user account locking out in AD

Hello forum,

I have a user that keeps getting locked out of his profile every 15 minutes. I have downloaded software from netwrix (Account Lockout Examiner Console) which is pointing to a PC that the user has used in the past.

His profile is not under Users and Settings. Is there a better place to look regarding who has their password stored on a machine? Maybe even somewhere in the registry that keeps domain profiles and passwords that I can browse through.

It’s very frustrating knowing its coming from said PC and not knowing enough to solve the issue. It feels like im 5 clicks away from nailing this.
Kai.

Find more posts tagged with

Free for TechExams community: Cybersecurity salary guide

Compare cert salaries and plan your next career move

Button

Comments

GAngel

Download Account Lockout and Management Tools from Official Microsoft Download Center

Also go on his machine and check his machine does not have a saved pw this is usually the issue.
win 7 > ctrl panel > user acct > manage credentials.

BradleyHU

^^^
I was gonna suggest LockOutStatus too....

cruwl

There are a few posts about this exact issue here with a lot of good trouble shooting in them. He could have a service set to run as his account, or a scheduled task ect.

Kai123

The PC he is using is "PC01" and the PC being flagged is "PC03". He is definately not logged onto PC03 but the lockout software says he is. On PC01, his credentials are set in windows (his username and password). That should actually be the problem, and it would make sense if the software was flagging PC01 instead of PC03.

I will delete his local password settings tomorrow morning, and that should hopefully solve the issue. It makes sense, since no-one should have "local" stored password settings when they are logging in via the domain.

colemic

As a test you could just try unplugging PC03 and seeing if his acct still gets locked out, then do the same w/ PC01. That will definitely tell you which PC is caching old credentials.

Kai123

colemic wrote: »

As a test you could just try unplugging PC03 and seeing if his acct still gets locked out, then do the same w/ PC01. That will definitely tell you which PC is caching old credentials.

PC03 is a critical machine. I had thought about logging him out but the software was correct in the first place, I was just looking in the wrong place on the machine.

It was PC03 though, found his password credentials in "manage network passwords". The other system admins are very happy with the piece of software I found, since before they would create a new account entirely. This way is much more faster.

LeifAlire

Use EventCombMT.exe from Account Management Tools from Microsoft. If the lockout is coming from within your network you will find it using that tool.

BradleyHU

There's also Qradar from IBM....