Hello,
Thank you for posting in Q&A forum.
- Third-party application or service credential caching
  • Possible cause: The user's credentials may already be cached in a third-party application or service. These services may periodically attempt to connect to the system using outdated credentials in the background, resulting in account lockouts.
  • Solution: Check to see if any third-party services or applications are using the user's old credentials. You can find authentication attempts related to that user by analyzing the event logs and DUO logs.
- Mapped network drives or scheduled tasks
  • Possible cause: A mapped network drive, scheduled task, or service may be trying to connect to a domain using old credentials, causing an account lockout.
  • Solution: Users should review and update all mapped network drives, scheduled tasks, and service credentials associated with their accounts.
- Enforce lockout for domain policies
  • Possible cause: Policies on domain controllers (DCs) can force account lockouts after multiple failed logon attempts.
  • Solution: Ensure that the domain policy is reasonable and excludes cases of non-malicious locking. You can use the timestamp of a locked event to correlate other event logs to find the source that caused the lock.
- Attacks or malware
  • Possible cause: It is possible that malware or an attacker is trying to log in using the user's credentials.
  • Solution: Use antivirus software to scan the user's workstation, phone, and all related devices. Also, check your network for unusual traffic or activity.
- Cached credentials and roaming profiles
  • Possible cause: If a user has a roaming profile, there may be a situation where the old credentials are not updated in the cache, resulting in an account lockout.
  • Solution: Clear the cached credentials and make sure the credentials on all devices are up to date.
- Deep-seated network problems
  • Possible cause: There may be configuration issues related to DUO or other gateways in the network, resulting in inconsistent information.
  • Solution: Check the gateway configuration to make sure DUO is set up correctly. An in-depth network troubleshoot may be required.
Next steps
• Collect detailed logs about lockout events, including timestamps, source IPs, failed login attempts, and more.
• Check all devices associated with the user's account to make sure there aren't any outdated credentials or problematic apps.
• You may need to temporarily lift the user's account lockout policy for a step-by-step lookout.
These steps should help you pinpoint the root cause of the problem and prevent future account lockout incidents.
I hope the information above is helpful.
Best Regards,
Yanhong Liu
============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.
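As an added example of the log correlation the answer describes (reading lockout events and using their timestamps to find the source), not code from the answer's author: the PowerShell below pulls Event ID 4740 ("A user account was locked out") for one account from the PDC emulator, which records every lockout in the domain, and then lists the failed-logon events (4625, 4771, 4776) from the half hour before each lockout on the DC that recorded it. The account name `jdoe`, the 24-hour lookback and the 30-minute correlation window are placeholder assumptions; it also assumes the ActiveDirectory module is installed, that the DCs audit account management and logon events, and that the caller has rights to read their Security logs.

```powershell
# Added example, not the answer author's code. Locate the machine that caused
# an account lockout by correlating 4740 on the PDC emulator with failed-logon
# events on the DC that recorded the lockout.
param(
    [string]$User  = 'jdoe',   # placeholder sAMAccountName (assumption)
    [int]   $Hours = 24        # how far back to look (assumption)
)

Import-Module ActiveDirectory

# Every lockout in the domain is replicated to the PDC emulator as Event ID 4740,
# so querying it is enough regardless of which DC saw the bad password.
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)

# In a 4740 event, Properties[0] is TargetUserName and Properties[1] is the
# caller computer name (the field labelled "Caller Computer Name" in the message).
$lockouts = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4740
        StartTime = $since
    } -ErrorAction SilentlyContinue |
    Where-Object { $_.Properties[0].Value -eq $User } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $_.Properties[0].Value
            CallerComputer = $_.Properties[1].Value   # where the bad credentials came from
            DC             = $_.MachineName
        }
    }

if (-not $lockouts) {
    Write-Host "No 4740 events for $User on $pdc in the last $Hours hours."
    return
}

$lockouts | Format-Table -AutoSize

# For each lockout, show the failed logons in the 30 minutes before it on the
# recording DC: 4625 = failed logon, 4771 = Kerberos pre-authentication failed,
# 4776 = NTLM credential validation failed. The fields picked out of the message
# are the ones that name the source host and the failure reason.
$fields = 'Client Address|Source Network Address|Source Workstation|Workstation Name|Failure Code|Failure Reason|Error Code'
foreach ($l in $lockouts) {
    Write-Host ("--- Failed logons before lockout at {0} (caller: {1}) ---" -f $l.Time, $l.CallerComputer)
    Get-WinEvent -ComputerName $l.DC -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4625, 4771, 4776
            StartTime = $l.Time.AddMinutes(-30)
            EndTime   = $l.Time
        } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match [regex]::Escape($User) } |
        Select-Object TimeCreated, Id,
            @{ n = 'Detail'; e = {
                ($_.Message -split "`n" | Where-Object { $_ -match $fields } |
                    ForEach-Object { $_.Trim() }) -join '; '
            } } |
        Format-Table -Wrap
}
```

The caller computer name in 4740 is usually the answer by itself (a workstation with a stale mapped drive, a server running a scheduled task, or a gateway such as the Duo proxy); the failed-logon detail is what tells you whether the source address and failure code point at an expired cached password or at something that deserves the antivirus and network checks listed above.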