I'm facing a frustrating issue where our admin staff's Active Directory (AD) accounts are repeatedly getting locked out. The problem started after they logged into a PC at a different site (Site A) a few months ago and now, upon logging into a new PC at Site B with the same account, they find their accounts locked out daily. We've checked and confirmed that no one is trying to log in from Site A with their profile. Interestingly, Event ID 4740 shows that the lockouts are occurring at around 2 AM. Does anyone have any insights into what might be causing this?
6 Answers
It’s possible that the PC at Site A has cached an old password while Site B is using the current one, leading to conflicts.
You’re spot on; cached credentials could be the culprit. Check for any mapped network drives or services that might still be using the old credentials.
A good initial step is to reboot the PC that may be causing the lockouts. If the account still gets locked afterwards, investigate any scheduled tasks or processes that run under that account.
It sounds like there might be a service running under their account on the old PC, or maybe there’s an active session still running in the background. That could definitely cause lockouts if the service tries to authenticate.
1. A reboot might help. Sometimes after logging in and out, if a password change occurs, it won’t lock out unless there’s a lingering disconnected session trying to authenticate. This was a common issue for us with RDP until we enforced a kill policy for disconnected sessions.
2. Focus on the 2 AM lockouts; check the security logs before the failure event. They can often show the process that triggered it.
Have you checked the event logs to see which computer is generating the lockout? That could give you a clearer picture of where the issue lies.
Is there a way to check if there are any active sessions on that PC?