Incredibly weird issue

Jeetus Maximus Member Posts: 10
Hi folks,
I'll dive straight in with this one as I've been working on it since 9am today, with little progress.
I have USER A whose account locks out without them even being logged into their machine. The user changed their password yesterday as per company policy and since then it keeps locking out after 3-5 minutes.
Platform - WIN 7 Pro 64 Bit
Server - Win Server 2008 R2 Standard


I have done the following -
Cleared credential manager - NO DIFFERENCE
Reset IE and cleared personal details during reset - NO DIFFERENCE
Tested by logging onto another machine - NO JOY
Recreated their login profile - NO DIFFERENCE
Checked for logged on terminal services accounts - NONE LOGGED IN
Connected devices i.e. iPad, iPhone, Android - NONE
I have checked on our DCs and have found the following -
- System
  - Provider
    [Name] Microsoft-Windows-Security-Auditing
    [Guid] {54849625-5478-4994-A5BA-3E3B0328C30D}
  EventID 4776
  Version 0
  Level 0
  Task 14336
  Opcode 0
  Keywords 0x8010000000000000
  - TimeCreated
    [SystemTime] 2014-01-14T12:43:53.301501000Z
  EventRecordID 2042599718
  Correlation
  - Execution
    [ProcessID] 516
    [ThreadID] 29720
  Channel Security
  Computer XXXXXXDC02.XXXXXXXXXXXXXX.co.uk
  Security
- EventData
  PackageName MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
  TargetUserName USER A
  Workstation XXXXXXXX
  Status 0xc0000234
Kind of hit a brick wall now. Any ideas anyone?

Comments

  • tier~ Member Posts: 86
    Try giving the Account Lockout Status Tool a try.

    Does this individual have any apps or services on their machine that would have been manually configured with their old credentials? A connection to a fileshare? Sharepoint portal?

    You've hit most of these but this blog post should fill in any gaps to check: Troubleshooting Active Directory account lockout issues « MSExchangeGuru.com
    Let's Connect!
    LinkedIn, Twitter, Blog
  • Jeetus Maximus Member Posts: 10
    Thanks Tier. Going through ALTools right now. Will try the blog too. Many thanks :)
  • veritas_libertas Member Posts: 5,746
    Are they possibly using a smart phone or tablet with their AD credentials?
  • Jeetus Maximus Member Posts: 10
    Fixed! ALTools revealed the user had left an RDP session logged on at another terminal. Funnily enough the user swore blind they had not logged in anywhere else lol. On another note, as soon as we fixed the issue I got a call from my wife to tell me her contractions had started. Off to be a dad now :)
  • zxbane Member Posts: 740
    Good luck and congrats!
  • lsud00d Member Posts: 1,571
    These mysterious lockout issues are almost always due to lingering RDP connections or cached credentials on a phone accessing either email or wifi. Good job with the quick fix and congrats on being a dad! Sending positive vibes for a safe delivery for both baby and mom.
  • colemic Member Posts: 1,569
    Congrats on becoming a Dad! And your company thanks you for fixing the account getting repeatedly locked. :)
    Working on: staying alive and staying employed
  • tier~ Member Posts: 86
    Glad the tool worked and congrats on becoming a dad!
  • -hype Member Posts: 165
    lsud00d wrote: »
    These mysterious lockout issues are almost always due to lingering RDP connections or cached credentials on a phone accessing either email or wifi.

    This is def true, came in here to post this.
    WGU BS IT:Network Administration
    Started: 10-1-13
    Completed: 9-21-14
    Transferred: 67 CU Completed: 54 CU
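
An added example, not part of any post in this thread: the DC event quoted in the question (4776 with Status 0xc0000234, which is the "account locked out" NTSTATUS) names the Workstation that sent the failing credentials, so tallying those events per workstation points at the stale session. The sketch below assumes the 4776 events have been exported from the DC's Security log as XML `<Event>` elements; the user names and host names (`TS-SRV02`, `PC-DESK01`, `PC-DESK09`) are constructed sample data.

```python
import xml.etree.ElementTree as ET
from collections import Counter

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# NTSTATUS values commonly seen in the Status field of event 4776
STATUS = {
    "0xc0000234": "account locked out",
    "0xc000006a": "wrong password",
    "0xc0000064": "no such user",
}

def _event(user, workstation, status):
    """Build one constructed 4776 record in the Windows event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        "<System><EventID>4776</EventID></System><EventData>"
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="Workstation">{workstation}</Data>'
        f'<Data Name="Status">{status}</Data>'
        "</EventData></Event>"
    )

# Constructed sample: a terminal server keeps replaying the old password.
SAMPLE = "".join(
    [_event("usera", "TS-SRV02", "0xc000006a")] * 3
    + [_event("usera", "TS-SRV02", "0xc0000234")] * 2
    + [_event("usera", "PC-DESK01", "0x0"), _event("userb", "PC-DESK09", "0xc000006a")]
)

def failures_by_workstation(xml_text, user):
    """Count failed 4776 validations for `user`, keyed by (workstation, reason)."""
    root = ET.fromstring(f"<Events>{xml_text}</Events>")  # export has no single root
    tally = Counter()
    for ev in root.iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "4776":
            continue
        data = {d.get("Name"): (d.text or "") for d in ev.iterfind("e:EventData/e:Data", NS)}
        status = data.get("Status", "").lower()
        if data.get("TargetUserName", "").lower() != user.lower() or status == "0x0":
            continue  # other users and successful validations are not of interest
        tally[(data.get("Workstation", "?"), STATUS.get(status, status))] += 1
    return tally

def likely_source(xml_text, user):
    """Return the workstation with the most failures for `user`, or None."""
    per_host = Counter()
    for (host, _reason), n in failures_by_workstation(xml_text, user).items():
        per_host[host] += n
    return per_host.most_common(1)[0][0] if per_host else None

if __name__ == "__main__":
    print(failures_by_workstation(SAMPLE, "usera"), likely_source(SAMPLE, "usera"))
```
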