
Domain Admin Account Gets Locked from Old Computer


3 replies to this topic

#1 forkman00


Posted 17 April 2017 - 09:28 AM

Hi all, first post.

 

We have a domain admin who periodically gets his AD account locked through no action of his own. The security logs indicate that his account is being locked by his old computer (W10x64), which was cleaned up and redeployed to a different user.

 

His user profile was removed prior to redeployment and we think anything related to his domain admin account was removed. We ran disk cleanup/CCleaner on the machine and deleted some obsolete program files. But his account continues to become locked out.

 

Interestingly, there are no failed logon events (ID 4625) generated in the logs, only the lockout event (ID 4740).

 

Any idea why this is happening?

 

Thanks




 


#2 Kilroy


Posted 17 April 2017 - 01:26 PM

Welcome to Bleeping Computer.

 

Redeployment should include reimaging to prevent issues like this one. Reimaging also ensures a known install.

 

It may be possible that something the Admin installed on the machine is attempting to use his credentials for something, either file or web access would be my guess.


Edited by Kilroy, 17 April 2017 - 01:26 PM.


#3 chadatcoderedcomp


Posted 17 April 2017 - 03:05 PM

Could always attempt a Windows Clean boot in an attempt to rule out any third party applications causing issues. If all goes well, simply turn on a few at a time, wait and watch, repeat until you find the culprit.

 

Windows Clean Boot - https://support.microsoft.com/en-us/kb/929135

 

-Chad

 

chad [at] coderedcomputing.com



#4 MarcJones1125


Posted 29 May 2018 - 09:11 PM

You want to take a look at event id 4740 on your domain controller.

Here is a script you can try. https://thesysadminchannel.com/get-account-lock-out-source-powershell/


Edited by MarcJones1125, 29 May 2018 - 09:24 PM.
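
One way to follow up on event ID 4740 from the domain controller side, as an added example (not part of the original thread and not the script at the linked URL): it reads the lockout events for one account from the PDC emulator, then pulls the failed Kerberos (4771) and NTLM (4776) validations for the same account from every DC, since those are recorded on the DC rather than as 4625 on the workstation. The account name `jdoe`, the 24-hour window and the helper names `Get-EventField` and `Get-AccountEvent` are assumptions made for the example.

```powershell
# Added example: assumes the RSAT ActiveDirectory module, rights to read the
# Security log on the domain controllers, and an audit policy that records
# 4740/4771/4776. 'jdoe' is a placeholder account name.
param([string]$User = 'jdoe', [int]$Hours = 24)
Import-Module ActiveDirectory
$since = (Get-Date).AddHours(-$Hours)

# Read an event's <EventData> into a name -> value table (fields by name, not index).
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Record)
    $fields = @{}
    foreach ($d in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$d.Name] = $d.'#text'
    }
    $fields
}

# Collect the events for $User from one DC as uniform rows.
function Get-AccountEvent {
    param([string]$DC, [int[]]$Id)
    Get-WinEvent -ComputerName $DC -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'Security'; Id = $Id; StartTime = $since } |
        ForEach-Object {
            $e = $_
            $f = Get-EventField $e
            # Skip other accounts and successful NTLM validations (status 0x0).
            if ($f.TargetUserName -ne $User -or $f.Status -eq '0x0') { return }
            # The origin of the attempt sits in a different field per event:
            # 4740 TargetDomainName (caller computer), 4771 IpAddress, 4776 Workstation.
            $source = switch ($e.Id) {
                4740 { $f.TargetDomainName }
                4771 { $f.IpAddress }
                4776 { $f.Workstation }
            }
            [pscustomobject]@{
                Time = $e.TimeCreated; DC = $DC; EventId = $e.Id
                Source = $source; Status = $f.Status
            }
        }
}

# 4740 on the PDC emulator names the computer that triggered the lockout.
$rows = @(Get-AccountEvent -DC (Get-ADDomain).PDCEmulator -Id 4740)
# The failed attempts are logged by whichever DC validated them:
# 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $rows += @(Get-AccountEvent -DC $dc -Id 4771, 4776)
}
$rows | Sort-Object Time | Format-Table -AutoSize
```

The `Source` and `Time` columns of the 4771/4776 rows just before each 4740 row show which host sent the bad credentials and how often, which is the starting point for checking that host for stored credentials, services, scheduled tasks or mapped drives still using the old password.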




