I'm dealing with a frustrating issue where one of our users keeps getting their Active Directory account locked out repeatedly. We've already checked and cleared the credential manager, but that didn't help. The user has switched devices multiple times, yet the problem persists. The security logs on the domain controller show audit failures every 30 seconds, and the process indicated is svchost.exe. The failure reason given is either an unknown username or a bad password, but these lockouts seem to happen after the user successfully signs in, without any password prompts afterward. I'm at a loss for what's causing these lockouts. Has anyone experienced something similar or have any ideas on how to resolve this?
5 Answers
Make sure to check the event logs for where the lockouts are coming from. A common cause could be offline files or mapped drives that are causing the system to repeatedly authenticate incorrectly.
Does the user have a mobile device? This is a common issue where after changing their password, they forget to update their email app, which continues to try logging in with the old password, leading to constant lockouts.
Exactly! We often see this with users who aren't aware that their mobile devices need password updates. It could definitely be the culprit.
It sounds like the user might be logged in on another device that’s still locked. If they changed their password on their main PC, that locked device wouldn't recognize the new password, causing lockouts. Check the event viewer on the domain controller for any clues about where the failures are coming from.
The user only has one PC and we use remote management tools to see active users on devices, so that doesn't seem to be the issue. We're still narrowing down the audit events.
I recommend downloading lockoutstatus.exe from Microsoft. It’s great for identifying which machine or service is causing the account to lock. You should check the hostname and possibly kill any sessions leading to the issue.
Yes! This tool can really simplify things. Identify the DC locking the account, check its logs, and you can usually pinpoint the offending machine.
Try using the Microsoft AD Lockout Tool. It can help you pin down where the lockout is originating from. It's super useful for tracking down problematic sources.

Agreed! Offline files can be sneaky, especially if they haven’t updated correctly to reflect the new password. It’s worth investigating.
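Several answers above suggest reading the domain controller's Security log to find the machine behind the lockouts. As an added example (not code from any poster in this thread), the PowerShell below groups lockout (4740) and failed-logon (4625) events for one account by source computer, address and calling process. The function name `Get-LockoutSource` and the user, host names and address in the sample events are hypothetical.

```powershell
# Added example, not from the thread: summarise where lockouts (4740) and failed
# logons (4625) for one account come from. Input is event XML as produced by
# EventLogRecord.ToXml(); the sample events below are constructed.
function Get-LockoutSource {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [Parameter(Mandatory)][string]$User
    )
    $rows = foreach ($raw in $EventXml) {
        $evt = ([xml]$raw).Event
        $f = @{}
        foreach ($d in $evt.EventData.Data) { $f[$d.GetAttribute('Name')] = $d.InnerText }
        if ($f['TargetUserName'] -ne $User) { continue }
        $id = [int]$evt.System['EventID'].InnerText
        [pscustomobject]@{
            EventId   = $id
            # In 4740 the TargetDomainName field carries the caller computer name.
            Source    = if ($id -eq 4740) { $f['TargetDomainName'] } else { $f['WorkstationName'] }
            Address   = $f['IpAddress']
            Process   = $f['ProcessName']
            LogonType = $f['LogonType']
        }
    }
    $rows | Group-Object EventId, Source, Address, Process, LogonType | ForEach-Object {
        $g = $_
        $g.Group[0] | Select-Object @{ n = 'Count'; e = { $g.Count } }, *
    } | Sort-Object Count -Descending
}

# Constructed sample events; user, host names and address are made up.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$mk = { param($id, $data) "<Event xmlns='$ns'><System><EventID>$id</EventID></System><EventData>$data</EventData></Event>" }
$fail = "<Data Name='TargetUserName'>jdoe</Data><Data Name='WorkstationName'>WS-0142</Data>" +
        "<Data Name='IpAddress'>192.0.2.42</Data><Data Name='LogonType'>3</Data>" +
        "<Data Name='ProcessName'>C:\Windows\System32\svchost.exe</Data>"
$lock = "<Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>WS-0142</Data>"
$other = "<Data Name='TargetUserName'>asmith</Data><Data Name='TargetDomainName'>WS-0007</Data>"
$sample = @((& $mk 4625 $fail), (& $mk 4625 $fail), (& $mk 4625 $fail), (& $mk 4740 $lock), (& $mk 4740 $other))

Get-LockoutSource -EventXml $sample -User 'jdoe' | Format-Table -AutoSize

# Live use (needs the ActiveDirectory module and rights to read the DC's Security log):
# $pdc = (Get-ADDomain).PDCEmulator
# $xml = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4625 } |
#     ForEach-Object { $_.ToXml() }
# Get-LockoutSource -EventXml $xml -User 'jdoe'
```

A source that dominates the counts is the machine to inspect first; the logon type and process columns help separate a stale service or scheduled task from a mapped drive or mail client.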