As the title states, this happens randomly to Windows 7 accounts on our Windows 2008R2 domain controller.
We just had this start happening after changing from 123together hosted exchange to Rackspace hosted exchange. Also around this time our passwords on the DC started expiring, but not the exact day, and everyone has different days they need to change it before.
It has only affected 10 out of 30 accounts (I know which ones it is), and I see no link between them.
How can I figure out what services are trying to log on and fail?
When we switched to Rackspace Hosted Exchange I came across the same issue. I even purchased Netrix Lockout Examiner to try to nail down the issue to no avail.
After trying to figure out why some users were locked out often and some were not I finally realized that the ones getting locked out were the ones with the same Windows login name as their email address. What I suspected was the case the whole time definitely was.
Outlook passes the [email protected] credentials to the server on its way out to Rackspace, and since technically [email protected] is the same on your DC and the passwords are different, it locks them out.
You have two options (neither are very great):
1. Have all your users keep their Exchange password the same as their Windows password.
2. Rename their Windows login name to a different naming scheme from your email (John.Doe vs. jdoe).
I spent so many hours on this and contacted Rackspace and Microsoft and neither were able to offer a better solution. With this information, if you are able to pursue a better solution please do share.
Before you can go fixing things, you have to actually identify the problem.
Start by enabling Audit logging on your DC for Account Logon events. Then trace out where the bad password attempts are coming from. The Account Lockout & Management Tools will help identify the last bad password attempts on an account (use lockoutstatus.exe). AD accounts don't lock themselves out, so something/someone is creating bad authentication requests for these users.
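The same investigation as a script, added here as an example and not part of the original answer: it enables failure auditing for the relevant subcategories on the DC, then groups lockout (4740), Kerberos pre-auth failure (4771) and NTLM validation failure (4776) events by account and source so the machine sending the bad passwords stands out. The $Hours and $User parameters and the Get-EventField helper are assumptions of this example.

```powershell
# Run on the domain controller as an administrator (Windows Server 2008 R2 or later).
# If audit policy is set by the Default Domain Controllers GPO, change it there instead
# of with auditpol, or the GPO will overwrite these settings at the next refresh.
param(
    [int]$Hours = 24,
    [string]$User = '*'      # e.g. 'matt.hughes' to look at a single account
)

# Subcategory names as listed by: auditpol /list /subcategory:*
auditpol /set /subcategory:"Account Lockout" /failure:enable | Out-Null
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable | Out-Null
auditpol /set /subcategory:"Credential Validation" /failure:enable | Out-Null

# Read a named EventData field from the event XML. Positional Properties[n]
# indexes differ between event IDs, so names are safer.
function Get-EventField($Event, $Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    $what = $null
    switch ($e.Id) {
        # 4740: the caller computer name is stored in TargetDomainName
        4740 { $what = 'LOCKOUT'; $src = Get-EventField $e 'TargetDomainName' }
        # 4771 with status 0x18 = KDC_ERR_PREAUTH_FAILED, i.e. wrong password
        4771 { if ((Get-EventField $e 'Status') -eq '0x18') {
                   $what = 'Kerberos bad password'; $src = Get-EventField $e 'IpAddress' } }
        # 4776 with a non-zero status is a failed NTLM credential validation
        4776 { if ((Get-EventField $e 'Status') -ne '0x0') {
                   $what = 'NTLM bad password'; $src = Get-EventField $e 'Workstation' } }
    }
    if ($what) {
        New-Object PSObject -Property @{
            Time = $e.TimeCreated; Event = $what
            User = Get-EventField $e 'TargetUserName'; Source = $src
        }
    }
}

# One line per (account, source, event type); the top rows are the machines to look at.
$rows | Where-Object { $_.User -like $User } |
    Group-Object User, Source, Event | Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

If the source for a user is that user's own workstation and the timestamps line up with an application start, that application's stored credentials are the next thing to check.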
It is Outlook. I had a user open and close just this program, and it took a couple seconds to connect to the server, and then when I ran Lockoutstatus (from Account Lockout Tools), every "bad password" coincided with the exact time that he opened Outlook. It was between 3 and 5 "bad attempts" per opening, though, not just one.
We use Rackspace Hosted Exchange 2010, though. We DO use the same [email protected] as we do for logins on our domain controller. So, I'm [email protected] and I also log on to our DC as matt.hughes.
How can this be solved, and why on earth is it only affecting a few people and not all of us?
I found something that finally stopped it.
I entered the Rackspace unique username that they have on record for our system. You have to contact them to get this list. I put this unique username in Windows Credential Manager for Outlook instead of my email address and did not change the password. So instead of "[email protected]" for the user, I now had "mex05\johnny.hendricks_mydoB3039" as the username.
This fixed it for a few users. For the remaining, I found an additional thing that I had not thought of before.
In Active Directory, if you go into the User Properties, look at the username's @_______ suffix. We had everyone at johnny.hendricks for the username and, in the dropdown, we had @mydomain.com. I switched this over to @mydomain.local, and it fixed everyone's bad password attempts. This may have been the original problem, but the other fix worked as well, so who knows.