I'm dealing with a frustrating issue at my workplace that affects the CEO and my IT team. There are certain user accounts that keep getting locked out every 10 minutes. I've checked the event viewer for event ID 4740, and it indicates that the user's own PC is the culprit. I've already cleared the Credential Manager, removed the account from the domain, and even renamed the PC before adding it back. This happens even when the account is logged out, the ethernet cable is unplugged, or the PC is switched off. I really need assistance with this!
5 Answers
This sounds super interesting. Just to clarify, you're getting sign-in events from the DC showing that the user's PC is the source, even if the PC is powered off? That definitely seems strange.
Have you checked if there's any scheduled task on the PC that might be trying to use old credentials? Sometimes, if a user changes their password, a scheduled task still carrying the old credentials could cause these lockouts.
I haven't yet. I'll definitely look into the scheduled tasks.
Check the user's account properties for any logon scripts. Sometimes there are hardcoded credentials in there that can cause issues like this. If there’s a command that mounts a drive on login, you might want to remove it and test again.
I did notice a 'net use' command for network drive mounting; I’ll be removing that.
I've seen this issue a lot in the past. One common culprit is a mobile device that still has the account linked. Sometimes people deny having their account saved on their phone, but it can keep authenticating and locking the account. Maybe check if anyone has a mobile device causing this?
Thanks for the suggestion! But my org doesn't use mobile devices.
Make sure to verify that the source is indeed the PC and not some other device.
Try logging in from a different PC to see if the problem persists. It might be related to the user's profile rather than their computer.
Good idea! I’ll definitely give that a shot.

Yes, I witnessed it myself; the lockouts occurred even when the PC was offline.
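
One way to act on the advice above to verify the source, as an added example that is not part of the thread: it lines up each 4740 lockout with the failed-authentication events 4771 and 4776 for the same user, so the caller name in 4740 can be compared with where the bad passwords actually arrived from. The events, user name, host names and address are constructed samples, and the helper names `New-SampleEvent` and `Get-LockoutSource` are hypothetical.

```powershell
# Constructed sample events; user, host names and address are placeholders.
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
function New-SampleEvent($Id, $Time, [hashtable]$Data) {
    $fields = ($Data.GetEnumerator() | ForEach-Object { "<Data Name='$($_.Key)'>$($_.Value)</Data>" }) -join ''
    "<Event xmlns='$ns'><System><EventID>$Id</EventID><TimeCreated SystemTime='$Time'/></System><EventData>$fields</EventData></Event>"
}
$sample = @(
    New-SampleEvent 4776 '2024-01-01T09:00:01Z' @{ TargetUserName='jdoe'; Workstation='PRINTSRV01'; Status='0xc000006a' }
    New-SampleEvent 4771 '2024-01-01T09:00:02Z' @{ TargetUserName='jdoe'; IpAddress='::ffff:10.0.0.25'; Status='0x18' }
    New-SampleEvent 4740 '2024-01-01T09:00:03Z' @{ TargetUserName='jdoe'; TargetDomainName='CEO-PC' }
)

# EventData field that names the source for each event ID.
# In 4740 the "Caller Computer Name" is stored in TargetDomainName.
$sourceField = @{ 4740 = 'TargetDomainName'; 4771 = 'IpAddress'; 4776 = 'Workstation' }

function Get-LockoutSource {
    param([string[]]$EventXml, [string]$User)
    foreach ($raw in $EventXml) {
        $x  = [xml]$raw
        $id = [int]$x.Event.System['EventID'].InnerText
        if (-not $sourceField.ContainsKey($id)) { continue }
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        if ($d.TargetUserName -ne $User) { continue }
        [pscustomobject]@{
            Time    = $x.Event.System['TimeCreated'].GetAttribute('SystemTime')
            EventId = $id
            Source  = $d[$sourceField[$id]]   # host name or IP the DC recorded
            Status  = $d.Status               # 0x18 / 0xc000006a = bad password
        }
    }
}

# On a live DC the same function takes real events (run elevated, ideally on the PDC emulator):
# $xml = Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4740,4771,4776} | ForEach-Object { $_.ToXml() }
Get-LockoutSource -EventXml $sample -User 'jdoe' | Sort-Object Time | Format-Table -AutoSize
```

If the 4771/4776 rows show a host or address other than the name in the 4740 row, the bad passwords are coming from that other device rather than from the user's PC.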