Incredibly weird issue
Jeetus Maximus
Member Posts: 10 ■□□□□□□□□□
Hi folks,
Ill dive straight in with this one as Ive been working on it since 9am today, with little progress.
I have USER A who's account locks out without them even being logged into their machine. The user changed their password yesterday as per company policy and since then it keeps locking out after 3-5 minutes.
Platform - WIN 7 Pro 64 Bit
Server - Win Server 2008 R2 Standard
I have done the following -
Cleared credential manager - NO DIFFERENCE
Reset IE and cleared personal details during reset - NO DIFFERENCE
Tested by logging onto another machine - NO JOY
Recreated their login profile - NO DIFFERENCE
Checked for logged on terminal services accounts - NONE LOGGED IN
Connected devices ie. iPad, iPhone, Android - NONE
I have checked on our DC's and have found the following -
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4776
Version 0
Level 0
Task 14336
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2014-01-14T12:43:53.301501000Z
EventRecordID 2042599718
Correlation
- Execution
[ ProcessID] 516
[ ThreadID] 29720
Channel Security
Computer XXXXXXDC02.XXXXXXXXXXXXXX.co.uk
Security
- EventData
PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
TargetUserName USER A
Workstation XXXXXXXX
Status 0xc0000234
Kind of hit a brick wall now. Any ideas anyone?
Ill dive straight in with this one as Ive been working on it since 9am today, with little progress.
I have USER A who's account locks out without them even being logged into their machine. The user changed their password yesterday as per company policy and since then it keeps locking out after 3-5 minutes.
Platform - WIN 7 Pro 64 Bit
Server - Win Server 2008 R2 Standard
I have done the following -
Cleared credential manager - NO DIFFERENCE
Reset IE and cleared personal details during reset - NO DIFFERENCE
Tested by logging onto another machine - NO JOY
Recreated their login profile - NO DIFFERENCE
Checked for logged on terminal services accounts - NONE LOGGED IN
Connected devices ie. iPad, iPhone, Android - NONE
I have checked on our DC's and have found the following -
- System
- Provider
[ Name] Microsoft-Windows-Security-Auditing
[ Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
EventID 4776
Version 0
Level 0
Task 14336
Opcode 0
Keywords 0x8010000000000000
- TimeCreated
[ SystemTime] 2014-01-14T12:43:53.301501000Z
EventRecordID 2042599718
Correlation
- Execution
[ ProcessID] 516
[ ThreadID] 29720
Channel Security
Computer XXXXXXDC02.XXXXXXXXXXXXXX.co.uk
Security
- EventData
PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
TargetUserName USER A
Workstation XXXXXXXX
Status 0xc0000234
Kind of hit a brick wall now. Any ideas anyone?
Comments
-
tier~ Member Posts: 86 ■■□□□□□□□□Try giving the Account Lockout Status Tool a try.
Does this individual have any apps or services on their machine that would have been manually configured with their old credentials? A connection to a fileshare? Sharepoint portal?
You've hit most of these but this blog post should fill in any gaps to check: Troubleshooting Active Directory account lockout issues « MSExchangeGuru.com -
Jeetus Maximus Member Posts: 10 ■□□□□□□□□□Thanks Tier. Going through ALTools right now. Will try the blog too. Many thanks
-
veritas_libertas Member Posts: 5,746 ■■■■■■■■■■Are they possibly using a smart phone or tablet with their AD credentials?
-
Jeetus Maximus Member Posts: 10 ■□□□□□□□□□Fixed! Altools revealed the user had left an rdp session logged on at another terminal. Funnily enough the user swore blind they had not logged in anywhere else lol. On another note, as soon as we fixed the issue I got a call from my wife to tell me her contractions had started. Off to be a dad now
-
lsud00d Member Posts: 1,571These mysterious lockout issues are almost always due to lingering RDP connections or cached credentials on a phone accessing either email or wifi. Good job with the quick fix and congrats on being a dad! Sending positive vibes for a safe delivery for both baby and mom.
-
colemic Member Posts: 1,569 ■■■■■■■□□□Congrats on becoming a Dad! And your company thanks you for fixing the account getting repeated locked.Working on: staying alive and staying employed
-
-hype Member Posts: 165These mysterious lockout issues are almost always due to lingering RDP connections or cached credentials on a phone accessing either email or wifi.
This is def true, came in here to post this.WGU BS IT:Network Administration
Started: 10-1-13
Completed: 9-21-14
Transferred: 67 CU Completed: 54 CU