VMware Cloud Community
Thash
Contributor

user account locks out automatically

This might not be a VMware issue as such, but someone may be able to assist if he/she has some idea on this. I have a user whose account gets locked out immediately, within 2 minutes. I am fed up with unlocking his account all the time and could not find why it's happening. Our domain password policy is to lock out an account after 3 wrong password attempts. But this user really knows his password and is able to log in in one shot, but after a few minutes he gets locked out for no reason. I deleted his account and recreated it, but the situation is the same. I wonder whether there may be some other applications/services trying to authenticate against Active Directory with this account.

0 Kudos
4 Replies
ElevenB2003
Enthusiast

Hi Thash,

This is definitely not something VMware related. I would be very careful re-enabling that account, as it sounds as if something (or someone) is trying to brute-force the password on that account; thus, every couple of minutes you have to re-enable it. Do you have any log file/event manager (Splunk, Solarwinds LEM, etc.) that you can keep an eye on to track what's going on with that account?

This probably isn't the message board to get much help with this issue but as I said, this sounds like a potentially compromised account.

0 Kudos
schepp
Leadership

Hi,

As said, this is not VMware related. You should get the Microsoft Account Lock Tools: http://www.microsoft.com/en-us/download/details.aspx?id=18465

Then take a look at which Domain Controller locks the account, and look into its logs to identify the source of the wrong password. It's often a network drive or a network printer with the wrong credentials. Windows will try to establish the connection multiple times with the wrong credentials and the account gets locked.

Regards

0 Kudos
Thash
Contributor

Thanks guys. I'm aware that it might be something that is not relevant on this platform; it's that I'm worried and desperate about this issue.

0 Kudos
BenLiebowitz
Expert

I've found that idle RDP sessions with an old password often cause problems like this. You can use the link posted by schepp and check out EventComb. Here's an article on how to use it for Account Lockouts.

http://support.microsoft.com/kb/824209

The results will give you a list of where the lockouts are occurring, from what server/ip, etc. 

Good luck!

Ben Liebowitz, VCP vExpert 2015, 2016, & 2017
If you found my post helpful, please mark it as helpful or answered to award points.
0 Kudos
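
The log check that schepp and BenLiebowitz describe (find the domain controller that records the lockout, then read the source machine from its Security log) can also be done with built-in PowerShell. This is an added example, not part of any reply in the thread; it assumes the ActiveDirectory module (RSAT) is installed, that account-management auditing is enabled so lockout event 4740 is written, and `jdoe` is a placeholder account name.

```powershell
# Added example: list where lockouts for one account are coming from.
# Assumptions: ActiveDirectory module available, caller may read the DC
# Security log, and 'jdoe' is a placeholder for the affected account.
param(
    [string]$SamAccountName = 'jdoe',
    [int]$HoursBack = 24
)

Import-Module ActiveDirectory

# Lockouts are processed by the PDC emulator, so its Security log is the
# single place to look first instead of checking every domain controller.
$pdc = (Get-ADDomain).PDCEmulator

$filter = @{
    LogName   = 'Security'
    Id        = 4740                      # "A user account was locked out"
    StartTime = (Get-Date).AddHours(-$HoursBack)
}
$events = Get-WinEvent -ComputerName $pdc -FilterHashtable $filter -ErrorAction SilentlyContinue

$lockouts = foreach ($e in $events) {
    # Read the named EventData fields rather than relying on positions.
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
        $data[$d.Name] = $d.'#text'
    }
    if ($data['TargetUserName'] -ne $SamAccountName) { continue }

    [pscustomobject]@{
        TimeCreated    = $e.TimeCreated
        Account        = $data['TargetUserName']
        # In event 4740 the caller computer name is stored in TargetDomainName.
        CallerComputer = $data['TargetDomainName']
        ReportedBy     = $e.MachineName
    }
}

# Timeline of lockouts, then a count per source machine.
$lockouts | Sort-Object TimeCreated | Format-Table -AutoSize
$lockouts | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, Name
```

A single workstation or server dominating the count points to the kind of stale credential mentioned in the replies (mapped drive, printer, idle RDP session); an empty or unfamiliar caller name is the case to treat as a possible password-guessing attempt and investigate further before unlocking again.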