AD Account Lockout without any clear originator

Eustace Jacobs 0 Reputation points
2024-08-08T16:50:00.31+00:00

I have a remote user whose account keeps getting locked due to incorrect password attempts. Interestingly, the account locks even when the user’s phone and workstation are turned off. The Domain Controller (DC) reports the lockout, while DUO Security Authentication logs the failed request, pointing to the gateway. However, both DUO and the firewall indicate that this information is inaccurate. DUO acts as a pass-through based on the log information, and the user’s request does not appear in the firewall logs.


1 answer

  1. Yanhong Liu 7,830 Reputation points Microsoft Vendor
    2024-08-09T08:38:52.6533333+00:00

    Hello,

    Thank you for posting in Q&A forum.

    1. Third-party application or service credential caching

    • Possible cause: The user's credentials may already be cached in a third-party application or service. These services may periodically attempt to connect to the system using outdated credentials in the background, resulting in account lockouts.

    • Solution: Check to see if any third-party services or applications are using the user's old credentials. You can find authentication attempts related to that user by analyzing the event logs and DUO logs.

    2. Mapped network drives or scheduled tasks

    • Possible cause: A mapped network drive, scheduled task, or service may be trying to connect to a domain using old credentials, causing an account lockout.

    • Solution: Users should review and update all mapped network drives, scheduled tasks, and service credentials associated with their accounts.

    3. Enforce lockout for domain policies

    • Possible cause: Policies on domain controllers (DCs) can force account lockouts after multiple failed logon attempts.

    • Solution: Ensure that the domain policy is reasonable and excludes cases of non-malicious locking. You can use the timestamp of a locked event to correlate other event logs to find the source that caused the lock.

    4. Attacks or Malware

    • Possible cause: It is possible that malware or an attacker is trying to log in using the user's credentials.

    • Solution: Use antivirus software to scan the user's workstation, phone, and all related devices. Also, check your network for unusual traffic or activity.

    5. Cached credentials and roaming profiles

    • Possible cause: If a user has a roaming profile, there may be a situation where the old credentials are not updated in the cache, resulting in an account lockout.

    • Solution: Clear the cached credentials and make sure the credentials on all devices are up to date.

    6. Deep-seated network problems

    • Possible cause: There may be configuration issues related to DUO or other gateways in the network, resulting in inconsistent information.

    • Solution: Check the gateway configuration to make sure the DUO is set up correctly. An in-depth network troubleshoot may be required.

    Next steps

    • Collect detailed logs about lockout events, including timestamps, source IPs, failed login attempts, and more.

    • Check all devices associated with the user's account to make sure there aren't any outdated credentials or problematic apps.

    • You may need to temporarily lift the user's account lockout policy for a step-by-step lookout.

    These steps should help you pinpoint the root cause of the problem and prevent future account lockout incidents.

    I hope the information above is helpful.

    Best Regards,

    Yanhong Liu

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.

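As an added illustration of the "correlate the lockout timestamp with other event logs" step (example code written for this page, not part of the answer above or any Microsoft tool), the script below pulls the 4740 lockout events for one account from the PDC emulator and then lists the matching 4771/4776 bad-password events from every DC, so the true source can be compared against what the gateway reports. It assumes the RSAT ActiveDirectory module, remote read access to the DCs' Security logs, and a placeholder account name `jdoe`.

```powershell
# Added example: find where an AD account lockout is really coming from.
# Assumptions: ActiveDirectory module present, rights to read DC Security
# logs remotely, and $User is the sAMAccountName of the locked account.
Import-Module ActiveDirectory

$User  = 'jdoe'                    # placeholder, replace with the real account
$Since = (Get-Date).AddDays(-2)    # look back two days

# Turn an event's <EventData> into a name -> value hashtable.
function Get-EventFields($evt) {
    $x = [xml]$evt.ToXml(); $d = @{}
    foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
    return $d
}

# 4740 (account locked out) is always written on the PDC emulator. In this
# event the TargetDomainName field holds the "Caller Computer Name".
$Pdc = (Get-ADDomain).PDCEmulator
$lockouts = Get-WinEvent -ComputerName $Pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = $Since
} -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventFields $_
    if ($d.TargetUserName -eq $User) {
        [pscustomobject]@{ Time = $_.TimeCreated; CallerComputer = $d.TargetDomainName }
    }
}
$lockouts | Format-Table -AutoSize

# The caller computer is frequently a gateway or proxy rather than the origin,
# so pull the bad-password events from every DC around those times:
# 4771 (Kerberos pre-auth failed, Status 0x18) carries the client IpAddress,
# 4776 (NTLM, Status 0xC000006A) carries the Workstation name.
$failures = foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName = 'Security'; Id = 4771, 4776; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventFields $_
        if ($d.TargetUserName -eq $User) {
            $src = if ($_.Id -eq 4771) { $d.IpAddress } else { $d.Workstation }
            [pscustomobject]@{ Time = $_.TimeCreated; DC = $dc; EventId = $_.Id
                               Source = $src; Status = $d.Status }
        }
    }
}
$failures | Sort-Object Time | Format-Table -AutoSize
```

A source IP or workstation that keeps appearing while the user's own devices are powered off points at a stale credential on another host (a service, scheduled task, or mapped drive), which is the case the answer describes.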
