User Gets Locked Out 20+ Times Per Day
Posted by ArmAble@reddit | sysadmin | 306 comments
I am asking for any advice, suggestions, ideas on an issue that's been going on for way too long. We have a user who gets locked out constantly. It's not from them typing in their password wrong, they will come into work and their laptop is already locked before they touch it. It's constant. Unfortunately, we have been unable to find a solution.
Before I explain all of our troubleshooting efforts, here is some background on our organization.
- Small branch company, managed by a parent organization. Our IT team is just myself and my manager. We have access to most things, but not the DC or high-level infrastructure.
- Windows 10 22H2 for all clients
- Dell latitude laptops for all clients
- No users have admin rights/elevated permissions.
- We use O365 and no longer use on-prem Exchange, so it's not email related.
Now, here is more information on the issue itself. When this first started happening, over a year ago, we replaced the user's computer. So, he had a new profile, and a new client. Then, it started happening again. Luckily, this only happens when the user is on site, and they travel for 70% of their work, so they don't need to use the VPN often. Recently, the user has been doing a lot more work on site, so the issue is now affecting them every day, and it's unacceptable.
I have run the Windows Account Lockout Tool and the Netwrix Lockout Tool, and they both pointed that the lockout must be coming from the user's PC. Weirdly though, when I check event viewer for lockout events, there is never any. I can't access our DC, so I unfortunately cannot look there for lockout events.
In Task Scheduler, I disabled any tasks that ran with the user's credentials. In Services, no service was running with their credentials. We've reset his password, cleared Credential Manager, I've even gone through all of the Event Viewer logs possible to check anything that could be running and failing. This has been to no avail.
The only thing I can think to do now would be to delete and recreate the user's account. I really do not want to do this, as I know this is troublesome and is bound to cause other issues.
Does anyone have any suggestions that I can try? We are at a loss. Thanks!
USMCLee@reddit
Any update?
ArmAble@reddit (OP)
He’s been traveling again, so unfortunately not. He should be back in the office tomorrow.
danison1337@reddit
what was the actual solution? his account was logged in on another laptop?
TatorhasaTot@reddit
I'm curious as well
ArmAble@reddit (OP)
Unfortunately we still haven’t figured it out. He’s been out traveling but should be back tomorrow.
Nuggetdicks@reddit
Why didn’t you gain access to the DC before all of this nonsense. Really… 🤔
ArmAble@reddit (OP)
Because my parent company doesn’t give us access to stuff like this. They’re strict. They’re sticklers. It was hard enough to get access to just look at the event logs. We don’t have access to top level infrastructure, like I said. I’m not an idiot. Of course that would’ve made things easier, but my parent company is in Germany, we have language barriers, time zone barriers, and they are VERY big on least privilege and security.
Finn_Storm@reddit
Did you get a fix?
ArmAble@reddit (OP)
I haven’t. He’s been out of the office traveling again. He has been using the VPN with no issues, came in briefly Monday, and was locked out as soon as he connected to our office network. Unfortunately, I was out Monday, so I couldn’t investigate. He will be in tomorrow.
ApprehensiveKing7292@reddit
run credential manager as system (using psexec) and see if their credentials are stored under the system context. I've seen this happen before even if the user isn't an admin. If there are any credentials stored there, delete them.
anon47@reddit
Yup, this is what I do. Here are the steps for anyone else that needs them.
Download PsExec.exe from http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx and copy it to C:\Windows\System32 .
From a command prompt run: psexec -i -s -d cmd.exe
From the new DOS window run: rundll32 keymgr.dll,KRShowKeyMgr
Remove any items that appear in the list of Stored User Names and Passwords. Restart the computer.
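The same sweep the two comments above describe, in one script that also covers the other local hiding places mentioned in the thread (scheduled tasks, services, and the client-side 4648 explicit-credential events that a stored password produces). This is an added example, not code from the thread; it assumes PsExec.exe is on PATH, an elevated PowerShell prompt on the user's laptop, and placeholder names `jdoe` / `CORP` for the account.

```powershell
# Added example, not from the thread: hunt for local sources of stale credentials
# for one account on a Windows 10 client. Run from an elevated PowerShell prompt
# on the user's laptop. Assumes PsExec.exe is on PATH; $User/$Domain are placeholders.
param([string]$User = 'jdoe', [string]$Domain = 'CORP')

# Matches CORP\jdoe, jdoe@corp.local, .\jdoe and bare jdoe, case-insensitively
$who = '(?i)(^|\\|@)' + [regex]::Escape($User) + '(@|$)'

"== Scheduled tasks that run as $Domain\$User =="
Get-ScheduledTask | Where-Object { $_.Principal.UserId -match $who } |
    Select-Object TaskPath, TaskName, State, @{n='RunAs'; e={ $_.Principal.UserId }}

"== Services whose logon account is $Domain\$User =="
Get-CimInstance Win32_Service | Where-Object { $_.StartName -match $who } |
    Select-Object Name, State, StartName

"== Credential Manager: current user =="
cmdkey /list | Select-String 'Target:|User:'

"== Credential Manager: SYSTEM context (what services and tasks see) =="
# -s runs cmdkey as LocalSystem, so entries stored under SYSTEM show up here
psexec -accepteula -nobanner -s cmdkey /list | Select-String 'Target:|User:'

"== Last 48 h of 4648 (explicit-credential logons) naming this account =="
# 4648 is written on the client when a process supplies credentials itself, e.g. a
# mapped drive, a scheduled task or an app with a saved password. ProcessName and
# TargetServerName say what tried, and against which host. Fields are read from the
# event XML so no Properties[] index has to be guessed.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4648; StartTime=(Get-Date).AddHours(-48) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $f[$d.Name] = $d.'#text' }
        if ($f.TargetUserName -match $who) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Process = $f.ProcessName
                Target  = $f.TargetServerName
                As      = "$($f.TargetDomainName)\$($f.TargetUserName)"
            }
        }
    } | Format-Table -AutoSize
```

If every section comes back empty, the client is probably not the source and the next stop is the DC-side logs; a 4648 hit names the process to uninstall or the saved credential to delete.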
current_thread@reddit
So what did it turn out to be?
Content-Wallaby-5704@reddit
In my org, the case is usually a disconnected session on a terminal server.
Regular_Pride_6587@reddit
Mapped drive on or cached credentials on Laptop #2
HankMardukasNY@reddit
It sounds like something wrong with a device that is on them. Usual suspect is a cell phone connected to an 802.1x SSID with the wrong password. You need DC access to really investigate this, or escalate to the people who do. Turn off all of their personal devices and turn them on one by one to narrow it down.
rvarichado@reddit
"You need DC access to really investigate this"
This. The relevant failed login and lockout events are there for someone to look at. I'm frankly surprised someone hasn't offered to check them for you.
nostalia-nse7@reddit
Always great day when a sysadmin gets to open a ticket that’s someone else’s problem. Go OP — open a ticket with the parent company. No DC Access == investigation ticket to someone who can access DC.
Btw — email even in 365 absolutely still can have something to do with this. It’d mean though that AD is synced with Entra.
But yes, someone needs to check the event logs on the DC. Those should disclose where the culprit device is.
whocaresjustneedone@reddit
Yeah I'm really confused how "the DCs have the relevant logs I need but I don't have access to them" wasn't a thought process that led OP to get someone with access to them involved before making a reddit post...
AsleepBison4718@reddit
Because in some orgs, people get shit on for asking other teams/people for help if they haven't done enough groundwork themselves.
whocaresjustneedone@reddit
But getting to the point where you've determined you need the logs is the ground work.... OPs just a space head
Postalcode420@reddit
As they should! I deal with problems affecting 10-100s of people. If you send me a single user issue you had better have done the ground work. I'm super happy to help/teach or assist you if you can show me you at least tried. Pass me an empty ticket, and you will get it right back. If you show me you reached the end of your capabilities or access, then by all means, pass the ticket on. But there had better be updates with what's been done or why it's passed on to us. Even if the update is just "same issue as ticket xxxx", then I know you at least looked into it.
Jazzlike_Pride3099@reddit
Now I'm at L1-whatever is highest (big company but small in-house IT), but if I were to ask the level above to send me the lockout events to see where the lockout occurred and was told that I needed to spend a week trying to look locally at every possible device that could cause it instead of sending me what triggered the lockout... Then you, me and finance would have a talk.
Postalcode420@reddit
I mean in this case it's not really applicable; this fictitious big company of ours should have something set up to allow helpdesk to view the lockout events. Lockouts occur way too often to have to deal with these kinds of questions several times a day from helpdesk about what device is causing a user's lockout. Especially if it's a big company with many users. Just set up log export and be done with it.
They don't need access to the DC, that's waaay above their paygrade. Specific logs, sure, that's fine. Makes everyone more efficient.
I'm just saying, in general: do the ground work. Update the ticket with what's been tested. Don't just expect someone else to fix it. Yes, I might do it faster and better than you. But that's because I have already done the damn thing 1000 times. Now my job is to do other stuff.
Jawb0nz@reddit
I don't disagree with that philosophy, to an extent. Sometimes, lower tier team members need to be trained to do their due diligence before escalation, rather than just going to the next tier to do all the heavy lifting. It makes them better and makes the escalation smoother.
AsleepBison4718@reddit
There's a clear difference between someone chucking an empty ticket to someone and saying "Do"; and someone that's asking for help trying to figure out a problem though.
justfdiskit@reddit
“Get shit on even when they’ve done the groundwork” - FTFY.
My proudest sysadmin moments were when somebody “above” me (in seniority, definitely not competence) kept saying “it must be at your level” FOR WEEKS. When they threatened my job over getting it fixed, I went 3 levels above to get the info. got it fixed 10 minutes later (by having same “Seniors” cut and paste the exact same thing I’d been telling them for weeks) …
Yeah, even now that I’m that senior, FUCK THOSE GUYS.
AsleepBison4718@reddit
True
Saritiel@reddit
Lol, last couple places I was at I didn't have access, and getting the IAM team to actually look at and interpret those logs was like pulling teeth.
I tried to get access to just do it myself but they were adamant against it.
CARLEtheCamry@reddit
That's silly.
I got tired of having to look them up manually all the time so ended up writing a little script to scrape all the 4740's and publishes them to a sharepoint site for our helpdesk.
AlphaGeeky@reddit
That sounds hella useful. Would you mind sharing that script with me? I suppose I could also create one, but like many sr admins, time is in limited supply, plus it sounds like you've already debugged, perfected and got it working perfectly.
CARLEtheCamry@reddit
Sorry, I left that area years ago and no longer have access to the code
Brave_Promise_6980@reddit
DC’s should feed the siem - query the siem see what’s going there as any DC could be doing this, is it possible they have an RDP session somewhere that’s logged in and locked ?
architectofinsanity@reddit
“Should”
hybrid_muffin@reddit
Yep. The DC will reveal the source of the lockouts, so you at least know the device, then you can go from there and audit the logs of the device in question.
Pyro919@reddit
Tagging onto this, I've seen people set up automated processes on servers using their creds instead of a service account, and when they change their password those scheduled tasks, depending on the frequency and number of retries, can wind up causing similar problems too. If they're in accounting, IT or reporting I'd be asking whether they might have any scheduled tasks anywhere that might be using old credentials.
Jazzlike_Pride3099@reddit
WiFi on phones, outlook on phones... That's our 97% on that, we have an automated unlock on password not working cases and a standard reply on how to change those. With a disclaimer that if the users haven't recently changed password to call us to check what's going on
inamamthe@reddit
I'm very guilty of this 😅
ArmAble@reddit (OP)
Thank you! We do not have 802.1x Wi-Fi, well, we haven't in a long time. I will check to make sure he doesn't still have that old Wi-Fi network on his phone. I did send a request this morning to our parent company IT team to see if I can get a look at the DC.
BrentNewland@reddit
You don't even need access to the DC, you just need them to look up the logs for you.
The logs in question are probably only in the Security log on the Primary Domain Controller.
You need event ID 4625 with that user's name. That should tell you the source of the lockout. If it points to a router or firewall, you will need to have them look at the logs for the router/firewall.
Expensive-Bed3728@reddit
This is an easier way in PowerShell:
$username = Read-Host "Please enter username here"
# 4740 is written on the DC that processed the lockout; run this there (or against it)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4740 } -MaxEvents 1000 |
    Where-Object { $_.Properties[0].Value -eq $username }
# Properties[0] is the locked account, Properties[1] the Caller Computer Name
$events | Select-Object -Property TimeCreated,
    @{Name='Account'; Expression={ $_.Properties[0].Value }},
    @{Name='CallerComputerName'; Expression={ $_.Properties[1].Value }}
BrentNewland@reddit
4740 is just the notification that the account was locked out.
Your PowerShell only looks for 4740. And viewing it in PowerShell is not as user friendly as doing it in Event Viewer.
Expensive-Bed3728@reddit
You're so confident and yet so wrong. Please see attached screenshot. And I prefer powershell because I can grab only the relevant information I'm looking for. See attached screenshot.
BrentNewland@reddit
I just looked up the logs on our server. 4740 reported the calling computer name as our primary domain controller. 4625 has the PDC as the workstation name, but then gives the IP address and port that is the source of the lockout, which is our VPN firewall.
Also, 4740 only reports the lockout event. If there are multiple sources, it won't reflect that. 4625 is generated for every single failed login attempt, which allows you to correlate the times with logs from other systems.
Just looked up all 4740 logs and they all point to the PDC as the Caller Computer Name. I'm guessing if the lockout source is not a Windows PC, it will report the PDC as the lockout source.
ih8schumer@reddit
Interesting in my environment it gives me the hostname of the computer the lockouts came from.
BrentNewland@reddit
So if the lockout source is something like 365, or something authenticating via LDAP, or anything that isn't a Microsoft process on a Windows computer, I'm guessing it will show the PDC as the caller computer.
Either way, 4740 is not a very useful event when troubleshooting lockouts. 4625 gives a lot more information.
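To make the 4740-versus-4625 discussion above concrete, here is an added example (not code from either commenter) that pulls the lockout event and the failed-authentication events around it for one account and prints the source fields each one carries. It assumes the RSAT ActiveDirectory module and read rights on the DC Security log (Event Log Readers is enough), a hypothetical file name `Find-LockoutSource.ps1`, and a placeholder username. Two events the thread does not mention are included on purpose: on a domain controller most bad-password attempts from a workstation land in 4771 (Kerberos pre-auth failed, status 0x18) or 4776 (NTLM credential validation failed, status 0xC000006A) rather than in 4625, and those are logged on whichever DC answered, not only on the PDC emulator, hence the `-AllDCs` switch.

```powershell
# Added example, not the thread's own code: find what is locking one account.
# Pulls 4740 (lockout) plus the failed-auth events that cause it from the DCs
# and prints the source fields. Assumes the RSAT ActiveDirectory module and
# read access to the DC Security log (Event Log Readers is enough).
param(
    [Parameter(Mandatory)][string]$User,   # sAMAccountName, e.g. jsmith (placeholder)
    [int]$Hours = 24,
    [switch]$AllDCs                         # 4771/4776 land on whichever DC answered
)

# Read a named EventData field from the XML so we never guess Properties[] indexes
function Get-EventField {
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$pdc = (Get-ADDomain).PDCEmulator
$dcs = if ($AllDCs) { (Get-ADDomainController -Filter *).HostName } else { @($pdc) }
$filter = @{ LogName = 'Security'; Id = 4740, 4625, 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }

$rows = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        if ((Get-EventField $e 'TargetUserName') -ne $User) { continue }
        # 4776 is also logged for successful NTLM validations (Status 0x0); skip those
        if ($e.Id -eq 4776 -and (Get-EventField $e 'Status') -eq '0x0') { continue }
        switch ($e.Id) {
            4740 { $src = Get-EventField $e 'TargetDomainName'   # "Caller Computer Name"
                   $why = 'account locked out' }
            4625 { $src = '{0} {1}:{2}' -f (Get-EventField $e 'WorkstationName'),
                                           (Get-EventField $e 'IpAddress'),
                                           (Get-EventField $e 'IpPort')
                   $why = 'logon type {0}, substatus {1}' -f (Get-EventField $e 'LogonType'),
                                                             (Get-EventField $e 'SubStatus') }
            4771 { $src = '{0}:{1}' -f (Get-EventField $e 'IpAddress'), (Get-EventField $e 'IpPort')
                   $why = 'Kerberos pre-auth failed, status {0}' -f (Get-EventField $e 'Status') }
            4776 { $src = Get-EventField $e 'Workstation'
                   $why = 'NTLM validation failed, status {0}' -f (Get-EventField $e 'Status') }
        }
        [pscustomobject]@{ Time = $e.TimeCreated; DC = $dc; Id = $e.Id; Source = $src; Detail = $why }
    }
}

$rows | Sort-Object Time | Format-Table -AutoSize
"`nFailed attempts by source:"
$rows | Where-Object Id -ne 4740 | Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name
```

Usage: `.\Find-LockoutSource.ps1 -User jsmith -Hours 48 -AllDCs`. A 4740 whose source is the PDC itself, paired with 4771/4776 rows whose IP or workstation is a VPN concentrator or a wireless controller, is the pattern several commenters describe: the DC is only the last hop, and the next log to read belongs to the device named in the failed-auth rows.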
Fake_Cakeday@reddit
Tried a revoke session or a revoke sign-in for the user?
Both need user administrator Azure domain he is in. If there is a lower built-in privileged role I do not know it.
Gawdsed@reddit
$from = "ADLockoutReports@xx.xx"
$to = "your.email@xx.xx"
$smtp_host = "mailserver.xx.xx"
$subject = "AD Lockout Events Report"
# Getting the PDC emulator DC (needs the RSAT ActiveDirectory module)
Import-Module ActiveDirectory
$pdc = (Get-ADDomain).PDCEmulator
# Creating filter criteria for events: lockouts (4740) from the last day
$filterHash = @{LogName = "Security"; Id = 4740; StartTime = (Get-Date).AddDays(-1)}
# Getting lockout events from the PDC emulator
$lockoutEvents = Get-WinEvent -ComputerName $pdc -FilterHashTable $filterHash -ErrorAction SilentlyContinue
# Building output based on advanced properties (0 = locked user, 1 = caller computer, 4 = DC)
$body = $lockoutEvents | Select-Object @{Name = "LockedUser"; Expression = {$_.Properties[0].Value}}, `
    @{Name = "SourceComputer"; Expression = {$_.Properties[1].Value}}, `
    @{Name = "DomainController"; Expression = {$_.Properties[4].Value}}, TimeCreated
$bodyString = Out-String -InputObject $body -Width 200
Send-MailMessage -From $from -To $to -Subject $subject -SmtpServer $smtp_host -Body $bodyString
Dry_Competition_684@reddit
I have seen this countless times.
31nz163@reddit
I'm also guessing this could be the answer. At my last workplace I fixed this multiple times by simply deleting corporate SSIDs from users' devices and letting the policies regenerate them all.
ThesisWarrior@reddit
This. Almost 100% of the time.
Cr1msonGh0st@reddit
SIEM access so you can see ALL the DC logs, even more helpful.
MeatBag23@reddit
It always seems to be 802.1x with that many lockouts. Always when the remote guys come into the office for the week.
masterflashterbation@reddit
Absolutely this. I ran into similar situations escalated up to me and it was pretty much always a device with a bad password that the user insists can't be the problem.
jlbp337@reddit
Was going to say, had this issue before and it was a phone Lol
-B1GBUD-@reddit
You don’t use passwords if you’re using dot1x, usually the machine will present a certificate or the user/machine is a member of a group. If you’re using ISE (identification services engine). You’re gonna need to check the Radius logs and the DC to check why auth is failing. If the device is Azure or hybrid joined, you’ll need to check the authentication logs in AZAD.
Rudager6@reddit
Or is your VPN set up using LDAP and set to always on? Is it then trying to constantly reconnect when they're in the office? Could it be getting to authenticate but then failing after that because it's on an internal network?
icansmellcolors@reddit
^ This post is 100% correct.
It's probably a wifi device attempting to login over and over with an old password.
Tell them to 'forget' every company wifi SSID on all their devices, laptop included, and then it will most likely stop.
If not then someone's password was saved on a mapped drive or some network resource somewhere.
If you want to really get into it then search their network login on the DC controller/s' Event Viewer/Windows Logs in order to see the actual lockout errors and it should tell you what the name of the device they're attempting to login from.
Good luck.
Essa_ea@reddit
Had a similar issue like this before, but the user worked on a workstation on premises. They got locked out constantly. After checking the event logs it turned out he had multiple sessions active on different workstations, so I ran a PowerShell command from the domain server to log him outta all sessions.
dawg4prez@reddit
I’ve seen this when the user has a VM or system where they have their old login cached. E.g. a mapped drive. Usually it’s a developer using a devtest system.
owenthewizard@reddit
RemindMe! 1 day
menormedia@reddit
Use psexec to check for hidden credentials
Glass_wizard@reddit
Most common culprit I've seen is a simple mapped drive saved with cached credentials. Next bet would be an application making an authentication call with cached credentials.
TEverettReynolds@reddit
99% of the time when I see this, its the users phone, or iPad, or whatever they pointed at o365 to check their mail.
99%.
Fa1alErr0r@reddit
I had a user that was waking their computer up from a black screen by spamming the enter key until it showed them their login screen. By then, they had locked themselves out. Took me weeks to figure that one out.
Demonbarrage@reddit
+1
Had a user where this was occurring & they said it had been happening for over a year. It was an old email account on their personal phone.
psych0fish@reddit
O365 removing http basic auth was a godsend for this issue
afwmftw@reddit
This, all the time, I'm locked out or keeps happening... Have you changed your password recently? Yes, why? Did you also change it on your work iPhone, No! Okay do that and tell me if it happens again, 9 times out of 10 I never hear from them about this issue, till they change their password again, cycle repeats
Sonic_Is_Real@reddit
RemindMe! 14 hours
Sonic_Is_Real@reddit
Remindme! 24 hours
Bernie_Dharma@reddit
I’ll just throw this out here because I see it all the time. If you have o365, you also have Azure AD (now Entra). If you are using pass through authentication to your on premises AD controllers and someone is trying to brute force a users password, it will lock the on prem account.
Check your Azure AD security dashboard for suspicious log ons as well as log on attempts.
Check your lockout policy so Azure AD locks before your on prem does.
Consider using password hash sync instead of pass through.
There are some additional controls you can use in Azure/Entra AD around conditional access as well if you have a p1 or E3 license.
Key-Brilliant9376@reddit
I had this happen before and it's likely some cached credentials somewhere that you'll struggle to find. Just change the user logon name... Not a new account, just change the name it uses to logon. For example, if it is currently firstname.lastname change it to firstnamelastname (no dot). That's how I fixed it.
psiphre@reddit
this is the way
ih8schumer@reddit
If you're bad at your job sure. Changing someone's username will fix the issue.
psiphre@reddit
bold of you to assume that logs haven't already been exhaustively searched. it's the same as reimaging the laptop instead of spending hours tracking down what weird issue is causing the undesired behavior. some things aren't worth the time to track down. if both you and the user have no idea what non-domain joined device is hammering the account, what do you want me to do? walk to his house and turn over every couch cushion with a wifi detector in my hand and play needle in a haystack about it? i can't make the user remember what device he logged into with his credential four years ago.
ih8schumer@reddit
You could go into Azure and review sign-in logs. You could remove devices associated in Exchange. If you're using Intune as you should be, or some other MDM, you can use that to disable device access. Plenty of valid options to explore, not a single one of them being rename the user account. Shouldn't be letting uncontrolled personal devices hit your domain.
psiphre@reddit
i'm not using azure or exchange online :) i'm all on-prem.
19610taw3@reddit
It's always cached / saved credentials.
Whenever this happens to an enduser where I am - I always have them clear saved credentials on any recently accessed systems. It's usually something hammering on a saved unc share or something.
rynonomous@reddit
Had this happen a week ago for a user. I just deleted all the cached credentials and rebooted their computer. Issue resolved.
Key-Brilliant9376@reddit
On larger networks, it can become almost impossible to find where the cached credential is stored. My way is simply an easy way out.
ih8schumer@reddit
Your way is shitty sysadmin way. Any calls to AD locking the computer will record to event log 4740 which includes a source caller computer field. Very simple to track down. Identifying the actual cause on the computer may be difficult, but never for lockouts in my 13 year career have I changed someone's username for lockout issues that's absurd.
rynonomous@reddit
For sure. I'm putting that in my back pocket just in case. I work for an msp and this client was medium sized. In my instance, this is how I did it. For our bigger clients, I like your quick fix.
ih8schumer@reddit
Thought I was in shitty sysadmin for a second. Y'all really don't know how to search ad for a lockout attempt from a domain computer. That's just incredible to me. Use powershell to filter by username and date the id you are looking for is 4740 which includes a source caller computer name. If it's blank it's a non domain joined device causing issues so think VPN or mobile device.
nbfs-chili@reddit
Yes, cached credentials. In our case the user was still logged into a conference room PC, and had recently changed their password. So the conference room PC kept locking the account because it was using the old password.
Nandulal@reddit
This here
jaybirbx@reddit
Yep this worked for me too. Just added a "1" to the end of their username and they stopped having the issue.
Key-Brilliant9376@reddit
It's one of the times where you learn to stop chasing after the cause and just fix the issue instead.
thereisonlyoneme@reddit
Glad you got access to the DC. That is what I was going to suggest. A couple things I have seen before:
The user set a service to use their credentials. That password expired and the service credentials were never updated. Every time the service tries to start, there is a failed login. That's why using those credentials is a no-no but users don't know that.
This probably doesn't apply to you, but if the user does not extend it, our privileged access management system expires admin accounts after a couple hours. There were a few instances of the user starting an hours-long task with those credentials but not extending the expiration. Again, at some point that task is going to try to login with an expired password.
TechMeOut21@reddit
All great suggestions on what could be causing it in this thread, but the only advice you need to follow is to go to the DC team and get the logs. It's the natural progression for troubleshooting and anything else is just wasting your time and creating a worse experience for the user.
superapeman@reddit
Aggregate all 4740 events to somewhere like solarwinds, sharepoint or your siem. Call it a lockouts dashboard and you’ll have an easier time dealing with this crap.
Pixxel_Wizzard@reddit
Does the firewall support remote VPN? It could be brute force attacks on the VPN and one of the usernames used in the attacks matches their AD account. Go through the Event Viewer and look for the blocked login attempts.
current_thread@reddit
RemindMe! 3 days
echristm76@reddit
Have you tried to replace the keyboard and mouse completely ?
Tech_Veggies@reddit
I use the "lockoutstatus.exe" to trace the lockouts to the domain controller. I then review the logs on the DC and it will point to the device causing the issue. This has been very effective.
eggeto@reddit
If your users are hybrid, the user password from the on-prem AD can be different from the password in Azure AD (bad sync from the AD connector). Set the same password on both ADs.
monkeywelder@reddit
I had one years ago, same thing: three or four times a day this girl was locking up her terminal. We'd clear it, see it could work, an hour later locked back out. So finally I went up and watched her work. Within 3 minutes I figured it out. She had enormous tits and every time she would lean over across her keyboard it would lock the keyboard out. That's all there was to it. Moved her keyboard, problem cleared.
LonestarPSD@reddit
So a literal problem existed between the keyboard and chair?
dirtrunner21@reddit
Nice
TwistedJackal509@reddit
Interested. Having a similar issue.
redyouch@reddit
Change their samaccountname.
amishbill@reddit
I’ve seen this with saved drive mappings, but that should have been cleared when you cleared cred manager…???
justfdiskit@reddit
tl;dr - rename the user.
Haven’t seen this yet after scrolling thru a bunch of other comments, so I apologize if it’s already there.
Just changing the password allows a rogue login process to continue failing. This was actually a way we’d prank fellow sysadmins back when wheels were square and rocks were soft. It makes a kinda hamfisted DOS attack (pun intended) as well, but you need access to a login point to do it.
If you change the username, it keeps the same UUID/SID and profile on the account. Gets them back up and running. Future login failures don’t count against that SID (unless the rogue login process caches/uses the SID) (this was “next level” sysadmin fuckery) .
Gatorcat@reddit
Connect to MS Entra ID portal using a tenant admin account
Locate the user's account and examine the 'sign-in logs' events to get a better idea of what is going on with the user's account getting locked out. A malicious actor *may* be banging on the user's account or, most likely... they have a mobile device with an old password cached on it which keeps asking for access and eventually locks the account.
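The portal walk-through above, done from the Microsoft Graph PowerShell SDK so the failures can be grouped by source instead of scrolled through. This is an added example, not the commenter's code; it assumes the Microsoft.Graph module, an account that holds AuditLog.Read.All (Reports Reader or Security Reader suffices), and a placeholder UPN. Caveat that matches the rest of the thread: only authentications that reach Entra ID appear here, so an 802.1x supplicant or a mapped drive with a stale password against on-prem AD will not show up and still needs the DC logs.

```powershell
# Added example, not from the thread: list failed Entra ID sign-ins for one user and
# group them by IP, client app and device OS so a phone or mail client with a stale
# password stands out. Assumes the Microsoft.Graph SDK and AuditLog.Read.All;
# the UPN below is a placeholder.
param([string]$Upn = 'jsmith@contoso.com', [int]$Hours = 24)

Connect-MgGraph -Scopes 'AuditLog.Read.All' -NoWelcome

# Server-side filter on user and time window; failures are filtered client-side so the
# query does not depend on which operators the signIns endpoint accepts on status/errorCode
$since  = (Get-Date).ToUniversalTime().AddHours(-$Hours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$filter = "userPrincipalName eq '$Upn' and createdDateTime ge $since"
$fails  = Get-MgAuditLogSignIn -Filter $filter -All |
    Where-Object { $_.Status.ErrorCode -ne 0 }   # 0 = success; 50126 = bad username or password

$fails | Select-Object CreatedDateTime, IpAddress, AppDisplayName, ClientAppUsed,
    @{n='OS';      e={ $_.DeviceDetail.OperatingSystem }},
    @{n='Browser'; e={ $_.DeviceDetail.Browser }},
    @{n='Error';   e={ $_.Status.ErrorCode }},
    @{n='Reason';  e={ $_.Status.FailureReason }} |
    Sort-Object CreatedDateTime | Format-Table -AutoSize

"`nFailures by source (IP, client app, device OS):"
$fails | Group-Object IpAddress, ClientAppUsed, { $_.DeviceDetail.OperatingSystem } |
    Sort-Object Count -Descending | Select-Object Count, Name
```

A cluster of error 50126 from one IP with a legacy client app and a mobile OS is the "old password on the phone" case several commenters describe. Once the device is identified, `Revoke-MgUserSignInSession -UserId <upn>` from the same SDK (it needs a write permission beyond the read scope used here) forces every token holder to re-authenticate, which is the "revoke sessions" step mentioned elsewhere in the thread.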
fgc_hero@reddit
Ran into an issue similar to OP's, and this was the fix
Evening-Inevitable17@reddit
User may be logged in to conference room devices. These devices retry automatically without end. It will haunt the user until it loses network connectivity.
CPAtech@reddit
Are you sure the locks aren't coming from unsuccessful VPN attempts?
ArmAble@reddit (OP)
Unfortunately, yes. We used to use Ivanti (issue happened then), and we got rid of it after they started having all their security issues. We switched to a new VPN, and the issue persists, unfortunately.
Expensive-Bed3728@reddit
Run this in PowerShell:
$username = Read-Host "Please enter username here"
# 4740 is written on the DC that processed the lockout; run this there (or against it)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4740 } -MaxEvents 1000 |
    Where-Object { $_.Properties[0].Value -eq $username }
# Properties[0] is the locked account, Properties[1] the Caller Computer Name
$events | Select-Object -Property TimeCreated,
    @{Name='Account'; Expression={ $_.Properties[0].Value }},
    @{Name='CallerComputerName'; Expression={ $_.Properties[1].Value }}
This will filter the log and pull logs relevant to the username you are looking for and will list the caller computer; if it's blank your VPN is being attacked or it's a mobile device, most likely.
EViLTeW@reddit
This is irrelevant to what u/CPAtech asked.
If the issue is a brute force attempt, it doesn't matter what appliance you have or how many times you change it. We've had this problem a few times and have had to reengineer some things to block those attempts differently before the directory's intruder lockout kicks in.
AdminG@reddit
I've seen this too.
Automated VPN attempts were coming in from a globally distributed network. We are only US based.
Couldn't tell if they were attempting bruteforce or password spray from data collected in various outside breaches. Some user accounts attempted were current users, some were long departed users, some had never existed. Some matched email addresses that never existed but get lots of spam.
Connections were about 2 seconds apart. They continued with same username even when account was locked out after 10 attempts.
We'd geoblock a country, and within seconds attempts would resume from another country. Blocked over 100 countries before they slowed down, and eventually started coming from various residential ISP netblocks around the USA. Clearly a botnet of some sort.
Mitigations over time:
* Geoblocking VPN
* Changed username
* Switched to a VPN that has a preshared key in addition to user auth
* Required MFA for VPN
* Used Cert on computer as part of VPN auth
No more VPN induced lockouts since then.
Now the lockouts are all caused by:
*Mobile devices with outdated creds for email and wifi. Including Kindles that are "only used at home" (except for that one time 3 years ago they used it at work on wifi, and now happen to have it in their car next to the office, within wifi range)
*Mapped drives with outdated creds stored
*Services running as a user account (this is rarely done)
*User error
*Cloud services that Marketing dept started using without IT involvement.
MaleficentRiver5137@reddit
I come across this issue often, I work in a call center. It's usually due to the user still being logged into a previous device with old passwords, and the Office apps are still trying to auth with the old passwords and will cause a lockout.
What I do is go to the user profile in entra id, revoke all sessions then update password in AD
GusNiall@reddit
Sorry I read that as Uber! lol
Rotten_Red@reddit
Is there a mapped network drive with remembered credentials trying to use a previous password?
sirion00@reddit
This had tripped up our service desk guys many times.
WolfetoneRebel@reddit
First thing I would check tbh, check everything in credential manager as well.
KiNgPiN8T3@reddit
Along with this, other personal favourites are cached creds (Outlook would use them, lock the account and then ask for the password. Lol). Running a service with their account (had this with someone running Lansweeper on their laptop). Mail app on their phone trying old creds. Wireless connection trying cached creds. It's been a while so I'm not sure how many of these have been mitigated, but worth checking.
jazzdabb@reddit
For a regular user, this is the most likely answer.
supremeicecreme@reddit
This is indeed a good question! It'd also fail to map if the password is remembered incorrectly. Maybe on someone else's pc/account which is a different kettle of fish entirely!
rimekJE@reddit
On my previous work, users would "roam" and login to their user accounts around their offices, but they never log out, just lock and leave that desk, meaning logged in credentials would be cached. They'd change their password but that device still had old cached as it's still "logged" in, so it would lock them out
smoike@reddit
I had something similar. My work laptop was left at home and I had to change my password via my desktop due to expiry. I got locked out three times before the service desk checked and saw my laptop was still logged in and causing password fail events, locking my account. I had to call my wife, who was at home that day, and get her to turn my laptop off, and the problem was resolved.
bQMPAvTx26pF5iNZ@reddit
Not sure if it will help you specifically, but if you have an analytics workspace on Azure, you can use the following query in the 'Logs' section:
Wrong_Specialist709@reddit
You mentioned laptop, can you log into the device manager as admin and disable HID V2 under sensors option? This is something that I have noticed happened to our staff as they got newer laptops.
Firestorm83@reddit
what's in the logs?
LuciferDRKWatch@reddit
Had a similar issue few years ago. It was saved credentials in credentials manager.
Cleared everything in Windows Credentials and issue was resolved.
fellwell5@reddit
Is your company using nextcloud?
phoward74@reddit
Windows Account Lockout and Management tools can help with this.
0RGASMIK@reddit
Have seen this a few times. Printer network scan folder that uses the user account to authenticate; it was some janky software the printer driver came with, so it was checking the credentials every hour on the hour.
Another time was some software that was installed while the user had elevated permissions. Not sure what was going on with this one we just uninstalled the software.
Helpful_Friend_@reddit
From the edit it seems like you've already found something.
When I had something similar happen, all the failed requests came from his computer, and scouring its logs, it kept failing on GPOs with an error about wrong creds.
Never found the root issue. Ended up just re imaging the pc and it's not happened since.
GhostsOfWar0001@reddit
Clear out old items from credential manager, power off cold the device for about ten minutes and fire it back up.
Cruxwright@reddit
An anecdote to keep in mind when investigating the not employee's laptop. My boss once booted me out of an RDP session on a server. When mandatory password change came around, I was getting locked out constantly. My old session was still active weeks after the kick and using my old password. Reconnecting to the server and logging off properly fixed my account locks.
soundwavepb@reddit
I'm calling stuck old credentials on another machine that keep trying to authenticate and locking the account.
Struders@reddit
It'll be old credentials stored on a PC. Most likely they added a network share manually or something. That would be my guess.
Without DC access it's going to be a tough one to find. If all else fails just change their username, no need to nuke the entire profile.
TXGTO@reddit
Probably irrelevant but interesting. Had a user years ago whose password expired the moment they changed it. I watched them do this several times. In the end their last PW reset date was set to something like the year 2376. I calculated how many 30-day intervals were between then and the date listed. They were not amused at the idea of thinking up that many unique passwords. Managed to use an LDAP editor to fix it short term. The long-term fix was much more involved and not something that has to be done these days.
Library_IT_guy@reddit
Are you absolutely sure this isn't a PEBKAC? Have you been able to replicate the problem yourself with their account? Or is it just the user saying they have the issue?
ArmAble@reddit (OP)
Yes. I have taken their laptop for several hours, multiple times, and it just locks out constantly. I wish it was a PEBKAC issue, lol. That would make my life way easier.
null-character@reddit
Right but how do you know the laptop is causing the issue? Hint if you turn off the laptop and it keeps happening it is NOT the laptop.
Unotheserfreeright24@reddit
Might be a dumb question but do laptops truly "turn off" by default any more?
Superb_Raccoon@reddit
They do if you drive a stake through their weasley black hearts.
dontnation@reddit
If you actually shut them down, yes, they still "turn off". In Windows, network connected standby (S0 low power idle state) can make it appear "off", but it can still be active due to "activators" performing tasks in the background.
Nu-Hir@reddit
Have you tried powering off the laptop and seeing if the account still gets locked out?
idrinktoomuchredbull@reddit
Yeah I know what happened… Happened to my admin account and 2 other users I knew. I told my manager the credentials are cached on the DC and we need to reboot it one night, but he didn't listen…
Then we had a power outage and shut the servers down before the UPS ran out of battery, and then after the outage when we powered them back up… issue was fixed.
Most likely they're cached if the user isn't signed into:
- Wifi on their phone
- Another laptop
- Phone wifi/email isn't trying to authenticate via old password
Phrag15@reddit
Do you have a company WiFi that authenticates via AD credentials? We had a user doing the same thing; found out she had connected to it on her personal device and her password had been changed.
SM_DEV@reddit
From what OP has written, it can’t be local to his new machine or a corrupt profile on his new machine.
It has to be coming from another device, likely using cached credentials, such as an improperly recycled device formerly assigned to this particular user. It could be almost any device attempting to login to a local resource.
Starir_a_Hafid@reddit
This used to happen to me constantly.
Change your password, and about an hour later I’d have forgotten it, no matter what I did. Second time it’d work.
Finally got access to IT invoicing and realized I was not the only one. I always just figured that this was IT support securing themselves some extra cash. Reading the original, I guess not now?
Still, seriously: Paying IT support on case-to-case basis may be the dumbest idea ever.
265chemic@reddit
Probably someone caching credentials with the user's old password, which is hammering for auth. Maybe a proxy, possibly an obscure/unnecessary app if the user of the device they are cached on isn't screaming.
Wipe all cred manager / keychains from the device causing the lockouts. If no joy, keep digging or reimage.
Golden_Dog_Dad@reddit
I've seen this twice in my career. One was a user with a laptop infected with malware.
The other was an account that was used as a service somewhere and the password for the account had been changed, but the service was not configured to use the new password.
painefultruth76@reddit
Per update... cyber stalker?
RebootItAgain@reddit
Grab ADAudit from ManageEngine as a trial. Install it and you should be able to find the reason fairly quickly.
StraightAct4448@reddit
I thought this was going somewhere very different based on the title lol
ChildrenotheWatchers@reddit
Probably not this mundane, but a few years ago I worked at a place where an employee was having this problem. Someone on the night janitorial staff (a contractor, not an employee) was using the keyboard and trying to guess the person's password to break in. Failed tries caused the lockout, but since it was only happening on the days AFTER the cleaners worked, the manager got suspicious. He spoke to the cleaning company's manager, and although he had no video proof, it suddenly stopped after that.
hiirogen@reddit
Disable wifi on any phones and or tablets they carry.
Comprehensive_Comb62@reddit
I had an issue similar to this: we have a print server and we'd let users access it to add printers, then they'd change their password and somehow the printer would use this old password and lock it out. Or it would happen to me when I'd RDP into a server and just close the window instead of logging off from cmd.
thortgot@reddit
The IP address may or may not be a reliable indicator of the hostname.
The event log from the security ID is a better indicator.
Certain-Community438@reddit
The MS Account Lockout toolkit covers it all.
But you need an AD admin to do it. (I'm using shorthand here: it's possible for someone to have the required fine-grained permissions & network layer access).
Essentially though, it's a job for a domain admin to identify the source device using LockoutStatus.exe & EventCombMT.exe. If you then can't find the source within that device, blow it away & rebuild it. Life's too short to look for a needle in a haystack.
lkovach0219@reddit
Sounds like maybe they changed their password recently but forgot to update something that uses it. Now something is trying to log in and can't because it still has the old password.
pegLegP3t3@reddit
See if they gave an old phone or tablet to a relative and never took their work email off, then changed their password. The old device would try to authenticate and this would happen.
cbelt3@reddit
I used to have this problem. I was locking my laptop and carrying it open, with my arm touching the keyboard and trying to log in for me.
The other symptom was one of our cats walking all over the keyboard when the computer was locked.
Now I just close the lid.
steveb703@reddit
Along these same lines I had a user who would be locked out every morning. Turns out that to wake the pc up in the morning they would continuously hit the enter key.
thedarklord187@reddit
Nah, elevate this shit to the systems team and let them sort it out; they have DC logs and can figure out what's locking the user pretty much within 5-10 minutes.
Brilliant_Pomelo609@reddit
Keyboard is faulty
Jeremy_Zaretski@reddit
If you want to see if it is an issue with the user's account, then have them log onto a new computer and create a new profile. See if the issue happens on that new computer. If the issue does not occur, then recreating the user's profile may be the only solution.
It is possible that there is some background process associated with the user's profile that is attempting to authenticate using incorrect saved credentials. We had a user a few years ago who was experiencing the same issue. When they created a new profile on a different computer, they did not experience the issue. When we migrated their old profile from their old computer to a new computer, they started to experience the issue again.
SilentSamurai@reddit
Check their phone. Outlook/Teams apps, native email app. Those may be holding old passwords.
BoltActionRifleman@reddit
We went from a 6 week password change requirement to once a year, this same issue has all but vanished for us. It was almost always the phones causing it.
mithoron@reddit
The windows "mail" app is brutal on this front. It seems to spam connection attempts and can trigger a lockout faster than any other single app I've seen. I could see this getting triggered by a live tile in the start menu trying to update and adding up to the numbers OP is reporting real easy.
AdminG@reddit
Since Microsoft makes this the default windows Mail app, even if they have Outlook, and it has a similar icon with an envelope, users often open or configure this by accident. And then go back to Outlook.
Which works fine, until they change their password.
Mail app grinds away in the background trying to authenticate with old creds, causing lockouts.
But I thought the mail app was supposed to have been discontinued and removed automatically by now.
BrainWav@reddit
You can opt-out on 10, but it's getting incessant. I have to reset it back to the old app almost daily at this point, since all I want is the calendar with a live tile. I don't need or want mail in an application.
Weird_Lawfulness_298@reddit
Yep, and depending on how they log in to WiFi (if you are authenticating with AD), an old saved password on a phone can cause a lockout because it will try over and over to connect.
3rd_Shift_Tech_Man@reddit
I used to battle this every time my PW retention period was up. There was always a phone, remote session, etc somewhere locking me out.
Scuzzbopper5150@reddit
I definitely like the Log into a different computer idea.
Also, do you have company cell phones?
Environmental_Pin95@reddit
Nerve issues, bad keyboard, USB slot going bad or rusty or full of dust. Or use Windows Hello or buy a thumb biometric device to have him log in.
Environmental_Pin95@reddit
Also happens when logged into many other computers and logged into outlook on those many other computers. Reboot all computers he has touched then issue should go away
sambodia85@reddit
I don’t generally like Lansweeper, but one thing it does a great job of is showing all the other places a User is logged in, especially great with Admin accounts.
JabbaTheHutt1969@reddit
9 times out of 10 we find it to be their cell phone logging in to wireless with the wrong password and disabling the account.
photosofmycatmandog@reddit
"We use O365 and no longer use on-prem Exchange, so it's not email related."
You have many tools with Entra to dig down and figure out where the lockouts are coming from.
artekau@reddit
You could rename the user's account username; this would stop the issue and break whatever the system that is locking it out is doing.
xlerate@reddit
Keyboard key?
Rahl55@reddit
Flashback to old IT days when someone had an iPhone or Android trying to sign into Android or Apple mail, and those clients would bang on the auth over and over again, locking out the account.
Liam_Gray_Smith@reddit
good story, would love to find out what happens
fishermba2004@reddit
Windows account lockout tool
beuyau@reddit
80% of the time an issue like this is escalated to me, it’s due to a smartphone constantly trying to auth with outdated password
Y_TheRolls@reddit
This is something that I've had to work on a few times. 5/6 times they had an active session on a device that had cached their old password. Find out what device still has an active session for their user ID and restart it, then unlock the account in AD.
The one time it wasn't that, was a user who had memory issues and would reset their password any time they forgot, while never using VPN to reach the office network. So their password would fall out of sync and they would lock themselves out.
Catdaddyx2@reddit
Phone passing through old password to connect to company WiFi?
David2667@reddit
I've seen this happen with Credential Manager on the computer. I cleared out the creds and that fixed it.
Jezbod@reddit
Have you got the account lockout status tool? It is very useful to find which DC locked the account.
TheBestHawksFan@reddit
They probably signed into a computer that is not theirs before changing their password to whatever it is now. The device is likely on and sending a bad credential to the DC, all the time.
Lukage@reddit
I'd actually suggest it's more likely. Have you checked the 365 logs and ensured it's not something as simple as 365 login attempts?
Frothyleet@reddit
Their domain account wouldn't lock from that unless they are using federation or pass through authentication. Default entra sync settings (or no sync) wouldn't cause lockouts.
Secret_Account07@reddit
I’ve run into this. There are several scenarios which others have all commented.
DC or O365 portal. Gotta get logs and IP of service.
zcworx@reddit
Do you have access to the security group's SIEM, or at bare minimum, can you request from the security group where they are seeing logins coming from?
fabian1313@reddit
iPhone or iPad connecting to the local WiFi with an expired network password
tjman1701@reddit
90% of the time I've come across this issue, it's what you mentioned or a Kindle.
timsstuff@reddit
One time I found the culprit was the built-in Windows Email app (not Outlook) that the user had mistakenly setup to check their email and their password had changed.
Also delete anything related to their domain login in Credential Manager, in most cases the current logged in user creds should pass through instead of being stored there.
jocke92@reddit
Check if this is happening when the user is out of the office and the computer is offline. If not, it's in the computer. Does this user use any special apps that are authenticated to AD? I think you have to look at special applications.
Contact the infrastructure team and have them look for the lockout event ID
td_husky@reddit
You’ve ruled out office 365 causing the domain lockouts incorrectly.
Either way, You should get the event log info from a domain administrator to solve this.
dustojnikhummer@reddit
Device with cached credentials (or a script) is my guess. You will really need Domain Controller logs for this.
karmak0smik@reddit
Dive into event manager to see authentication logs.
RunJumpJump@reddit
Lots of good suggestions here. One other I've seen is where the user was a developer and they hard coded their credentials into some process as a "test" but never removed it. Several months later after a password change, suddenly their account would be locked intermittently because the app they were working on was put into production and they never replaced their creds with an appropriate service account.
Commentator-X@reddit
My first guess would be a mapped drive using explicit credentials. I've seen it before. It can also happen if your Outlook or other office app has an old cached password.
Spice_Cadet_@reddit
Typically when I see this it's cached older credentials for a network drive mapping.
Dosyaff@reddit
As some of the other people mentioned. He is probably logged in somewhere.
I had a similar issue where I never logged out of RDP sessions. After changing my password, the "disconnected" user tried to "log in" on the computer which wasn't logged out.
PikachuDoesIT@reddit
Have you wiped the credential manager of all old Windows/Office/O365 entries?
alecC25@reddit
Are there multiple domain controllers spread across the offices? They may not be communicating properly
First_Jam@reddit
Have a look at the Security logs on your DCs to see where the login attempts come from! There's a tool "lockedout.exe" which tells you which DC locked the user!
ev1lch1nch1lla@reddit
We use the Netwrix account lockout examiner for situations like this.
greenwas@reddit
Lockouts happen due to failed logons.
1) Is your environment configured to log failed and successful logon events?
2) Have you reviewed all logon events for this user? EventID 4624 should tell you everything you need to know, e.g. when, what type (network, interactive, etc.), and from where (IP address) the logons are coming.
3) See 1 above. You will never see a certain type of event log if the environment isn't configured to log it.
4) You have an issue that's been occurring for a year. If you haven't managed to loop in the appropriate resources to review event logs from the DC (all of them) then there are much larger issues at play.
cptaxelb@reddit
I second this, check for failed authentication events rather than "lockout" events.
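Added example, not code from any commenter in this thread: the DC-side query a domain admin (or an account in Event Log Readers on the DC, with remote event log access open) would run to answer the comments above. It reads the PDC emulator, which receives a copy of every lockout (4740) and every bad-password attempt in the domain, and pulls 4740 (lockout, with the caller computer name), 4771 (Kerberos pre-auth failure, status 0x18 = wrong password, with the client IP) and 4776 (NTLM validation failure, 0xC000006A = wrong password, with the workstation name), then counts failures per source. The field names are the ones in those events' XML; `$User` and the look-back window are assumed placeholders, and the script needs the RSAT ActiveDirectory module.

```powershell
<#
  Added example, not code from the original thread.
  Run as a domain admin (or Event Log Readers on the DC) from a machine with RSAT.
  $User is an assumed placeholder.
#>
param(
    [string]$User         = 'jdoe',
    [int]   $LookbackDays = 3
)
Import-Module ActiveDirectory
$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddDays(-$LookbackDays)

function ConvertTo-EventData {
    # Return the <EventData><Data Name="..."> fields of an event as a hashtable so
    # the script can address them by name instead of by fragile positional index.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

Write-Host "`n== badPwdCount per DC (this attribute is not replicated, so ask each DC) =="
Get-ADDomainController -Filter * | ForEach-Object {
    $u = Get-ADUser $User -Server $_.HostName -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
    [pscustomobject]@{
        DC          = $_.HostName
        BadPwdCount = $u.badPwdCount
        LastBad     = $u.LastBadPasswordAttempt
        LockedOut   = $u.LockedOut
    }
} | Format-Table -AutoSize

Write-Host "`n== Lockouts and bad-password events for $User on $pdc (last $LookbackDays days) =="
$hits = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
            LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since
        } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = ConvertTo-EventData $_
        switch ($_.Id) {
            4740 {  # Account locked out. The "Caller Computer Name" that Event Viewer
                    # shows is carried in the TargetDomainName field; it can be blank.
                if ($d.TargetUserName -eq $User) {
                    [pscustomobject]@{ Time = $_.TimeCreated; Event = '4740 lockout';
                                       Source = $d.TargetDomainName; Detail = '' }
                }
            }
            4771 {  # Kerberos pre-authentication failed; Status 0x18 = wrong password.
                    # IpAddress is the client (::ffff:a.b.c.d for IPv4).
                if ($d.TargetUserName -eq $User -and $d.Status -eq '0x18') {
                    [pscustomobject]@{ Time = $_.TimeCreated; Event = '4771 Kerberos bad pw';
                                       Source = $d.IpAddress; Detail = "preauth=$($d.PreAuthType)" }
                }
            }
            4776 {  # NTLM credential validation; Status 0xC000006A = wrong password.
                    # Workstation is the client name as it presented itself.
                if ($d.TargetUserName -eq $User -and $d.Status -eq '0xC000006A') {
                    [pscustomobject]@{ Time = $_.TimeCreated; Event = '4776 NTLM bad pw';
                                       Source = $d.Workstation; Detail = $d.PackageName }
                }
            }
        }
    }

$hits | Sort-Object Time | Format-Table -AutoSize

Write-Host "`n== Bad-password attempts per source (top entry is the device to go and look at) =="
$hits | Where-Object { $_.Event -ne '4740 lockout' } |
    Group-Object Source | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Last'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
```

The per-DC badPwdCount table tells you which DC is absorbing the failures even before you read any events, and the interval between 4771/4776 entries is itself a fingerprint: a phone or mail client retries every few seconds, a scheduled job or printer scan on a fixed clock, a person by hand irregularly. A source that shows as the NPS or VPN server's address rather than the laptop means the attempts are arriving over RADIUS, and that server's log is the next stop.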
HerfDog58@reddit
My vote is for old credentials cached somewhere - mail on mobile device, or manual drive mapping, or something in the Windows or Web Credentials applet in Control Panel.
In addition to having the user login to a different machine they've never logged on before, have another user login at his problem device, and see if they have similar issues.
PedroAsani@reddit
Bet $1 it's their phone
blackbeardshead@reddit
Yup. I just review all sessions and it works, but open tabs on an Android phone.
E__Rock@reddit
When my organization sees this especially with multiple domains, it's because that user logged into some other device other than their daily device and the credentials are failing because of a password change, etc. Two ways you can tackle: You can look in LAPS or the domain controller and check the event log as there is a specific error code that shows login errors and their root origin. You can also disable any devices in O365 admin if your organization is a MS organization.
Megafiend@reddit
Try a new local user profile or a temporary device (leave the standard workstation off); could be an app or network share with cached creds trying to authenticate.
Check with the user for any mobile Outlook apps and the like. I've seen bad Apple Mail accounts trigger similar.
Escalate to someone with DC access to investigate failed logins. If you're just looking after endpoints and users, you may not be able to resolve it.
Wolfram_And_Hart@reddit
Check for stored credential keys in the regular and hidden hive. It’s probably there.
BrilliantEffective21@reddit
We replaced the computers that sourced the lockouts. Zero issues after.
SlappyKippy@reddit
Do they have an Outlook profile in cached mode? If so, then it's worth removing cache mode just to rule it out.
Durzel@reddit
I had this exact problem and eventually tracked it down to out of date cached credentials on the user’s computer.
I used this app (official MS app) to track when the last bad password was entered, and the count, and saw that for the affected users it was incrementing even when they weren’t at their machine.
I followed the instructions (the accepted solution) here: https://serverfault.com/questions/811930/gpupdate-failing-due-to-ldap-bind-issue
blackbeardshead@reddit
User support here. Revoke sessions in Endpoint and move on, and I've never seen it reoccur after that as well. My non-technical explanation is something is stuck; kick it all out and start fresh.
DK_Son@reddit
Does the laptop stay on and docked overnight in the office, every night? If so, does Event Viewer show lockouts through the night? If so, can you have them turn the laptop off at the end of the day, then check the logs the next day to see if they got locked out overnight? If they didn't get locked out overnight with the laptop off, double check/clear Credential Manager on their laptop. And then check the NPS/RADIUS server logs. It might be an NPS policy locking them out.
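Added example, not code from any commenter in this thread: the NPS-side check the comment above points at. NPS writes every reject to the Security log as event 6273; reason code 16 is a bad user name or password, and CallingStationID is the supplicant's MAC address for 802.1X Wi-Fi, so this names the phone or tablet replaying the old password even though the DC only ever sees the NPS server as the source. The field names are the ones NPS puts in the 6273 event XML; `$User` and the look-back window are assumed placeholders, and the script runs on (or against) the NPS server with rights to read its Security log.

```powershell
<#
  Added example, not code from the original thread.
  Run on the NPS (RADIUS) server with rights to read its Security log.
  $User is an assumed placeholder.
#>
param(
    [string]$User         = 'jdoe',
    [int]   $LookbackDays = 3
)
$since = (Get-Date).AddDays(-$LookbackDays)

$rejects = Get-WinEvent -FilterHashtable @{
               LogName = 'Security'; Id = 6273; StartTime = $since
           } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull EventData fields by name rather than by positional index.
        $d = @{}
        foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        # SubjectUserName arrives as DOMAIN\user or user@realm depending on the supplicant,
        # so match on the bare user name. ReasonCode 16 = credentials mismatch.
        if ($d.SubjectUserName -like "*$User*" -and $d.ReasonCode -eq '16') {
            [pscustomobject]@{
                Time   = $_.TimeCreated
                MAC    = $d.CallingStationID   # supplicant MAC (Wi-Fi) or switch port (wired)
                SSID   = $d.CalledStationID    # AP MAC:SSID on most controllers
                NAS    = $d.NASIdentifier      # the AP / controller that forwarded the request
                Client = $d.ClientName         # RADIUS client friendly name configured in NPS
                EAP    = $d.EAPType
                Policy = $d.NetworkPolicyName
                Reason = $d.Reason
            }
        }
    }

$rejects | Sort-Object Time | Format-Table -AutoSize

Write-Host "`n== Rejects per device MAC for $User (last $LookbackDays days) =="
$rejects | Group-Object MAC | Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'Last'; e = { ($_.Group | Sort-Object Time)[-1].Time } }
```

Current phones present a per-network private MAC rather than the hardware one, but it is stable for a given SSID, so the count per MAC still maps to one device; the SSID and EAP type columns separate a personal phone on the corporate SSID from a corporate laptop whose stored PEAP profile is stale.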
NoZZsTend0@reddit
This happened to me, and it ended up being a printer that was shared from a server. I deleted the printer, and it stopped the lockouts. It made no sense because I had changed the pwd prior, and this didn't happen. Delete all shared printers from their computer and re-add. It's worth a shot if you have tried everything else like I had, including deleting everything from Credential Manager.
aries1500@reddit
I've had this happen before a couple times, one was Outlook logged in on another device, the other was a bad keyboard. I would view all the login attempts and see if they are indeed the device they are using.
therealRustyZA@reddit
Damn. Reading this triggered my PTSD. Years back I had a user like this. Account would get locked at random. Went a similar troubleshooting route. Went to her machine and stood by her. Couldn't figure it out. As she saw me off she wanted to go to the kitchen. and then I saw. When she pushes her chair in, the arm rest goes over her keyboard just enough that the enter key on the numpad gets triggered.
Told her to be careful, never heard from her again.
mouthbreatherguy@reddit
Have you ruled out a petty coworker submitting bad creds just to fuck with them?
bws7037@reddit
Give the user an etch-a-sketch.
packagedeliverer@reddit
Go to Windows saved credentials and delete them all. Could happen if the user simply refused to accept a certificate. Another issue could be vpn if you have multiple instances that need to be kept in sync.
LawfulnessUpbeat2924@reddit
On their account settings there's an option to log out on all devices; might be worth a try.
Also, when we run into this issue, it can be Teams or Outlook on their phone trying to use an old password.
BamaTony64@reddit
Turn their phone, tablets and all that off and see what happens.
VolcanicBear@reddit
I experienced this with someone testing a docker pull secret then forgetting.
moistpimplee@reddit
I found out after going through everything that the reason why one user kept getting locked out was someone was brute forcing their MFA onto the VPN....
chrisr01@reddit
I've seen something similar, and it ended up being a saved credential for outlook in their credential manager.
thepottsy@reddit
Similar, but it was for Sharepoint.
TamarKaiz@reddit
Someone has beef with the dude and locks him out from another computer on the domain?
Bright_Tangerine_557@reddit
Is this a domain account?
At my last job, we saw users get locked out because they would log into machine A, then lock their session.
They would log into machine B then they would reset their password.
Since machine A was still logged in with the old credentials, it would trigger a lockout due to it periodically checking in with the old credentials.
This would generate calls after lunch, since that's when the user realized he/she was locked out.
UKDude20@reddit
This is a printer mapping or other service-based application that's using a cached credential that's no longer valid and locks the account out due to retries. Check the logs and find the culprit.
OrganicSciFi@reddit
Thinking the same, an app with cached creds is causing it
OGT242@reddit
Do they have a mapped drive they used creds for? If they had to change their password and didn't reauth the mapped drive, this will cause the lock out. This happens a lot in Linux environments.
mukz7@reddit
How long ago was the switch to 365 from on-prem Exchange? Mail apps on phones and PCs can be a bugger for this. Also, anything in the local hosts file?
Euler007@reddit
Does the firewall forward port 3389 to an internal RDP Gateway?
NoURider@reddit
If RADIUS is part of the equation, look at those logs as well. Sometimes security logs on the DC will not be sufficient to pinpoint it.
slash9492@reddit
I would say check any Mail clients and make sure the passwords are correct. Also clean WiFi networks that use your domain username and password.
Stringsandattractors@reddit
When I had this I changed the username a little bit. Can’t lock it if the username is incorrect
sr1sws@reddit
IIRC, we had a user that had saved credentials in some application that repeatedly tried to authenticate. When user had to change the PW, they didn't change in that app, causing repeated lockouts. Sorry I don't recall details, one of my team figured it out and fixed it and I've been retired for 2 years. ;) Yes, you CAN actually survive IT long enough to retire - keep on pluggin' away!
h00ty@reddit
So, we block Android and iOS from connecting to our corp wifi. We have had users try to connect their phones to our corp wifi and it won't let them do it, BUT the phone caches the password and keeps trying. When the user changes their password, the old password is still trying to auth on the phone to RADIUS and thus locking the user out.
Flabbergasted98@reddit
For us it happens when users remote into other PC's and leave the session running.
It can also happen if the user is logged into one device and changes their password on another device.
So, Does the user use remote desktop or a terminal server when they're using VPN?
How does password rotation get managed in your organization?
What all does a user use their windows login for?
CausesChaos@reddit
Check Kerberoasting if you have a web accessible application.
oldtimerAAron@reddit
Not a sysadmin but an infrastructure technician. My previous job had someone similar, turns out he had multiple sign ins on other computers around his sites location.
IIRC, we signed into the devices as him with his updated password on his primary PC, signed out of all services on it, rebooted them and it didn't happen again for a while until he started the cycle again. I might be wrong, it's been a year or two.
I'd try and see if he used other computers around the shop or office.
bigeyedfish041@reddit
Check windows credentials
Master-IT-All@reddit
You mentioned 365 and then made a mistake in the same line in thinking it couldn't be the problem. My experience is that it most likely is where the lockout is occurring.
You need to check Entra logs to see what's happening, and also the DC logs to see what's happening. No events are going to be logged on the client.
It's likely something stupid where a CAP is catching them incorrectly. Do they have any client based VPN software like NordVPN installed that might mess with the ability of Windows to identify where it is located?
fourpuns@reddit
Did you clear out their windows password cache in the machine? May also need to clear out cached passwords in edge/chrome.
Sovey_@reddit
Another device trying to log in automatically with old credentials. In our case, we had Outlook on a phone that didn't pick up a password change and locked a user out every 30 seconds.
Backieotamy@reddit
Make sure they don't have any local services running under their credentials.
Clear any saved credentials on workstation and browser.
Recreate users AD account, if you haven't already done so.
Random-User-9999@reddit
"Easy" but annoying fix: Literally make them a new ad user account.
Q: If the user doesn't open the classic desktop Outlook app, do the lockouts still occur?
grumpyolddude@reddit
Could something be on the keyboard or return key? Key stuck. Numeric keypad under paperwork? I had an issue once where the user would push the keyboard up under paperwork when leaving work. Wild guess.
slp0923@reddit
We ran into this with a user. Ultimately wound up being a network share they’d created. Somehow it was trying to auth with the old password, which was wrong, and causing the account to get locked.
RapanosGod@reddit
There is a device which has an older password on it, an email client or any other legacy app.
It can be on his phone, on that pc and so on.
ProgressBartender@reddit
Top three candidates every time:
Unotheserfreeright24@reddit
I've seen something in their web browser causing this. Try completely clearing all browser data for all time for all browsers. Unless you said there's no applications that use domain creds via web and I missed it.
Busy-Photograph4803@reddit
Do you use Citrix in your company?
burundilapp@reddit
We had this with a few users; turned out to be the Adobe updater caching creds. Was a few years ago now.
Syhaque97@reddit
Smells malicious, especially considering user travels frequently and you said you already replaced laptop.
Escalate to someone who has access to tenant admin and check sign in activity…. Something smells bad actor
cyberman0@reddit
This seems like a credentials issue. I would see if someone else uses the computer has the same issue, if not look into a profile rebuild but also check into roaming profile, maybe rebuild the users share where their data is being stored. Usually this would only happen with roaming profile setup, but I would still do some digging into this.
boywhocriedarson@reddit
Not that this helps but this post reminds me of a user I managed in a previous life that was running a machine where the control pc keyboard was awkwardly set low and towards the front of the machine and the monitor and mouse were back further up. Long story short after he locked himself out 4 times in one night I went back to watch him input the temporary password and observed that his stomach was hitting the keyboard when he reached to grab the mouse. I told him I can't judge his beer belly as I have one too but he's gotta suck it up or move the keyboard and we had a good laugh. Thanks for bringing that back in my mind. Good luck!
alexnigel117@reddit
You need to check the security log on the DC (usually the primary), which contains details of the source of the login, and further investigate Event ID 4740. It could also be stale and cached credentials stored somewhere in the network as well; if it's a hybrid environment it could be sync issues too.
VirtualDenzel@reddit
Does the user have network mappings? Sometimes an old network mapping gets stuck under the computer account.
Search for smb access denied events.
Seen this happen plenty of times.
fuckyouabunch@reddit
Is 3389 open and pointed at the device's IP?
Zwarbyt@reddit
I had this happen myself when I forgot that I had set up a service to run with my credentials and it was repeatedly trying to log in and locking my account. Happened every day until we found the server and service logs.
D0ct0rIT@reddit
Sounds like a bad Windows profile that was migrated over to the new computer. Do a Windows profile rebuild via the Registry Editor, and have the user sign in and do nothing else. If the computer does not lock out immediately, or never locks out in general, then the user's old profile that was migrated from the old computer has some kind of issue going on with it and the user is going to have to start from scratch (which shouldn't be an issue as long as they saved their data to their personal drive or OneDrive if they have one).
popeter45@reddit
Does somebody else in the org have a similar username?, Could be them mixing up and locking the account?
_BoNgRiPPeR_420@reddit
If it only happens when they are in the office, it's one of the devices they have. Blow away their profile or reimage the laptop and move on with life. You'll waste more time than it's worth trying to figure it out.
MortalJohn@reddit
I'm low-level first line, but my first troubleshoot would be creating a secondary account. Explain it might be that they will need to migrate to this new account, but as there are no security risks straight away, have them have access to both for now. If the second account reacts the same way you know it's them, and not the specific account's policies. Progress from there.
jason_wallace@reddit
Cached creds on an ODBC connection or linked Excel
gruftwerk@reddit
Sometimes this happens at my job where an end user has Office 365 installed on a personal device with their work account and then they change their password. The old password is cached and Outlook tries to sync data and locks the account.
Cpt_plainguy@reddit
Had this happen before, in my case it was DC related. There was a job that ran automatically using that users credentials on the DC that everyone forgot about. If memory serves it was tied to his folder on the file server, he updated his password, people had moved on from that process so everyone forgot that job was even set up.
Girth-Wind-Fire@reddit
Is the user's cell phone connected to the field office's Wi-Fi? We ran into issues where we had people getting locked out because their cell phone was causing issues with MFA when it and their work laptop were connected to the same network.
AndFyUoCuKAgain@reddit
I would look into their login attempts. See how many times they are trying to log in with a bad password and the device/IP address they are using.
That will narrow things down. You will probably need privileged access if you are locked out of your domain controllers.
Salt-Appearance2666@reddit
We had a similar case 2 years ago and our problem was old cached credentials which tried to authenticate in the background.
Warm-Engineering4215@reddit
We used to get this a lot, tends to be cached credentials through Windows Mail App. Clear their account from it, and see if that works.
deafphate@reddit
Would they have the need to use their credentials manually to access a CIFS share? I had this situation a couple of years ago. I at one point logged into the iLO of a server, mounted the ISO to install the OS, and forgot to unmount the ISO. A few months later I changed my password and my account kept getting locked.
wivaca@reddit
Just a thought from past experience: This can be caused by a mapped drive with a wrong/outdated password. Do they have any mapped drives?
UnsuspiciousCat4118@reddit
If you don’t have DC access then it’s time to escalate and be done with it.
masterz13@reddit
Have you made firewall changes recently? It could be a configuration issue.
uptimefordays@reddit
You need to loop through SecLog EventID 4740 on your DCs, if you don’t have permission or access ask someone who does if they can run:
'DC01','DC02','DC03' | ForEach-Object { Get-WinEvent -ComputerName $_ -FilterHashtable @{ LogName = 'Security'; ID = 4740 } }
From there you can loop through those log entries for ComputerName (the DC) and CallerComputer to get the actual lockout source. If you don’t find anything there you can be pretty sure it’s a phone, tablet, or similar device.
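An added example (not uptimefordays' or any other poster's code) that carries this through: it queries each DC for 4740 events in a time window, parses the event XML, and counts lockouts per caller computer so the source device stands out. The DC names, the username and the 24-hour window are placeholder assumptions.

```powershell
# Added example: aggregate 4740 lockouts for one user across several DCs.
# Placeholders: DC names, username and time window are assumptions, not from the thread.
param(
    [string[]]$DomainControllers = @('DC01', 'DC02', 'DC03'),
    [string]$UserName = 'jdoe',
    [int]$Hours = 24
)

$filter = @{
    LogName   = 'Security'
    ID        = 4740
    StartTime = (Get-Date).AddHours(-$Hours)
}

$lockouts = foreach ($dc in $DomainControllers) {
    try {
        # -ErrorAction Stop turns "no events" and unreachable-DC errors into a catchable warning
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop | ForEach-Object {
            $x = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time           = $_.TimeCreated
                DC             = $dc
                User           = $data['TargetUserName']
                # In 4740 the "Caller Computer Name" field is stored as TargetDomainName
                CallerComputer = $data['TargetDomainName']
            }
        }
    } catch {
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$mine = $lockouts | Where-Object { $_.User -eq $UserName } | Sort-Object Time
$mine | Format-Table Time, DC, CallerComputer -AutoSize

# Lockouts per caller. The user's laptop shows up by hostname; a blank or unfamiliar
# name usually means a phone, printer or other non-domain device submitting the bad password.
$mine | Group-Object CallerComputer | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'CallerComputer'; e = { if ($_.Name) { $_.Name } else { '<blank>' } } }
```

Run it with an account that can read the Security log remotely on the DCs; 4740 only names the machine that forwarded the bad password, so if that is itself a server (file server, RDS host, proxy) the next step is that server's 4625/4771 events.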
BigfootIzzReal@reddit
Try disabling Exchange ActiveSync on their mailbox. This helped me nail down an issue we had some months back.
TurkTurkeltonMD@reddit
A scheduled task with an incorrect password will cause this.
Party_Educator_2241@reddit
Check cameras for the cleaning crew. Probably pissed them off somehow. We had a cleaning lady smear dog shit all over peoples desks and chairs at one place I worked.
Broad_Canary4796@reddit
If it's a laptop, do they connect to a dock for internet and then also an employee Wi-Fi with maybe an old password saved?
Also, if they have a cell phone connecting to the Wi-Fi it might do it. You said you use Office 365, but is it actually separate, or is there any kind of hybrid setup or Azure AD where the accounts are shared? They also might still have the old Exchange account set up. No idea why it would only try connecting while in the office, but maybe there is still some DNS stuff lingering around so that on the network it can try to authenticate and fails.
Check Windows credentials and make sure it doesn't have something saved trying to map a drive or something. Speaking of mapped drives, make sure there isn't one showing disconnected because it's trying the old password.
irlDufflepud@reddit
Have we confirmed it's for certain the laptop? I've had Office applications lock a user out having cached an old login on a mobile device. Logging in again to any app/website the user accesses associated with their user account on the phone should fix it.
Advanced_Day8657@reddit
Search on YouTube for "PowerShell investigate user lockout". I think the video by Jacked Programmer will help you.
StorminXX@reddit
This happened to me once. I used this free tool to tell me where the issue was. https://www.netwrix.com/account_lockout_examiner.html. I do not work for them and this is not a promotion for them.
knifto@reddit
Did you analyse the security events?
RedditAutoCreated@reddit
It's a device like a printer using windows credentials to authenticate to a folder or email service.
deefop@reddit
99.9% chance there's cached credentials either on their PC or on their phone trying to authenticate over and over.
GeekgirlOtt@reddit
"they will come into work and their laptop is already locked before they touch it."
Are they bringing the laptop in with them, or could someone else be fingering it overnight?
"both pointed that the lockout must be coming from the user's PC." - Does it identify WHICH PC? Could his account be active on another PC?
SilentMaster@reddit
We used to have a shared account that like 8 people were using. It happened to that one a ton. It was a user in my case doing something idiotic; once I found that person and retrained them, it stopped happening. I would bet this is the same root cause, a user doing something stupid.
G305_Enjoyer@reddit
Probably using a legacy MFA type that passes 100% of failed password attempts to AD from online hacker attempts.
autogyrophilia@reddit
Wazuh is free, if a bit of a bitch to upgrade. I'm surprised how many orgs do not have any basic SIEM tool to aggregate authentication events.
joeytwobastards@reddit
You say it's not email related. Make sure they haven't set up ActiveSync on their phone.
shunny14@reddit
Do they have a basic/common username like bob?
Boring_Pipe_5449@reddit
For us this was most of the time a mobile lying around somewhere with old credentials trying to connect.
TheRogueMoose@reddit
Is it a domain-joined machine? I actually had this issue with our staff when I would give them a machine that was joined to the domain. The VPN (using Windows built-in) had to use the same credentials as their domain login. Thankfully it was easy enough on our firewalls; they can pull users directly from LDAP/AD.
S1anda@reddit
What are the odds a fellow employee is trying to log in to change this user's screensaver or some dumb sheiße? Wouldn't be the first time...
Trinity_McDuff@reddit
Try checking the stored passwords with this command; it's a different area than Credential Manager:
Rundll32.exe keymgr.dll,KRShowKeyMgr
datec@reddit
You will need access to the audit logs on the DC to see where the bad password is coming from.
There are a few things locally you can check on their device but this won't help if the bad passwords are coming from another device, like an old computer or someone trying to use their credentials. Check task scheduler and the services on their PC to see if anything is set to use their account.
Changing their username is not solving the problem; it is just sweeping it under the rug.
thortgot@reddit
What does the security log on the endpoint say?
There will be a corresponding failure locally and on the DC.
hardboiledhank@reddit
Conditional access to block countries you don't need to give access to.
Perimeter network blocks to do the same if your firewall supports it.
BrianMichaelArthur@reddit
Do they access any Microsoft stuff from a phone or tablet? What is your current password policy for users? Have you tried reaching out to corp to get the access logs from the DC for that user?
You mention on site and that they travel. Do they have this issue at other sites or is there only one site in question?
Do you have guest wifi onsite that they can try and connect through to see if maybe something in the physical network is causing issues?