Windows user account gets automatically locked

22
2014-07
  • vdboor

    One of the user accounts on a Windows 2003 server is frequently locked. Each time the "Account is locked" (roughly translated) checkbox is enabled in the Account Properties -> Account tab. The event viewer only mentions that the account is locked, or that I've unlocked it.

    However, I don't see any message why the account gets locked in the first place. Are there know reasons why an account gets locked, or is there a way to find out why this happens?

  • Answers
  • Francois Wolmarans

    It sounds like someone or a process is trying to login to the account and keeps locking it. You need to enable auditing of failed login attempts.

    If your machine is on a domain you can do the following: Audit Active Directory Objects in Windows Server 2003

    If your machine is not on a domain, try the following: Logging Failed Log-in Attempts

    This should give you an idea of the machine/process that is trying to login as that user.

  • ThatGraemeGuy

    There are a number of common causes.

    • Users who use suspend on laptops and take them on/off the domain.
    • People who leave RDP sessions logged on and change their password subsequent to logging on.
    • Users who logon to more than one machine at a time and change their password.
    • Old credentials stored in user accounts > advanced.
    • Scheduled tasks or services with old/incorrect credentials.
  • vdboor

    We finally managed to find the cause:

    • The local user account has the same name as the server account, but has a different password.

    Windows mixes the accounts/passwords somewhere. Changing one of the usernames fixed the problem.


  • Related Question

    Windows 7 client, 2003 Server, user account locked out repeatedly and repeatably
  • TessellatingHeckler

    I have a Windows 7 laptop (domain member), and when I connect a VPN to the office, within 5-10 minutes the main file server/domain controller reports a failed logon for the user account, then 3, then 5, then the user account locks.

    It happens with no extra software running, so it's not an Outlook problem, for instance.

    I have been through control panel and cleared out the Windows and .Net password cache. There are no mapped printers, there is a mapped drive but it appears to work, and there are no scheduled tasks I can find which run so often. I have reset the user's password and put the new one on the laptop.

    I have also put Wireshark on the laptop, but all that can see is "encrypted traffic" going over the VPN.

    A friend has said there are issues with Windows 7 and Windows 2003 Server, e.g. with the LM hash settings which needs a hotfix. He was quite vague and there's another user with Windows 7 for whom this doesn't happen.

    My suspicion is that it's Windows doing this, not a third party installed program.... but how can I dig into this further and find what's causing it?

    ****Update: I have disconnected the mapped drive, and the problem still happened - 4 login failures within two minutes of connecting the VPN to the office.

    Event logs on the server shows Source: Security, Category: Account Logon, ID 675, Pre-authentication failed. Username: (computer-name)$, Service Name: krbtgt/domain.fqdn.example.org, failure code: 0x19

    Followed by Event Security / 680 / Account Logon, MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 / Error Code: 0xC000006A Account logoff / Unknown user name or bad password (both repeat 4 times)

    Update

    I think I have it - the VPN username is the same as the Windows account username, but the passwords are different (because the VPN connects to a firewall, not a Windows server), however when accessing network resources Windows seems to be trying the VPN credentials first - because the account name is the same, the password failures cause the Windows account to become locked.

    I've changed it so the VPN uses a different username and in a few minutes of testing, that seems to workaround it at least.

    Would be interested if anyone knows why the (Windows 7 PPTP) VPN might behave like this and if there's an official way to stop it.


  • Related Answers
  • sysadmin1138

    I have seen this happen when someone has left himself or herself logged in to another system using the same AD account. We had a rough time here with one such example. We ended up looking in the security logs on the Domain Controllers to figure out where the user had left herself logged in. Once we found out where that was we logged the user out and everything went back to normal.

    I have not heard of the Win 7 / Server 2003 issue. I regularly use a Win 7 machine to administer my 40+ Server 2003 and 2008 boxes. But that's not to say this isn't the cause.

    Also, I've seen a couple times when a vpn connection is unstable, and a user has the credentials saved, it may attempt to authenticate each time that the connection is dropped. This could potentially result in such a situation.

    Good luck :)

  • RobM

    Dennis raises a good point. The other way I've seen this happen is that you have 3rd party applications or something (3rd party or not) installed as a service that has been given the credentials and is repeatedly using them to attempt to connect to something.

  • TessellatingHeckler

    As my last update - I think I have it - the VPN username is the same as the Windows account username, but the passwords are different (because the VPN connects to a firewall, not a Windows server), however when accessing network resources Windows seems to be trying the VPN credentials first - because the account name is the same, the password failures cause the Windows account to become locked.

    I've changed it so the VPN uses a different username and in a few minutes of testing, that seems to workaround it at least.

  • sysadmin1138

    Windows can sometimes record a failed login if a station attempting to log in and the server can't reach a mutually agreeable encryption setting, or worse, agree on one mistakenly (thus generating a login failure) before falling back to another one.

    By default Windows 7 is set to "Send NTLMv2 response only". The Server 2003 server may be set to "Send LM & NTLM - use NTLMv2 session security if negotiated". A bug in the protocol negotiations can produce the errored logins you are experiencing. The hotfix your friend mentioned is probably this one:

    http://support.microsoft.com/kb/893318

    As a workaround (and probably why that other Win7 machine is working) you can change your local security policy to work around it:

    Search for "Local Security Policy". You can also find it under admin-tools in the Control Panel. Open it.

    Browse to Local Policies -> Security Options.

    In the list will be "Network Security: LAN Manager Authentication Level".

    It will probably be set to "Send NTLMv2 response only". Change it to "Send LM & NTLM - use NTLMv2 session security if negotiated".

    There is a good reason why Microsoft changed the default on this, so once the VPN server gets updated you'll want to set it back.