Incredibly weird issue

Hi folks,
Ill dive straight in with this one as Ive been working on it since 9am today, with little progress.
I have USER A who's account locks out without them even being logged into their machine. The user changed their password yesterday as per company policy and since then it keeps locking out after 3-5 minutes.
Platform - WIN 7 Pro 64 Bit
Server - Win Server 2008 R2 Standard

I have done the following -
Cleared credential manager - NO DIFFERENCE
Reset IE and cleared personal details during reset - NO DIFFERENCE
Tested by logging onto another machine - NO JOY
Recreated their login profile - NO DIFFERENCE
Checked for logged on terminal services accounts - NONE LOGGED IN
Connected devices ie. iPad, iPhone, Android - NONE
I have checked on our DC's and have found the following -
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}

EventID 4776

Version 0

Level 0

Task 14336

Opcode 0

Keywords 0x8010000000000000

- TimeCreated
[ SystemTime] 2014-01-14T12:43:53.301501000Z

EventRecordID 2042599718

Correlation

- Execution
[ ProcessID] 516
[ ThreadID] 29720

Channel Security

Computer XXXXXXDC02.XXXXXXXXXXXXXX.co.uk

Security

- EventData
PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
TargetUserName USER A
Workstation XXXXXXXX
Status 0xc0000234
Kind of hit a brick wall now. Any ideas anyone?

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

tier~

Try giving the Account Lockout Status Tool a try.

Does this individual have any apps or services on their machine that would have been manually configured with their old credentials? A connection to a fileshare? Sharepoint portal?

You've hit most of these but this blog post should fill in any gaps to check: Troubleshooting Active Directory account lockout issues « MSExchangeGuru.com

Jeetus Maximus

Thanks Tier. Going through ALTools right now. Will try the blog too. Many thanks

veritas_libertas

Are they possibly using a smart phone or tablet with their AD credentials?

Jeetus Maximus

Fixed! Altools revealed the user had left an rdp session logged on at another terminal. Funnily enough the user swore blind they had not logged in anywhere else lol. On another note, as soon as we fixed the issue I got a call from my wife to tell me her contractions had started. Off to be a dad now

zxbane

good luck and congrats!

lsud00d

These mysterious lockout issues are almost always due to lingering RDP connections or cached credentials on a phone accessing either email or wifi. Good job with the quick fix and congrats on being a dad! Sending positive vibes for a safe delivery for both baby and mom.

colemic

Congrats on becoming a Dad! And your company thanks you for fixing the account getting repeated locked.

tier~

Glad the tool worked and congrats on becoming a dad!

-hype

lsud00d wrote: »

These mysterious lockout issues are almost always due to lingering RDP connections or cached credentials on a phone accessing either email or wifi.

This is def true, came in here to post this.