Domain account keep getting locked out daily

thesb 1 Reputation point
2021-12-21T18:25:44.36+00:00

Hi all,

One of my users is having an account lockout issue on a daily basis, once per day, and it always happens after he's back from lunch.

In our environment, we have MS Exchange Email and MS Teams.

In the AD server security logs, it shows Kerberos pre-authentication failure, failure code 0x18, pre-authentication type 2.

In the Exchange server security logs, it shows account locked out with 0xC0000234, caller process w3wp.exe, logon process Advapi, from a public IP.

I have been trying to solve this issue; any advice would be greatly appreciated.

Thanks.


3 answers

  1. Manu Philip 16,986 Reputation points MVP
    2021-12-21T18:35:51.19+00:00

    Do you know if the user accesses the mail or Teams account on a mobile device? Sometimes the password might be wrongly registered on the mobile device, and that leads to the account lockout. Try to reset the password from the device and see if it helps. You may also try logging out and logging in again from the device and see if it helps.


    If the Answer is helpful, please click "Accept Answer" and upvote it


  2. Kael Yao-MSFT 37,496 Reputation points Microsoft Vendor
    2021-12-22T02:19:27.863+00:00

    Hi @thesb

    According to the security events, it seems that someone keeps trying to log in to this account with a wrong password via IIS (ECP, OWA, ...), or there may be outdated credentials cached on some devices.
    To confirm it, please also check the IIS log on the Exchange server (default path: %SystemDrive%\inetpub\logs\LogFiles) for the requests.

    If the public IP addresses in the events aren't legitimate, please block the IP addresses and see if the problem persists.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
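
One way to do that IIS log check, as an added example that is not code from the thread or its participants: a small Python parser for IIS W3C logs that counts 401 responses per client IP on the Exchange virtual directories (OWA, ECP, EWS, ActiveSync, Autodiscover, MAPI), run here over constructed sample lines. The client IPs, username, status codes and the flagging threshold are assumptions; the same function can be pointed at the real u_ex*.log files.

```python
from collections import defaultdict

# Constructed sample in IIS W3C format (not taken from the thread). 198.51.100.7
# (documentation range) stands in for the "public IP" seen in the 4740 event;
# 192.0.2.25 is a legitimate client with a single mistyped password.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2021-12-21 13:01:02 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 401 0 0 15
2021-12-21 13:01:04 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 401 0 0 12
2021-12-21 13:01:06 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 401 0 0 11
2021-12-21 13:01:09 10.0.0.5 POST /ecp/ - 443 - 198.51.100.7 Mozilla/5.0 401 0 0 10
2021-12-21 13:02:00 10.0.0.5 GET /owa/ - 443 CONTOSO\\jdoe 192.0.2.25 Mozilla/5.0 200 0 0 40
2021-12-21 13:02:30 10.0.0.5 POST /owa/auth.owa - 443 - 192.0.2.25 Mozilla/5.0 401 0 0 14
"""

# Exchange virtual directories that authenticate against AD via w3wp.exe.
AUTH_PATHS = ("/owa", "/ecp", "/ews", "/microsoft-server-activesync", "/autodiscover", "/mapi")

def parse_iis_log(text):
    """Yield one dict per request line, taking column names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) == len(fields):  # skip truncated/malformed lines
            yield dict(zip(fields, values))

def failed_auth_by_ip(text, threshold=3):
    """Count 401s on Exchange auth endpoints per client IP; return (all counts, IPs at/over threshold)."""
    failures = defaultdict(int)
    for req in parse_iis_log(text):
        uri = req.get("cs-uri-stem", "").lower()
        if req.get("sc-status") == "401" and uri.startswith(AUTH_PATHS):
            failures[req["c-ip"]] += 1
    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    return dict(failures), suspects

if __name__ == "__main__":
    # Against a real server, read the u_ex*.log files from the path given above instead.
    counts, suspects = failed_auth_by_ip(SAMPLE_IIS_LOG)
    for ip, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        flag = "  <-- repeated failures: verify the source before blocking" if ip in suspects else ""
        print(f"{ip:16} 401s={n}{flag}")
```

Correlate the flagged IPs and timestamps with the 4740/4771 events; an IP that is not one of the user's known clients points to external guessing, while the user's own home or mobile address points to a cached stale credential.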


  3. Amit Singh 4,846 Reputation points
    2021-12-22T11:43:22.373+00:00

    Either your user has a device that is still passing old/bad credentials (it doesn't matter if you remove the device from Exchange; it will just keep trying until your user fixes it), or some rogue entity is attempting to brute-force your user's account.


    Please mark as "Accept the answer" if the above steps help you. Your suggestion will also help others!
