This is one of the most common questions, users are complaining that their account is being locked and they even did not type their password.
Today I will talk about this problem and how can you fix it, I saw a lot of blogs and software that report from where the account is locked, but in some cases you need to know more.
The First Question is: From where this account is being locked out ??
There are several software (Some are free and other paid) that can tell you from which computer or device this account get locked.
One of the simplest way and its free is to search in DC Security Eventlog for the following
Event ID: 4740
Event source: Microsoft Windows security auditing
In this log what you will see is this
Now we have the computer name, but where in this computer you should search, there are several places that could have the old or wrong password saved.!!, it could be :
- Map Drive
- Schedule Task
- Windows Service
- Saved credential in user Credential Manager in Control panel
- Password for Mail account that is stored on user Mobile device
- and several other location.
http://www.netwrix.com/account_lockout_troubleshooting.html (Account Lockout Examiner) for querying the computer name that causing the account lock and also perform some basic check on the target machine to analyze what may cause the lock out "schedule task, MAP Drive, Windows Services...".
Sometime its something else, not Windows Service or schedule task or any of the built in fixes. so what should you do..
In this case you will need to monitor Failed Audit for:
- Audit process tracking. ( not required but it will give you more information)
- Audit logon events.
Run Gpedit.msc on the local computer and navigate to:
Windows Settings \ Security Settings \ Local Policies \ Audit Policy
And from there you will double click on Audit logon events and put a check Success , Failure
Set back and relax, and wait for the next lockout and once it happens review Client Machine Audit log and check the failed Log you will see something like this
As you can see and in my case the process that is using the old password is Sharepoint Search component (mssdmn.exe). so simply update the password to a new password from sharepoint site.
This is the best way to get put your finger on the main problem. I hope you like this