Active Directory Multiple Failed Login Attempts by same user

Nikil Lepcha 6 Reputation points
2021-10-12T10:00:15.23+00:00

In my enterprise, a single user logs in to multiple systems (for example, say a count of 5). After the password expires, the user changes the password with the help of the IT team and logs in on one system.
After this incident, the remaining 4 systems which the user previously logged in to trigger bad password attempts continuously, like 5-10 bad password attempts each second.

I can't figure out what the problem is. How do the systems automatically trigger a login attempt? What should I do to stop such incidents?


3 answers

  1. Gary Reynolds 9,621 Reputation points
    2021-10-12T10:22:15.95+00:00

    Hi @Nikil Lepcha

    It looks like the user has a previous session still active, or a network share or something else that is still using the old password. Have a look at this article; it might help you find where the old credentials are still being used: https://nettools.net/troubleshoot-account-lockouts/

    Gary.

    1 person found this answer helpful.

  2. Gary Reynolds 9,621 Reputation points
    2021-10-12T11:11:10.467+00:00

    Hi @Nikil Lepcha

    I'm assuming that the user is logging into Windows workstations or servers that are joined to an AD. The reason I ask is that by default AD will only accept the current password; it doesn't accept n-1 or n-2 passwords. This functionality only exists for computer accounts and is limited to n and n-1 passwords, unless you have additional services installed on the DCs to support this functionality. Can you share the details of your new lockout policy?

    Are there multiple accounts that are showing this problem or just this one?

    The presence of a user profile on a machine will not cause a logon event; this will only happen if the user has started an RDP session and disconnected the session, or left a machine logged on. Typically in this scenario the logon event happens as the session tries to access resources that were opened while the user was using the session, or mapped drives opened with credentials.

    You can use NetTools to identify which systems are causing the logon and see if there are any sessions still running for the user.

    Gary.

    1 person found this answer helpful.

  3. Gary Reynolds 9,621 Reputation points
    2021-10-12T21:13:31.163+00:00

    Hi,

    If you follow the article, it will show you which machines the accounts are getting locked out from; then you can check that machine for an open session. It doesn't provide the ability to scan machines to find active sessions.

    Gary.
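
The tracing described in the answers above (find which machine the failed logons come from, then check that machine for a leftover session) can be sketched in PowerShell. This is an added example, not part of the thread or of NetTools: the user names, host names and IP addresses in the sample events are constructed, and `$dc` in the commented section is a placeholder for a domain controller name.

```powershell
# Constructed sample records in the shape of Get-WinEvent's ToXml() output for
# domain controller Security events 4740 (lockout), 4771 (Kerberos pre-auth
# failure) and 4776 (NTLM credential validation). All names and IPs are made up.
$sample = @(
    '<Event><System><EventID>4771</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="Status">0x18</Data><Data Name="IpAddress">::ffff:10.0.0.21</Data></EventData></Event>'
    '<Event><System><EventID>4771</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="Status">0x18</Data><Data Name="IpAddress">::ffff:10.0.0.21</Data></EventData></Event>'
    '<Event><System><EventID>4776</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="Workstation">WS-03</Data><Data Name="Status">0xc000006a</Data></EventData></Event>'
    '<Event><System><EventID>4740</EventID></System><EventData><Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">WS-02</Data></EventData></Event>'
    '<Event><System><EventID>4771</EventID></System><EventData><Data Name="TargetUserName">asmith</Data><Data Name="Status">0x12</Data><Data Name="IpAddress">::ffff:10.0.0.40</Data></EventData></Event>'
)

function Get-BadPasswordSource {
    param([string[]]$EventXml, [string]$User)
    $hits = foreach ($x in $EventXml) {
        $e = ([xml]$x).Event
        # Flatten the <Data Name="..."> elements into a name/value table.
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $User) { continue }
        # Each event type names the originating machine in a different field.
        $source = switch ([int]$e.System.EventID) {
            # Kerberos: status 0x18 means the pre-authentication password was wrong.
            4771 { if ($d['Status'] -eq '0x18') { $d['IpAddress'] -replace '^::ffff:', '' } }
            # NTLM: status 0xC000006A means a bad password for a valid user name.
            4776 { if ($d['Status'] -eq '0xc000006a') { $d['Workstation'] } }
            # Lockout: TargetDomainName holds the caller computer name.
            4740 { $d['TargetDomainName'] }
        }
        if ($source) { [pscustomobject]@{ EventId = [int]$e.System.EventID; Source = $source } }
    }
    # Busiest source first: that machine is where to look for the old credentials.
    $hits | Group-Object Source, EventId | Sort-Object Count -Descending |
        Select-Object Count, Name
}

Get-BadPasswordSource -EventXml $sample -User 'jdoe'

# Against a live domain controller (requires rights to read its Security log):
# $xml = Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4771, 4776 } |
#     ForEach-Object { $_.ToXml() }
# Get-BadPasswordSource -EventXml $xml -User 'jdoe'
```

On a machine reported as a source, `quser /server:<name>` lists logged-on and disconnected sessions for the user.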
