

    Is it possible that there is a communication problem between the 2 DCs?
     
    Certifications: A+ | Network+ | Security+ | MCP (270,271,272,290,620) | MCDST | MCTS:Vista
    WIP: MCSA, 70-622,680,685
  20. Asterix

    Asterix Megabyte Poster

    515
    11
    52
    My guesses would be:
    -AD corruption - drop users machine off the domain and recreate user and computer accounts
    -Conficker virus
    -DOS - check DC
    -Exchange (where do we start with this one)
     

Share This Page

Loading...
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.