Account constantly locked out

[sicsicsic]

We have a user who is very often reporting that she cannot check her email. Each time she calls it is because her account is locked out in AD. I went to her desk and used her password to successfully unlock windows, and establish credentials with our exchange server. Though while using her PC, I remotely checked AD and lo and behold she became locked again.

Clearly, there is something attempting to authenticate with a bad password using her user name.

I've done as much research as I can and I stumbled upon Account Lockout Tools:

http://www.microsoft.com/downloads/...9C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

Quick comment on this: Awesome package.

I have been playing with EventComb and AccountStatus and they are very, very useful.

After refreshing account status a few times I notice that the bad password attempt increases over a matter of minutes until it was locked out.

Some of the steps I have already taken:

Reinstalled Outlook.
Removed any thing saved in "manage passwords" under user account control.
Checked mapped drives to ensure access across all.

I then used EventComb to pull the security log for all events pertaining to bad password attempts and lockouts. It pulled events from our domain controller which the IP pointed to our exchange server.

So it clearly has something to do with email, I just don't get why this is happening. Are there any other steps I can perform?

 

[spidey07]

Check to make sure there aren't any services manually configured to use her username/pass to run as.

-edit-
I've also seen this happen with corrupt profiles or a manually supplied username/password on wireless authentication.

 

[seepy83]

Could be a whole bunch of scenarios at play here...

Do you have a password expiration policy?
If yes, did the user's password recently expire?
If yes, does the user ever log on from another PC?
If yes, does the user have a session that has been logged on to another PC since before they set a new password?

It's been a while since I've traced the authentication for Exchange/Outlook/OWA, but do you have OWA in your environment? If someone is trying to log on to OWA as the User, that might explain why the Failure Audits on your DC are coming from the Exchange server. Otherwise, I'm pretty sure that the Failure Audit should have the IP of the PC that it trying to open Outlook (and has a bad password stored in the Mail Profile)...it wouldn't be coming from the Exchange server. But like I said, It's been a while so I could be wrong...

 

[deaner]

I had a user, similar situation. What they had done was log into a PC, authenticated, working on machine. - Then they went and logged into a second PC. When they logged into the 2nd PC, they were prompted to change their password, they changed it.

User was working on the first PC, forgot, then kept getting locked out, due to authentication issues with the password change, as their published Citrix Apps, MS Office suite and others is set for pass-through authentication with Citrix, associated with their AD account. Just a thought...

 

[RebateMonger]

Are you saying that if the user never opens up Outlook after a password reset, then everything continues to work fine?

 

[rasczak]

I'd say it's a profile issue, or your dc has logged the passwd change, but another dc (the one she's authenticating to), has not replicated the changes.

 

[theevilsharpie]

If the account login failures are coming from your Exchange server, my guess would be either a PDA/SmartPhone that doesn't have up-to-date account information, or a separate instance of Outlook that's still using the old password (likely POP3/IMAP).

 

[netsysadmin]

I vote for a PDA/Smartphone with the wrong password. I happens all the time at our place. The phone hits the servers mutiple times in a row locking out there accounts in seconds.

John

If the account login failures are coming from your Exchange server, my guess would be either a PDA/SmartPhone that doesn't have up-to-date account information, or a separate instance of Outlook that's still using the old password (likely POP3/IMAP).