I had this same problem at different companies and each had a different reason.
1.)Make sure that the account being locked was never used to install software on someone's workstation. Sometimes a programmer or someone with high enough privs at the workstation will install software and the software will load using that person's account instead of the "Local Admin, Domain Admin, or a System" account. Eventually, as that person changes their password, all software that was installed and configured the software's "service" to load and use the incorrect password. You can get software that can monitor the Events at the workstations or simply browse for the correct Event remotely on suspected workstations. I know there are scripts and other software that can easily do this for you. 2.) Someone really is trying to use their account to log in 3.) Someone doesn't like this person or is playing a joke on them and locking their account. We use to play around when we were just Help Desk jockeys, come in early and attempt 3 incorrect logins just to lock someone's account as a joke. Then tease the person later as they have to call the Admin to unlock it that they're incapable of logging incorrectly or remembering their own passwords. If I recall, I used Hyena to locate the computer that was having the problem but there should be plenty of software to do this for you. Make sure that you enable the account lockout auditing on the domain. I remember once reading that even with auditing on, the workstation may or may not log the Event at the server. Instead, it logs it locally. I don't recall why this happens, however. Hope this helps. ----- Original Message ----- From: "Lists" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> Sent: Monday, June 24, 2002 10:40 AM Subject: NT4 Account keeps getting locked out! Network info: NT 4 server network with W2KPro clients. Situation: We have a user that keeps getting their NT account locked out for reasons that we are not yet aware. Unable to get much info from Event Viewer on NT4 servers or W2KPro client. Don't know if this is being done by someone intentionally (somewhere on the network or from the client's computer) just to give us a hard time, or a rouge program somewhere on the network or client's computer trying to logon as that user. At this time, we are not ruling anyone out, everyone is suspect. We have replaced the client's computer (not totally, user copied shortcuts and some files back to the new desktop...I know, if it was up to me they would not have been allowed to do this, but it's not up to me) and the account is still getting locked out. We are in the process of creating a new NT account for this user and see if it still occurs. Bottom Line: We need to find out what is causing this account to get locked out and prevent it from happening again. Some thoughts: Is there third party software that will be able to determine what is causing this account to get locked out? Some sort of sniffing program on the server or the client to find out what program is trying to logon with this account and from where? If this is a user doing this intentionally, what are they doing and from where? Are they trying to connect remotely to the client's registry, or to a share on the client computer? Is there third party software that can help? Any suggestions/recommendations welcome. Thanks, Jack
