User Account Locked from another PC?

7 replies to this topic

#1 johnnybiggles


  • Members
  • 35 posts

Posted 18 July 2012 - 04:52 PM

A user on our network noticed one day that his account was getting locked out randomly and not by means of his own activity [he has administrative privileges, so this issue is a big concern]. He would already be logged on to his PC doing normal activities, and suddenly his phone would alert him that emails could not sync. The reason why, he found out, was because his user account was locked (the Active Directory network locks user accounts after 3 bad attempts), even while logged in at his workstation (if he logged out or the screensaver kicked in, he would not be able to log back in since it would be locked). Logs and timing have shown that when the Network Admin account logs into a different PC - on one specific PC (not any other so far from what we can tell) - his account gets locked out. We've removed any account profiles of his that were once on there, he rarely uses that PC if at all anyway, we have Symantec Endpoint Protection running in realtime on it, we've run MalwareBytes (full scan), TDSSKiller, the system is fully patched and up to date security-wise, and there are no viruses or alerts found from any of them or anything else out of the ordinary. Here's the kicker... when this first started happening, the other PC (where the net admin would log on) did not even have SP1 on it since it hadn't been patched/updated in some time (Win 7 32-bit; it did have an up-to-date antivirus program running at all times, however), so when I finally patched/updated it (this is after scanning and not finding anything), it suddenly stopped. Then, today, it suddenly started happening AGAIN, at the same exact time the net admin logged in (and there were no issues when logging in as net admin on that PC). Nothing out of the ordinary had been done with or to the other PC since that update, no alerts were raised and it's been used several times (under the net admin account) without issue.

Has anyone ever seen anything like this? Is there some efficient simple tool/utility that can monitor or detect failed (or successful for that matter) login attempts (in plain clear English) from computers on the network? Something that gives details as to why this is happening, where it's coming from and some idea of how to stop and prevent it? Any help would be appreciated. Thanks.

Edited by hamluis, 24 July 2012 - 09:56 AM.
Moved from Win 7 to Windows NT - Hamluis.


#2 johnnybiggles

  • Topic Starter

  • Members
  • 35 posts

Posted 24 July 2012 - 09:51 AM

Anyone? By the way, our Domain Controller is Windows Server 2008, if that makes any difference. Is there some kind of log that might tell me something about this or provide a starting investigation point?
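The log that records this is the Security log on the domain controller. The following PowerShell script is an added example, not something posted in the thread: it pulls the lockout events (4740) for one account, which name the computer that sent the failing password, and the failed Kerberos/NTLM validations (4771/4776) that preceded them. It assumes an elevated PowerShell session on, or with read rights to, the Windows Server 2008 DC named in $DC, default logon and account-management auditing, and $Account as a placeholder for the affected user's logon name.

```powershell
# Added example (not from the thread): find where an account's lockouts come from
# by reading the domain controller's Security log.
# Assumptions: run elevated on (or against) the Windows Server 2008 DC in $DC,
# default auditing is on, $Account is a placeholder for the locked-out logon name.
param(
    [string]$Account = 'LOCKED_USER_PLACEHOLDER',
    [string]$DC      = $env:COMPUTERNAME,
    [int]$Days       = 7
)
$since = (Get-Date).AddDays(-$Days)

# Turn one event's EventData section into a name -> value table.
function Get-EventData($Event) {
    $table = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $table[$d.Name] = $d.'#text' }
    return $table
}

# 4740 = "A user account was locked out". It names the account and the machine that
# sent the password that tripped the threshold. In this event the field displayed as
# "Caller Computer Name" is stored under TargetDomainName.
Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $since } |
  ForEach-Object {
    $d = Get-EventData $_
    if ($d['TargetUserName'] -eq $Account) {
        "{0}  LOCKOUT  account={1}  caller_computer={2}" -f $_.TimeCreated, $d['TargetUserName'], $d['TargetDomainName']
    }
  }

# The bad attempts leading up to the lockout also carry their source:
# 4771 = Kerberos pre-authentication failed (IpAddress; Status 0x18 = bad password),
# 4776 = NTLM credential validation (Workstation; any Status other than 0x0 is a failure).
Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4771, 4776; StartTime = $since } |
  ForEach-Object {
    $d = Get-EventData $_
    if ($d['TargetUserName'] -ne $Account) { return }   # skip other accounts
    if ($_.Id -eq 4771) {
        "{0}  KERBEROS-FAIL  from={1}  status={2}" -f $_.TimeCreated, $d['IpAddress'], $d['Status']
    } elseif ($d['Status'] -ne '0x0') {
        "{0}  NTLM-FAIL  workstation={1}  status={2}" -f $_.TimeCreated, $d['Workstation'], $d['Status']
    }
  }
```

Run it against the DC that holds the PDC emulator role as well, since bad-password attempts are forwarded there and 4740 is logged on it.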

#3 Firefoxthebomb


  • Members
  • 457 posts
  • Gender:Male
  • Location:USA -- Texas

Posted 24 July 2012 - 10:44 AM

Just a thought....

Are there any mapped drives on the computer in question that were mapped manually using the credentials of the said user that were tagged to reconnect at log-on? This can happen if this is so and if the user has changed his password recently.


Dell Precision T7810, Win10 64bit fully updated, Symantec Endpoint Protection,
Watchguard Firewall, Intel Xeon E5-2620v4 CPUs, Dual 8 Core Processors, 32GB Ram,
E5-2620v4 @ 2.10GHz X 2, AMD FirePro W4100 with 4 Screens, 500GB SSD Boot Drive,
Raid-1 Dual 2TB Sata 10000 rpm Hard Drives, DVD Burner, IE11, Opera, MBAM, MBSB, MBAE


#4 johnnybiggles

  • Topic Starter

  • Members
  • 35 posts

Posted 24 July 2012 - 12:15 PM

There are external drives (local) but permanently attached via eSATA cables that are not connected using his account and he has not changed his password in at least a month, I believe. Other than that, no.

#5 Firefoxthebomb


  • Members
  • 457 posts
  • Gender:Male
  • Location:USA -- Texas

Posted 24 July 2012 - 02:18 PM

How about network printers that were installed using his credentials?


#6 The_Outkast


  • Members
  • 161 posts
  • Gender:Male
  • Location:Ft. Wayne, IN

Posted 24 July 2012 - 05:51 PM

Run the following command from a Run window (Windows key + R):

rundll32.exe keymgr.dll, KRShowKeyMgr

See if there are any cached credentials for the account you are having problems with. If so, remove them.

P.S. You can also access cached credentials by going to control panel > user accounts > manage your credentials.

#7 johnnybiggles

  • Topic Starter

  • Members
  • 35 posts

Posted 25 July 2012 - 02:34 PM

> Run the following command from a Run window (Windows key + R):
>
> rundll32.exe keymgr.dll, KRShowKeyMgr
>
> See if there are any cached credentials for the account you are having problems with. If so, remove them.
>
> P.S. You can also access cached credentials by going to control panel > user accounts > manage your credentials.

This seemed to do the trick... but what is the difference between running ^^that command and removing the credentials and removing them in the Credential Manager (Control Panel)? The credentials were cleared via the Credential Manager and I also recall trying to remove that other default Windows Live ID but that one keeps coming back even if you delete it. Same thing happens when you do it through that command also. That one is not so much a problem but how are the 2 methods different? I also find it strange that it did not occur for a while then suddenly started up again...

#8 The_Outkast


  • Members
  • 161 posts
  • Gender:Male
  • Location:Ft. Wayne, IN

Posted 25 July 2012 - 05:42 PM

To be honest, I've never figured out what the difference between the two is.
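Both `keymgr.dll,KRShowKeyMgr` (the Stored User Names and Passwords dialog) and the Credential Manager applet are front-ends to the same per-user credential store, which is also what `cmdkey` lists. The script below is an added example, not code from the thread: run under the profile whose logon triggers the lockouts, it inventories the three client-side sources the replies name (stored credentials, persistent drive mappings, network printer connections) so a stale entry for the affected account can be found before it retries a bad password. $Account is a placeholder for the affected user's logon name.

```powershell
# Added example (not from the thread): list the client-side places a stale password
# can hide on the PC where the admin logs on. Run as that user; $Account is a placeholder.
param([string]$Account = 'LOCKED_USER_PLACEHOLDER')

# 1. Stored credentials: the same store edited by keymgr.dll,KRShowKeyMgr and Credential Manager.
#    cmdkey /list prints blocks of "Target: ..." / "Type: ..." / "User: ..." lines.
$stored  = @()
$current = $null
foreach ($line in (cmdkey /list)) {
    if ($line -match '^\s*Target:\s*(.+)$') {
        $current = New-Object PSObject -Property @{ Target = $matches[1].Trim(); User = '' }
        $stored += $current
    } elseif ($line -match '^\s*User:\s*(.+)$' -and $current) {
        $current.User = $matches[1].Trim()
    }
}
"== Stored credentials naming $Account =="
$stored | Where-Object { $_.User -match [regex]::Escape($Account) } |
    ForEach-Object { "  target '$($_.Target)' as $($_.User)" }

# 2. Persistent drive mappings (HKCU\Network). These reconnect at every logon, so a
#    mapping saved with an old password retries it each time the user signs in.
"== Persistent mapped drives =="
Get-ChildItem HKCU:\Network -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-ItemProperty $_.PSPath
    "  $($_.PSChildName): -> $($p.RemotePath) (saved user: $($p.UserName))"
}

# 3. Network printer connections in this profile (authenticated against the print server).
"== Network printers =="
Get-WmiObject Win32_Printer -Filter "Network = TRUE" | ForEach-Object { "  $($_.Name)" }
```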