
We have one specific user who locks her account out several times a day. There's no rhyme or reason why. I've done remote sessions with her to assist in updating her password. I've cleared all cached credentials from Credential Manager. I've disabled every scheduled task that ran as her domain account. There's nothing showing in the event logs for any of her lockouts. We have SolarWinds monitoring in place that knows the lockout comes from her laptop (as opposed to her phone).

I'm completely at a loss for this, and several of us have tried with no luck. There's no pattern to the time in which she locks out.

Is there some kind of software I can load on her laptop that will give me some details, such as what applications or process is causing this to happen?

https://linustechtips.com/topic/1089070-solving-domain-lockouts/

There should be error logs on the ADC for her user. You can read more about the types of logs generated here: https://www.ultimatewindowssecurity.com/securitylog/book/page.aspx?spid=chapter4

As an aside: you could reimage or issue a new pc for her to use and decom the current one for now. This would rule out her machine being the source of the problem.


Download a copy of lockoutstatus.exe and find out which DC is originating the lockout. Then hit up that controller for security event ID 4740. At the bottom of this alert should be a 'caller computer' which is the device generating the lockout. If you don't have any of those, event 4776 might have extra information.

Once you have decided on a naughty device, check these common sources:

Security event 4625: Will give you a failure reason and a caller process.

Google up the caller process and find out what it does.

If no caller process, here are places to look:

Services: sort the window by 'log on as' and make sure no services are running as the user.

Task Scheduler. Same deal. Make sure no tasks are running as the user.

Email: Some non-Outlook clients use basic authentication... update the password here anytime the domain password changes.

Windows Credential Manager: Just delete all of them.

RADIUS wifi? Forget the corporate wifi network and re-add it. Same goes for the smartphone if applicable.

No caller computer:

Disable ActiveSync and OWA in the user's Exchange properties and see if they go away. If they do, check any and every device they get email on.

Enable NTLM auditing on the domain controllers and then check the NTLM logs after the next lockout.

3rd party tool:

ManageEngine ADAuditPlus. Grab the demo and let it find the lockout. You might have to talk to a sales droid first but it's a good tool.

Lepide Auditor: Also pretty good.

Intel 11700K - Gigabyte 3080 Ti- Gigabyte Z590 Aorus Pro - Sabrent Rocket NVME - Corsair 16GB DDR4
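The 4740-to-caller-computer-to-4625 chain described in the post above, scripted as an added example (not the poster's own code). It assumes the RSAT ActiveDirectory module, remote Security log read access to the PDC emulator and to the caller machine, and takes the user's sAMAccountName as -User; 4740 events replicate to the PDC emulator, so querying it covers lockouts processed by any DC.

```powershell
# Added example: walk a lockout back to the caller computer and its failing process.
# Assumes RSAT ActiveDirectory module and remote Event Log access (hypothetical environment).
param(
    [Parameter(Mandatory)][string]$User,
    [int]$Hours = 24
)

$Pdc   = (Get-ADDomain).PDCEmulator
$Since = (Get-Date).AddHours(-$Hours)

# Read one named <Data> field from the event XML. Indexed Properties[] are fragile,
# and in 4740 the "Caller Computer Name" is actually stored under TargetDomainName.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object Name -eq $Name).'#text'
}

# Step 1: 4740 lockout events for this user on the PDC emulator.
$lockouts = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User }

if (-not $lockouts) { Write-Warning "No 4740 events for $User on $Pdc since $Since"; return }

$callers = $lockouts | ForEach-Object {
    [pscustomobject]@{ Time = $_.TimeCreated; Caller = (Get-EventField $_ 'TargetDomainName') }
}
$callers | Format-Table -AutoSize

# Step 2: on each caller computer, 4625 failures for the user with the process that sent
# the bad credential. SubStatus 0xC000006A = wrong password, 0xC0000234 = already locked.
foreach ($pc in ($callers.Caller | Where-Object { $_ -and $_ -ne '-' } | Sort-Object -Unique)) {
    Get-WinEvent -ComputerName $pc -FilterHashtable @{
        LogName = 'Security'; Id = 4625; StartTime = $Since
    } -ErrorAction SilentlyContinue |
        Where-Object { (Get-EventField $_ 'TargetUserName') -eq $User } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Computer  = $pc
                LogonType = Get-EventField $_ 'LogonType'
                Process   = Get-EventField $_ 'ProcessName'
                SubStatus = Get-EventField $_ 'SubStatus'
                SourceIP  = Get-EventField $_ 'IpAddress'
            }
        } | Format-Table -AutoSize
}
```

A caller of "-" or an empty Process column means the bad credential arrived over the network (NTLM pass-through), which is where the post's NTLM auditing and ActiveSync/OWA steps take over.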
