I'm facing a frustrating issue with account lockouts in my organization, particularly affecting the CEO and the IT office. One account keeps getting locked out every 10 minutes. I checked the event logs and found event 4740 shows that the user's computer is the source of the lockouts. I've also ensured that there are no credentials saved in the Credential Manager, which I cleared out myself. Additionally, I removed the computer from the domain, renamed it, disabled the old PC name, and then re-added it. It's important to note that these lockouts occur even when the account is logged out, when the Ethernet cable is unplugged, or if the computer is turned off. Has anyone experienced something similar or can anyone help me troubleshoot this issue?
6 Answers
Make sure to check the properties of the AD user for any logon scripts that could be using outdated credentials. Unexpected lockouts often happen because of scripts trying to authenticate repeatedly.
Have you checked for any scheduled tasks on the computers using that account? Sometimes older tasks may still be trying to run with old credentials after a password change. Also, make sure there are no mapped drives set to connect at logon.
Good point! I haven't checked that yet but will definitely do so. Could a mounted drive be causing this?
You could also try creating a new user profile for that account. It might fix any lingering issues, especially if there's something wrong with the current profile causing these lockouts.
If all else fails, deleting the account might be a drastic but effective solution. Just make sure to back up any necessary data before doing so!
It could be a mobile device trying to authenticate with the account's credentials. I've seen similar issues where users deny having any mobile devices linked, but it turns out they didn't fully remove the account from their phone. It's worth checking!
I appreciate the suggestion, but we don't use mobile devices here. I'll keep looking for other sources.
If the PC is off and still getting locked out, it might be due to another device, like a printer, trying to authenticate using that account. A packet capture on the Domain Controller may help pinpoint exactly what's triggering the lockouts.
Thanks! I'll consider doing a packet capture if I can't solve this through other means.
I found a script using 'net use' to mount drives. I'll remove it and see if that helps.