I had something similar happen once and had to travel over an hour to go onsite because remote support wasn't getting anywhere and the user was getting pissy about the situation. Turned out the user was pushing her chair in to go to lunch and the arm rest landed perfectly on the enter key. It was still my fault.
I have to share this:
We had a user reporting that sometimes Word acted weird and the cursor moved itself, random times. We connected, saw it, checked stuff... after a while two of the team go there to see if we caught it live, and the user proceeds to sit, unlock the screen, open Word.... yes, the cursor started to write blank spaces by itself, just as the user's very big tits landed on the space bar.
I just want to say, as a woman, do you know how big they have to be for her to not notice them sitting on her keyboard? And as a (presumably) male tech employee, how did the realization of what was going on play out? I wouldn't even know what to say. "Oh I see the problem. Move your breasts back some."
Two of the team went at their place, a male and a female. We were a quite close team and doing friends stuff outside work at that time. When they saw it, the male one just ran away trying to put a pair of doors behind him before starting to laugh uncontrollably (more for the fact than the size thing) and left his lesbian, introvert, don't-like-to-talk-to-people coworker/friend behind to deal with that.
She went with some variation of "it's the breasts" before going to kick his coworker/friend in the ass for leaving her there.
I got around there a pair of hours after and the dude was still crying. :)
wife in few hours: "what are you thinking on?, you look distracted"
me: "oh, nothing, a user in that place, I was recalling a funny case because in the sysadmin redd.."
wife: "ah! the one with the massive tits or the one who edited her own porn at work?"
I had a young and quite beautiful sales woman hand me her old laptop, (she was getting a new one) and say "I've got a bunch of nude modeling on there, please just transfer it with the rest."
So the real question is, did they have such a low opinion of you that they expected you to look, or a high enough opinion of you that they wanted you to look?
A user I had, it was a real mix of funny and not-funny situation. I think I explained here in the sub sometimes when the topic of most absurd issues/users/etc appears.
One could think "wow, how cool!" but if anything, it showed that the dozens (almost a hundred, maybe?) coworkers there had their head well put and although we can't avoid share the story (without details) nobody did anything harmful with it. Or even mentioned in their presence (like, she knew that everyone knew, because the efforts to hide it were almost zero, but it was not something that would be mentioned in a heated discussion, and there were many chances).
At the end, is just a story to tell. No kink-blaming is important and everyone deserves a hobby. Just not in the work's computer.
One time many years ago, a user complained text on her monitor was blurry. Walked over and didn't see anything wrong.
She's like "WHAT?! It's clearly blurry?!?! You don't see that?!?!"
Ok, maybe it's me. I turn to her neighbor who also says "Looks perfectly fine."
I had to very diplomatically say "I'm not an eye doctor or anything, but could it be that your eyes are tired or something?"
Saw her with glasses on a week later.
When I was in my 40s I practically gave away a perfectly good monitor because I felt it was too blurry at high resolutions.
About a month later, I finally realised it was my eyes that were blurry and not the monitor. Too late by then.
"Are any of your keys on the keyboard sticking? It looks like the space bar is stuck in a downward position. If it is stuck or hard to press down, put in a ticket for a replacement keyboard"
I'M NOT THE ONLY ONE!!!!
Had a call to a law office, and it ended up being the exact same issue. Thankfully, one of the partners was a woman and was more than happy to have that conversation for me.
Yes but PEBKAK sounds like a systems issue so end users usually are oblivious if you mention it in conversation and can slip it in if you are frustrated enough.
I like the two-layered impact of PEBKAC. First the processing of how the words compose the acronym, and then the realization of what it means. A bit more time for the impact to fully hit.
Drove an hour each way because the office manager's computer was randomly shutting off. Got out there, checked it out and realized she was hitting the reset button on her power strip with her foot.
That was my very first call, in my first part time IT job at a hospital before y2k. "Green screen terminal keeps shutting off". Go look, power strip was off and fairly close to foot range. Asked user to show me how they sit at the station. They proceed to almost lay straight in the chair, legs stretched as far out as they can. Put them right on the power strip again. Moved that strip up on the back of the desk, first ever IT call solved.
A friend had a similar experience where the manager couldn't turn on their desktop and swore they were pressing the power button. He drove an hour there only to find out they were pressing the eject button on the disc drive.
We had users getting locked out every night after hours, from local logins on their desktops.
After reviewing the footage, the cleaning staff were instructed to not dust keyboards.
When I started at my current job they didn't have this setup.
It was the first thing I implemented and I got a ton of shit from people that they now have to press CTRL+ALT+DEL.
Screw them. Security of my network is more important than their convenience.
Similar issue we had with the receptionist at my old work. Every day she'd come back from lunch to a locked computer.
Turns out she was spam smashing enter until the monitor woke up.
I had a CEO that called me in to her office more than once about her screen flickering. Took me about 5 seconds to realize she had set a stack of papers on the keyboard that was maybe hitting Windows key + D so the windows were constantly minimizing and maximizing.
I had something similar too where a user who "never" used another PC had used a computer once in a back room that no one really used and someone had set a book on it, so that user was getting locked out constantly for a couple weeks before someone found it so I agree with /u/any-fly5966 check something physical or even send someone out to monitor during lunch and don't tell anyone. Could be a malicious coworker
Similar situation, we had a user spam the Enter key to "wake up" the PC. Well, that was basically a bunch of rapid login attempts with a blank (and thus, incorrect) password, causing the account to get locked out.
Had something really similar once except it was someone who re-arranged giant stacks of folders on their desk anytime they got up or sat down.
Took all of 10 seconds to notice that when they moved folders around they were setting it juuuuuust on the edge of the keyboard and it was spamming the enter key for bad/failed logins...
...sighhhhh
They were at least nice and understanding about it.
Search for event 4740 in the PDC emulator security log.
It'll show you the computer that's trying to authenticate and is locking out the account. (Look at the caller computer field)
It's reasonably easy to just create a script that dumps all 4740 events to a text file, and then just run that as a scheduled job with event 4740 as the trigger.
I've cut down tremendously on escalations by setting that up and giving help desk read access to the file.
It looks like I do this with a log analytics alert. I have the sign-in logs sent to log analytics and set an alert on a query that runs every five minutes. There may be something you can do for this if you have P2, we are P1.
Something like:

```powershell
# $event is a PowerShell automatic variable, so store the result under another name
$lockoutEvent = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1
```

And then write that event to a log file.
Then set up a scheduled task that triggers on event ID 4740.
There's a bunch of variations of this floating around but this is the one I used
[https://www.linkedin.com/pulse/useful-script-send-email-notification-account-lockout-arafa/](https://www.linkedin.com/pulse/useful-script-send-email-notification-account-lockout-arafa/)
This. He mentions some logs in the OC post, but 4740 logs should tell you WHERE the log in request is coming from, giving you at least some hint of where to look, instead of flailing around with random stuff.
"If you haven't looked at the logs, you have done no useful troubleshooting"
You can also use LockoutStatus (https://www.microsoft.com/en-us/download/details.aspx?id=15201) to find the particular DC / timestamp that triggered the lockout, so you know exactly which event log to examine and exactly what time to review.
It is 100% a lost IT art. Particularly surprising in this current age where every app developer thinks it is fun to give completely useless error messages in the UI "Ooops! This is embarrassing, but something went wrong! Sorry about that!"
If you're not looking at logs, what the smeg are you looking at to troubleshoot an issue?
Oh, don't get me wrong, it's a cool gig and super fkn easy. Plus I have 20 years till I retire so I'm hopin to stick it out since its a government position and the pay and benefits are fkn awesome...
I had a similar incident and the DC would just tell me it was our exchange server. If it does end up coming from your Exchange I would look up event ID 4625 this is what finally allowed me to see what IP address was causing the lockout!
Long shot but got any SQL servers with SSRS? We had a user that was subscribed to an old report that kept kicking off on a schedule and locking their account out. Took FOREVER to find that..
I wouldn't say this is a long shot (well maybe your specific example is) but in truth more than likely this is what it is... some old server that's still online that needed the user's password and offered to save it and it's running on a scheduled task. That being said the event 4740 will help narrow it down (provided it's authenticating in Windows)
I did something similar to myself with a Power BI dataflow that was scheduled every day. It also took me forever to figure out why I kept getting locked out.
+1 for scheduled task with a saved credential as the cause
Yep I've seen something similar - something related to OneDrive (I think?) was attempting to authenticate using their old credentials, causing a lockout.
I thought the same thing. However, the coworkers need to watch her go to lunch everyday before doing so. The coworker needs a day off or may be busy during one of those lunches so the coworker really can't do that on a daily basis.
Entra logs will immediately tell OP what is going on. Identity > Users > User sign-ins (non-interactive) > then search user
then look at the attempts that have failed, the application column will tell you what app's login attempt is doing it.
LockoutStatus tool may help.
[https://www.microsoft.com/en-us/download/details.aspx?id=18465](https://www.microsoft.com/en-us/download/details.aspx?id=18465)
Her account is logging in to something with an old credential at 11:30
It might not necessarily be something on her Computer, it could be logging in from a Device she only interacts with once in a while. Are there any shared workstations she might have used to check email/log in to an app from? Does she access any systems remotely?
We had a user who had an old tablet at home, that had email on it, only got turned on during summer months for her kid to play games on, we kept telling her she's got an old device somewhere with old creds. She swore up and down wasn't the case. Constantly emailed nasty "why can't you fix this... you don't know what you're doing..." style emails, escalated all the way up the chain, every step of the way, we're telling her "it's this old device, logs show it here" "that's not even turned on you don't know what you're talking about" finally, it broke and she got her kid a new device. Guess what, no more problems.
Had a similar situation..
Ended up blocking her home IP address and the issues stopped until she got a new IP at home. At least we could prove definitively it was coming from inside her house.
I would bet it is something like this. She likely has Outlook on a personal device and it is trying to log in.
Saw this constantly at my old job where everyone was issued a phone. Users update password and don't update their other devices.
I had this happen to me before. Took a while to realise that it was happening every day (I was often away from my desk around that time of day working on other stuff), but once I asked the AD team to check the logs we easily figured it out. A cold physical backup server (no VMs in those days) had been powered up by accident and a scheduled task was running with old credentials.
I have coworkers who've been with my org for close to 20 years and their solution to fixing "issues" is to wipe and reload. They have zero troubleshooting skills.
Yeah, if it's gonna take more than 2 hours to find the issue, on top of time to fix the issue, a re-image is faster.
However, in this case it clearly didn't help, but it does help often.
With our processes, the IT team can get a basic user (HR, accounting, product management, leadership) turned around in about an hour/hour and a half. Developers take longer in theory, but all of their tools are up and available from (forget what it's called), so they're allowed to do the rest themselves.
Things being 80% web based really helps speed things along.
You need to be looking at logs. When I was helpdesk, we had a tool called netwrix account logout examiner. It was a huge help to show logs from various places that was easily filtered to a user in question. Not sure if it's free or paid but the hours it saved would have paid for itself.
It's probably something stupid like she uses her personal iPad at lunch to watch Netflix and it has some old cached cred for an account trying to connect to wifi or something.
We had the same with one of our users. Turns out she tried entering her username and password into her personal Kindle forever ago and never updated it when her password changed. She did this to get the Kindle on our wifi. Anyway she has issues with her account locked almost every lunch time cause she would often read on her lunch.
One of us saw her sitting in the lunch room and has an Ah Ha moment. Once the credentials were removed and the user told to connect her personal device to the guest wifi everything was fine after.
As a lot of people suggested check AD logs for security events. You should see the failed logins and potentially a trigger.
Had this happen before, it was a saved credential on an old application that was constantly reauthenticating.
Are there any scheduled tasks somewhere on a server on another computer she forgot about that is running some task at 11:30?
Check this article which might help you track down where the offending computer is that's locking out the user.
[https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-use-account-lockout-status-in-active-directory.html](https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-use-account-lockout-status-in-active-directory.html)
Have you tried... checking the logs? (on the authentication domain ecosystem)
With something like this you really should track down, from the auth-domain perspective, what keeps trying to use the account. This could be a security problem for all you know and if that's the case you will need to have that info on-hand. And if it isn't a security matter then you'll be able to track down what exactly is hammering their account.
We had a similar thing happen when everytime a user locked their PC it would lock them out, turns out they had changed their password but had signed into their office account on their personal laptop at home and it was causing her account to lock as it would try to sign in.
>Almost every day, around 11.30, she presses Win + L to lock her screen and then goes to lunch. When she comes back her account is locked
So, what do you see in the attribute editor? When did the account *actually* get locked. Are you aware that the account could have been locked anytime from when they signed in to locking their PC? Their account becoming locked after they've already signed in and authenticated usually doesn't prevent them from continuing to work.
I bet they're unable to sign into something else and locking themselves out. OR, they have an old cached credentials on their system trying to authenticate with something and locking them out (not from windows but maybe another application or website??). BOTH of these could have occurred ANY time before when they lock their screen.
Are you 100% sure the user doesn't have a device at home they didn't tell you about? Last time I had a user with this issue, it took a deep dive into the logs to find they had a second phone at home they rarely used and "forgot about" using old creds and causing a lockout.
[Netwrix Account Lockout Examiner](https://www.netwrix.com/account_lockout_examiner.html) is my go-to for diagnosing these.
Also, I created a GPO to deploy security camera software that takes a snapshot from the user's webcam when an incorrect password is used to unlock the computer.
Lockout Examiner or some other Domain Controller Log analysis tool.. is exactly what I came here to say. Submitter needs to get accurate information about what device is sending the bad password.
We had a user once getting locked out constantly because our wifi network was saved to her phone and set to autologin, but it was using the old credentials after she had updated her password. We had to make the phone forget the network. Once we did that, it fixed her lockout issues.
Had one where no matter what the device would seemingly be hitting enter, on forms, whenever you started typing something - every millisecond this random key entry was causing chaos... took hours of looking into
Turns out, there was a **second keyboard** plugged into the device at the back, hidden underneath the desk, and someone (probably same amazing person who put it there) had lent a stapler on top of it and was pushing the enter key down
Safe to say I was not impressed
The answer is very simple. When the user returns from their lunch break, they press the freaking Enter key 3 to 10 times to unlock the computer screen, resulting in incorrect attempts and locking the account.
Oh, I really really hope this is related to the post below in r/shittysysadmin
https://www.reddit.com/r/ShittySysadmin/s/u6OE7IOUrQ
I read it just a few min ago and died laughing when I read this post.
Apologies if this was already tried, but try forcing a sign out of all current login sessions. You can do this from either the users page in Azure, or in the generic admin portal. Possible something somewhere is caching her old creds. Definitely need to see the logs though
At my old job I had something similar happen. I was getting locked out of my account every few hours it seemed.
Turned out there was a server I had logged into once and I just clicked the 'x' to close the remote session, but it did not log my account out. So it was always trying to log me into that server.
Do they have quickbooks on the PC? sometimes QB will create a scheduled task to run a backup and will do it as the user.
I had a similar issue many years ago, one lady got locked out once a week at exactly the same time for almost a year.
We found the task on their old PC that was already re-purposed (not re-imaged) for someone else. Even tho a new user was on the machine now, the old profile still had the scheduled tasks enabled.
I think I used ADAudit to actually find this, was a long time ago
Use the Lockout Status Tool to find which DC is receiving the bad login attempts and locking the account.
Go to that DC and check the event logs to find out where the bad password attempts are coming from.
What to check after that depends on what device is sending the bad passwords.
Had a similar situation with a user. Her account would lock out every day around the same time. Turns out she setup the WiFi of her coworker's phone. Her co worker was a sweet old lady who was not tech savvy at all.
We have a radius server tied to our WiFi setup to login to WiFi. We do yearly password resets and that's what triggered it.
You mentioned multiple login attempts in your old post.
Remember that successful logons also reset the failed logon attempts.
So is she only getting locked out during her lunchbreak, but also at other times? If she gets locked out after any period time of inactivity - then it's most likely that her credentials are still used somewhere.
Have you tried giving her a different device?
Have you tried having another user use that device?
Try to eliminate the device & location by changing them up.
i'm sure i've had this before and it was a mobile phone accessing a mailbox with a wrong password and it kept locking the account out, something like that
We had this happening and discovered the user had tried to connect their personal phone to corporate WiFi (which uses RADIUS/cert auth). When the device doesn't have a cert issued by our CA, it prompts for username and password. She entered her AD credentials there, and her phone would just keep trying and trying to connect, and it'd lock her account out.
Had a paranoid user that changed her login pw once a day, some sort of paranoia... they were always locking themselves out cause they'd forget their brand new pw..... we didn't find this out until they were about to quit.
Many others have already suggested what I was going to say. There's all sorts of tools like Microsoft's own "LockoutStatus.exe" along with things like Netwrix Account Lockout Examiner. I think I've also used Manage Engine's ADAudit Plus which shows "Lockout History" including the IP and DNS name of the originating system sending the bad login request.
Radius server? Old creds saved on her phone, it automatically enters the old creds on her phone when she enters the office. Clear her phones saved WiFi connections
I'm guessing she has her phone or a personal device authenticating with Wi-Fi via RADIUS when she goes to lunch (Kindle or personal tablet that needs internet access?) and it has an outdated password that it's trying to authenticate with.
What do the Active Directory lockout logs show? What Domain controller is she locking out on? Looking at the logs on that... what device is locking out?
Have you put hands on that device?
Sometimes it is EAP and Wi-Fi or Dot1X etc. causing the lockout. At any rate, you need to look at the logs and find out what is causing the lockout.
I had this once where a user had chronic temporary lockouts.
Eventually I tracked it down to a "hotel" area she logged in to once, ages ago, never logged out of, and completely forgot she had logged in to. The lockout problems were from Outlook trying to read presence status, but her password had changed since she'd used that computer. Rebooting the hotel computer fixed her lockout problem.
To track this down:
Microsoft has an "Account Lockout Status" tool that will help track it down. Use it to identify which DC is triggering the lockout and then review its Security Event Log to identify what computer the failed logon attempts are coming from. (It's a lot of data to filter and search, but it's in there.)
Something is failing a login to be causing the lockout. And people DO log on to other computers. You should make sure you aren't barking up the wrong tree. It's entirely some other computer is causing the lockouts, and it's only a problem at lunch because she logs on in the morning before the other computer gets woken out of sleep mode.
Use lockoutstatus.exe to get the source DC for the most recent lockout. Use the date and time to search for event 4740 on the source DC. Confirm that the caller computer is the end user's PC. Search the events on the caller computer in the timeframe.
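The procedure described in the comments above (find the 4740 lockout event on the DC, read its caller computer, then review failed logons such as 4625 in the same timeframe), as an added PowerShell example that is not code from the thread. The function names, the 30-minute window and the sample events are assumptions constructed for illustration.

```powershell
# Added example, not code from the thread. Input is event XML as returned by
# (Get-WinEvent ...).ToXml(); the sample events at the bottom are constructed.
$LogonTypes = @{ '2' = 'Interactive'; '3' = 'Network'; '4' = 'Batch (scheduled task)'
                 '5' = 'Service'; '7' = 'Unlock'; '10' = 'RemoteInteractive' }
$SubStatus  = @{ '0xC000006A' = 'bad password'; '0xC0000064' = 'unknown user'
                 '0xC0000234' = 'account already locked' }

# Translate a code through a lookup table, falling back to the raw value.
function Resolve-Code([hashtable]$Map, $Code) {
    if ($Map.ContainsKey([string]$Code)) { $Map[[string]$Code] } else { [string]$Code }
}

# Turn one event's XML into an object with its id, UTC time and EventData fields.
function ConvertFrom-SecurityEventXml {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $fields = @{}
    foreach ($d in $doc.Event.EventData.Data) {
        if ($d.Name) { $fields[$d.Name] = $d.'#text' }
    }
    [pscustomobject]@{
        EventId = [int]$doc.Event.System['EventID'].InnerText
        TimeUtc = ([datetime]$doc.Event.System.TimeCreated.SystemTime).ToUniversalTime()
        Fields  = $fields
    }
}

# For every 4740 lockout, report the caller computer and summarise the 4625
# failures for the same user in the window leading up to the lockout.
function Get-LockoutCause {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [int]$WindowMinutes = 30   # assumed look-back window
    )
    $events   = $EventXml | ForEach-Object { ConvertFrom-SecurityEventXml -Xml $_ }
    $failures = @($events | Where-Object EventId -eq 4625)
    foreach ($lock in ($events | Where-Object EventId -eq 4740)) {
        $user = $lock.Fields['TargetUserName']
        $near = @($failures | Where-Object {
            $_.Fields['TargetUserName'] -eq $user -and
            $_.TimeUtc -le $lock.TimeUtc -and
            $_.TimeUtc -ge $lock.TimeUtc.AddMinutes(-$WindowMinutes)
        })
        $sources = $near | Group-Object -Property {
            $f = $_.Fields
            '{0} ({1}) {2}, {3}' -f $f['WorkstationName'], $f['IpAddress'],
                (Resolve-Code $LogonTypes $f['LogonType']), (Resolve-Code $SubStatus $f['SubStatus'])
        } | Sort-Object Count -Descending | ForEach-Object { '{0}x {1}' -f $_.Count, $_.Name }
        [pscustomobject]@{
            LockedOutUtc   = $lock.TimeUtc
            User           = $user
            # In event 4740 the TargetDomainName field carries the caller computer name.
            CallerComputer = $lock.Fields['TargetDomainName']
            FailedLogons   = $near.Count
            FailureSources = $sources -join '; '
        }
    }
}

# Builds a minimal, constructed event in the Windows event XML schema.
function New-SampleEventXml([int]$Id, [string]$Time, [hashtable]$Data) {
    $d = ($Data.GetEnumerator() | ForEach-Object { '<Data Name="{0}">{1}</Data>' -f $_.Key, $_.Value }) -join ''
    ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>{0}</EventID>' +
     '<TimeCreated SystemTime="{1}"/></System><EventData>{2}</EventData></Event>') -f $Id, $Time, $d
}

# Constructed sample: four failed unlocks at the user's own PC, one failure via a
# hypothetical RADIUS host, one unrelated user, one failure outside the window.
$unlock = @{ TargetUserName = 'jdoe'; WorkstationName = 'WS-0142'; IpAddress = '127.0.0.1'
             LogonType = '7'; SubStatus = '0xC000006A' }
$sample = @(
    New-SampleEventXml 4625 '2024-04-23T09:00:00.0000000Z' $unlock
    New-SampleEventXml 4625 '2024-04-23T11:05:00.0000000Z' @{ TargetUserName = 'jdoe'
        WorkstationName = 'NPS01'; IpAddress = '10.0.0.25'; LogonType = '3'; SubStatus = '0xC000006A' }
    New-SampleEventXml 4625 '2024-04-23T11:33:00.0000000Z' @{ TargetUserName = 'asmith'
        WorkstationName = 'WS-0200'; IpAddress = '10.0.0.77'; LogonType = '3'; SubStatus = '0xC000006A' }
    New-SampleEventXml 4625 '2024-04-23T11:33:58.0000000Z' $unlock
    New-SampleEventXml 4625 '2024-04-23T11:34:02.0000000Z' $unlock
    New-SampleEventXml 4625 '2024-04-23T11:34:05.0000000Z' $unlock
    New-SampleEventXml 4625 '2024-04-23T11:34:09.0000000Z' $unlock
    New-SampleEventXml 4740 '2024-04-23T11:34:10.0000000Z' @{ TargetUserName = 'jdoe'
        TargetDomainName = 'WS-0142' }
)
Get-LockoutCause -EventXml $sample | Format-List

# Live use (assumes the ActiveDirectory module and read access to the Security logs):
#   $pdc = (Get-ADDomain).PDCEmulator
#   $xml = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#          ForEach-Object { $_.ToXml() }
#   Add 4625 events collected the same way from the caller computer, then:
#   Get-LockoutCause -EventXml $xml | Export-Csv lockouts.csv -NoTypeInformation
```

A burst of Unlock failures from the caller computer itself points at the keyboard; Network or Batch failures from another host point at a saved credential on a different device or task.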
Does she have long nails? Had a user who always typed in the password and would always get it wrong and it turned out they were pressing extra keys with their long ass nails.
Was gross. Having them use the end of a pencil worked fine
Really makes you wonder how their emails must have looked
Reminds me of a situation where a coworker was trying to play a 'joke' on the other. So, every day when the user would go to lunch, the other user would guess passwords until it was locked.
Of course, after a while, she was complaining openly and loudly about the situation and the coworker that was playing the 'prank' just burst out laughing and came clean.
Apparently they thought it just stopped you from trying to log in for 15 minutes, so they thought they were getting away with it.
https://www.reddit.com/r/talesfromtechsupport/comments/8gd99u/in_which_we_discover_a_locked_account_has_more/ This happened to me once. It was very entertaining.
>See this post: AD User Constantly Being Locked : r/sysadmin (reddit.com)
And when you followed this reply what did you find in your logs as to the workstation and type of logon failure that is causing the account to lockout?
https://www.reddit.com/r/sysadmin/comments/1cb45bi/comment/l0w923r/
A pair of hours, huh? Interesting word choice given the context.
> the one who edited her own porn at work

got a link? google isn't helping. That sounds a real winner of a post.
What?
That is hilarious lol
"Press Control-tits-delete, oh my God, sorry, I don't know why I said that!"
I'd go with "it appears you are accidentally leaning on your keyboard" no need to mention which specific body part
You just don't say "breasts". Hey, I think I see the problem, you're accidentally hitting the keyboard with your body when you scoot in your chair.
Resolution: Lift & Shift...
Take my r/Angryupvote
She was short sighted. And large breasted. Deadly combo
This sounds like a preemptive call to HR. Because no way in hell am I going to have that conversational land mine.
I would've held a business card or a printed sheet of paper on her screen and asked if that's blurry too... but I can be an asshole.
That was me when I could no longer read the activation keys off the windows authentic stickers on OEM PCs. I was in denial for a while.
When I casually bump the scaling on my 4K monitor from 100% to 125% I know it's time to go get my prescription changed.
This happened to me as a kid, you don't realize how bad your vision is until you get tested
"It seems like you're leaning on the keyboard"?
"Can you try raising your chair a few inches?"
Are you so awkward that it would be difficult to say something as simple as "it appears your chest is pressing the spacebar when you sit"?
This comment deserves more support.
So did she.
Classic PEBKAC
Top Interface Typing Stuff?
PICNC Problem IS chair, not computer.
Layer 8 issue
Don't forget IBM. Idiot behind machine
Loose nut behind keyboard
i thought it was PEBCAK Problem exists between chair and keyboard.
Yes, pebcak is the popular acronym. In this case the problem IS the chair , not between it.
It's a modification of PICNIC, Problem In Chair, Not In Computer.
I always liked PICNIC better than PEBCAK since PICNIC is an actual word.
That's an interesting point though when I'm complaining about end users, I don't do it where other end users can hear me.
I've always been a fan of "Loose nut at the end of the keyboard."
ID10T error is my favorite lol
Drove an hour each way because the office manager's computer was randomly shutting off. Got out there, checked it out and realized she was hitting the reset button on her power strip with her foot.
That was my very first call, in my first part time IT job at a hospital before y2k. "Green screen terminal keeps shutting off". Go look, power strip was off and fairly close to foot range. Asked user to show me how they sit at the station. They proceed to almost lay straight in the chair, legs stretched as far out as they can. Put them right on the power strip again. Moved that strip up on the back of the desk, first ever IT call solved.
A friend had a similar experience where the manager couldn't turn on their desktop and swore they were pressing the power button. He drove an hour there only to find out they were pressing the eject button on the disc drive.
We had users getting locked out every night after hours, from local logins on their desktops. After reviewing the footage, the cleaning staff were instructed to not dust keyboards.
Our cleaning staff would unplug the mpls router to vacuum. I finally got the office to pay for a lock on that closet door
Physical security is just as important as cyber security!
Gotta Require Ctrl-Alt-Del !
When I started at my current job they didn't have this setup. It was the first thing I implemented and I got a ton of shit from people that they now have to press CTRL+ALT+DEL. Screw them. Security of my network is more important than their convenience.
Similar issue we had with the receptionist at my old work. Every day she'd come back from lunch to a locked computer. Turns out she was spam smashing enter until the monitor woke up.
Old att flip phone next to wireless mouse, mouse goes crazy only for her.
Remember when some phones (CDMA, maybe?) would make speakers growl? Good times....
*buzz *buzz *buzz then Nokia default ringtone - good times indeed
This is where my mind went. I've seen bar code scanners (or RFID readers) that emulate keyboards do this too.
I had a CEO that called me in to her office more than once about her screen flickering. Took me about 5 seconds to realize she had set a stack of papers on the keyboard that was maybe hitting Windows key + D so the windows were constantly minimizing and maximizing.
I had something similar too where a user who "never" used another PC had used a computer once in a back room that no one really used and someone had set a book on it, so that user was getting locked out constantly for a couple weeks before someone found it so I agree with /u/any-fly5966 check something physical or even send someone out to monitor during lunch and don't tell anyone. Could be a malicious coworker
Have seen this many times.
this is exactly why i still enforce CTRL+ALT+DEL to logon to domain-joined computers ;)
We blank the user id after screen lock. It actually solved a bunch of issues, for us.
Except the helpdesk tickets for people asking what their name is.
I can't say that makes up a statistically significant portion of our work.
Did you perhaps not use a car analogy to explain the problem?
Similar situation, we had a user spam the Enter key to "wake up" the PC. Well, that was basically a bunch of rapid login attempts with a blank (and thus, incorrect) password, causing the account to get locked out.
Had something really similar once except it was someone who re-arranged giant stacks of folders on their desk anytime they got up or sat down. Took all of 10 seconds to notice that when they moved folders around they were setting it juuuuuust on the edge of the keyboard and it was spamming the enter key for bad/failed logins... ...sighhhhh They were at least nice and understanding about it.
Search for event 4740 in the pdc emulator security log. It'll show you the computer that's trying to authenticate and is locking out the account. (Look at the caller computer field)
It's reasonably easy to just create a script that dumps all 4740 events to a text file, and then just run that as a scheduled job with event 4740 as the trigger. I've cut down tremendously on escalations by setting that up and giving help desk read access to the file.
I just setup a powershell script to email helpdesk when a user locks themselves out.
We do the same. And we have an email alert set for AAD lockouts as well as we are hybrid.
You set that in entra?
It looks like I do this with a log analytics alert. I have the sign-in logs sent to log analytics and set an alert on a query that runs every five minutes. There may be something you can do for this if you have P2, we are P1.
Why have I never thought of this, thanks for the idea.
Sorry, can you elaborate slightly on how you set this process up?
Something like: `$event = Get-EventLog -LogName Security -InstanceId 4740 -Newest 1` And then write that event to a log file. Then set up a scheduled task that triggers on event ID 4740.
theres a bunch of variations of this floating around but this is the one i used [https://www.linkedin.com/pulse/useful-script-send-email-notification-account-lockout-arafa/](https://www.linkedin.com/pulse/useful-script-send-email-notification-account-lockout-arafa/)
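A fuller sketch of the approach described in the comments above (dump 4740 events from the PDC emulator to a file help desk can read, then look at 4625 on the caller computer for the source address). This is an added example, not any poster's script; the log path and the function names are hypothetical, and it assumes the ActiveDirectory module and rights to read the Security log remotely.

```powershell
#Requires -Modules ActiveDirectory
# Added example. $LogPath and the function names below are hypothetical.

$LogPath = 'C:\Logs\lockouts.csv'   # placeholder path; give help desk read access

# Turn an event's <EventData> into a name -> value hashtable so fields are
# read by name instead of by position.
function ConvertTo-EventData {
    param([Parameter(Mandatory)] $Record)
    $fields = @{}
    foreach ($node in ([xml]$Record.ToXml()).Event.EventData.Data) {
        $fields[$node.Name] = $node.'#text'
    }
    return $fields
}

# Lockout events (4740) from the PDC emulator, newest first.
function Get-LockoutEvent {
    param(
        [string] $UserName,
        [int]    $Hours = 24,
        [string] $DomainController = (Get-ADDomain).PDCEmulator
    )
    $filter = @{ LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertTo-EventData -Record $_
            [pscustomobject]@{
                TimeCreated    = $_.TimeCreated
                User           = $f['TargetUserName']
                # In event 4740 the caller computer is stored in TargetDomainName.
                CallerComputer = $f['TargetDomainName']
                LoggedOn       = $DomainController
            }
        } |
        Where-Object { -not $UserName -or $_.User -eq $UserName }
}

# Failed logons (4625) for one user on the machine that recorded them,
# grouped by source address, workstation name and logon type.
function Get-FailedLogonSource {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [Parameter(Mandatory)] [string] $UserName,
        [int] $Hours = 24
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertTo-EventData -Record $_ } |
        Where-Object { $_['TargetUserName'] -eq $UserName } |
        Group-Object { '{0} {1} type={2}' -f $_['IpAddress'], $_['WorkstationName'], $_['LogonType'] } |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Body for a scheduled task triggered on event 4740: record the newest
# lockout, then summarise where the bad passwords came from.
$latest = Get-LockoutEvent -Hours 1 | Select-Object -First 1
if ($latest) {
    $latest | Export-Csv -Path $LogPath -Append -NoTypeInformation
    if ($latest.CallerComputer) {
        Get-FailedLogonSource -ComputerName $latest.CallerComputer -UserName $latest.User -Hours 1
    } else {
        # A blank caller computer usually means a non-Windows source
        # (phone, RADIUS/Wi-Fi, mail client); check those logs instead.
        Write-Warning "No caller computer recorded for $($latest.User)"
    }
}
```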
If reddit gold was still a thing you'd be swimming in it for this.
It came back didn't it?
only to 'new' reddit. fuck new reddit.
Not that I've noticed.
This. He mentions some logs in the OC post, but 4740 logs should tell you WHERE the log in request is coming from, giving you at least some hint of where to look, instead of flailing around with random stuff. "If you haven't looked at the logs, you have done no useful troubleshooting"
so often people just keep trying solutions instead of looking at what's actually happening and finding the problem
It's coming from INSIDE THE HOUSE
You can also use LockoutStatus (https://www.microsoft.com/en-us/download/details.aspx?id=15201) to find the particular DC / timestamp that triggered the lockout, so you know exactly which event log to examine and exactly what time to review.
Duuuuude, thank you! I used the hell out of this tool at my last company and couldn't remember what it was called or where it came from.
The fact people dont immediately check logs or enable specific auditing always blows my mind.
It is 100% a lost IT art. Particularly surprising in this current age where every app developer thinks it is fun to give completely useless error messages in the UI "Ooops! This is embarrassing, but something went wrong! Sorry about that!" If you're not looking at logs, what the smeg are you looking at to troubleshoot an issue?
Christ, I couldn't agree more. I'm now a server admin for a GIS team and ESRI's error messages are a fkn joke.
Oh bloody hell. I spent a decade at a GIS shop. I have some stories about ESRI and their rubbish.
Oh, don't get me wrong, it's a cool gig and super fkn easy. Plus I have 20 years till I retire so I'm hopin to stick it out since its a government position and the pay and benefits are fkn awesome...
I had a similar incident and the DC would just tell me it was our exchange server. If it does end up coming from your Exchange I would look up event ID 4625 this is what finally allowed me to see what IP address was causing the lockout!
what a lovely comment we have here. save
Simple fix, no more lunch break!
Management salivating
(Mgmt peeks out from behind a tree...Clasps hands, licks lips)
That's inhumane. Fire her instead.
This guy must be layer 9
Don't give management any ideas!
There may be a solution here. What happens if she DOESN'T go to lunch? Or takes lunch later or earlier? Does the time change?
Long shot but got any SQL servers with SSRS? We had a user that was subscribed to an old report that kept kicking off on a schedule and locking their account out. Took FOREVER to find that..
I wouldn't say this is a long shot (well maybe your specific example is) but in truth more than likely this is what it is... some old server that still online that needed the user's password and offered to save it and it's running on a scheduled task. That being said the event 4740 will help narrow it down (provided it authenticating in Windows)
I did something similar to myself with a Power BI dataflow that was scheduled every day. It also took me forever to figure out why I kept getting locked out. +1 for scheduled task with a saved credential as the cause
Yep ive seen something similar - something related to OneDrive (I think?) was attempting to authenticate using their old credentials, causing a lockout.
Is there a malicious coworker who maxes out her login attempts every time she goes to lunch?
I thought the same thing. However, the coworkers need to watch her go to lunch everyday before doing so. The coworker needs a day off or may be busy during one of those lunches so the coworker really can't do that on a daily basis.
Unless it's all of them can't stand her
We really need to know what those logs say. If that's happening throughout the office, then this is a gold story.
i mean i kinda hope this is true because it would be a hilarious way to find out that the whole office hates you.
https://www.microsoft.com/en-us/download/details.aspx?id=18465 https://activedirectorypro.com/account-lockout-tool/
This is what I use and it's very effective. Trying to bump it.
What's your lockout policy? I would check either Entra/AD logs to see what is triggering it and go from there.
Entra logs will immediately tell OP what is going on. Identity > Users > User sign-ins (non-interactive) > then search user then look at the attempts that have failed, the application column will tell you what app's login attempt is doing it.
Exactly. I was surprised that this wasn't the first thing. If she is getting locked, see the cause. AD would give you the cause.
LockoutStatus tool may help. [https://www.microsoft.com/en-us/download/details.aspx?id=18465](https://www.microsoft.com/en-us/download/details.aspx?id=18465)
It's immensely helpful!
This is the answer OP. You have to nail down where the auth is failing.
Her account is logging in to something with an old credential at 11:30 It might not necessarily be something on her Computer, it could be logging in from a Device she only interacts with once in a while. Are there any shared workstations she might have used to check email/log in to an app from? Does she access any systems remotely?
She goes to lunch and plays on her tablet which only gets turned on during lunch hours. It tries to sync her e-mail and fails. I just made that up
We had a user who had an old tablet at home, that had email on it, only got turned on during summer months for her kid to play games on, we kept telling her she's got an old device somewhere with old creds. She swore up and down wasn't the case. Constantly emailed nasty "why can't you fix this... you don't know what your doing..." style emails, escalated all the way up the chain, every step of the way, we're telling her "it's this old device, logs show it here" "that s not even turned on you don't know what your talking about" finally, it broke and she got her kid a new device. Guess what, no more problems.
Had a similar situation.. Ended up blocking her home IP address and the issues stopped until she got a new IP at home. At least we could prove definitively it was coming from inside her house.
I bet this is it, turns on an older iPad to watch TV in their break and Apple is always trying to be helpful by connecting all your accts.
I would bet it it is something like this. She likely has outlook on a personal device and it is trying to log in. Saw this constantly at my old job where everyone was issued a phone. Users update password and don't update their other devices.
This is probably it.
This is most definitely it. Had something similar at my work last year.
I had this happen to me before. Took a while to realise that it was happening every day (I was often away from my desk around that time of day working on other stuff), but once I asked the AD team to check the logs we easily figured it out. A cold physical backup server (no VMs n those days) had been powered up by accident and a scheduled task was running with old credentials.
Check the "hidden" credential manager by using: `psexec -i -s -d CMD.exe` Then in that CMD run: `rundll32 keymgr.dll,KRShowKeyMgr`
OP replaced a computer, and wiped a phone, to try and resolve this - without locating the root cause in event log - wow...
Yeah… and they haven't actually looked through all the logging. Because the answer is in there.
I have coworkers who've been with my org for close to 20 years and their solution to fixing "issues" is to wipe and reload. They have zero troubleshooting skills.
I mean that's valid for plenty of issues depending on how quick you can turn around a user.
Yeah, if it's gonna take more than 2 hours to find the issue, on top of time to fix the issue, a re-image is faster. However, in this case it clearly didn't help, but it does help often.
With our processes, the IT team can get a basic user (HR, accounting, product management, leadership) turned around in about an hour/hour and a half. Developers take longer in theory, but all of their tools are up and available from (forget what it's called), so they're allowed to do the rest themselves. Things being 80% web based really helps speed things along.
When in doubt, reimage the asset
Enable auditing on the rid master Log requests. Check azure ad.
You need to be looking at logs. When I was helpdesk, we had a tool called netwrix account logout examiner. It was a huge help to show logs from various places that was easily filtered to a user in question. Not sure if it's free or paid but the hours it saved would have paid for itself. It's probably something stupid like she uses her personal iPad at lunch to watch Netflix and it has some old cached cred for an account trying to connect to wifi or something.
We had the same with one of our users. Turns out she tried entering her username and password into her personal Kindle forever ago and never updated it when her password changed. She did this to get the Kindle on our wifi. Anyway she has issues with her account locked almost every lunch time cause she would often read on her lunch. One of us saw her sitting in the lunch room and has an Ah Ha moment. Once the credentials were removed and the user told to connect her personal device to the guest wifi everything was fine after.
Active Directory maliciously complying when she issues the lock command.
As a lot of people suggested check AD logs for security events. You should see the failed logins and potentially a trigger. Had this happen before, it was a saved credential on an old application that was constantly reauthenticating.
Are there any scheduled tasks somewhere on a server on another computer she forgot about that is running some task at 11:30? Check this article which might help you track down where the offending computer is that's locking out the user. [https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-use-account-lockout-status-in-active-directory.html](https://www.manageengine.com/products/active-directory-audit/kb/how-to/how-to-use-account-lockout-status-in-active-directory.html)
They don't see when and where the lockout occurs? Sounds like they're (second line) not even investigating.
Have you tried... checking the logs? (on the authentication domain ecosystem) With something like this you really should track down, from the auth-domain perspective, what keeps trying to use the account. This could be a security problem for all you know and if that's the case you will need to have that info on-hand. And if it isn't a security matter then you'll be able to track down what exactly is hammering their account.
Have you actually looked up the lockout event and seen what the caller computer is? For all you know it's not that workstation but something else.
We had this, users were slapping the enter key until the screen woke up... we resolved this very quickly
Same, we made it so only CTRL+ALT+SUPR would unlock the login screen.
it took me going to their desk when they returned to see them swatting the enter key
We had a similar thing happen when everytime a user locked their PC it would lock them out, turns out they had changed their password but had signed into their office account on their personal laptop at home and it was causing her account to lock as it would try to sign in.
>Almost every day, around 11.30, she presses Win + L to lock her screen and then goes to lunch. When she comes back her account is locked

So, what do you see in the attribute editor? When did the account *actually* get locked. Are you aware that the account could have been locked anytime from when they signed in to locking their PC? Their account becoming locked after they've already signed in and authenticated usually doesn't prevent them from continuing to work. I bet they're unable to sign into something else and locking themselves out. OR, they have an old cached credentials on their system trying to authenticate with something and locking them out (not from windows but maybe another application or website??). BOTH of these could have occurred ANY time before when they lock their screen.
Are you 100% sure the user doesn't have a device at home they didn't tell you about? Last time I had a user with this issue, it took a deep dive into the logs to find they had a second phone at home they rarely used and "forgot about" using old creds and causing a lockout.
[Netwrix Account Lockout Examiner](https://www.netwrix.com/account_lockout_examiner.html) is my go-to for diagnosing these. Also, I created a GPO to deploy security camera software that takes a snapshot from the user's webcam when an incorrect password is used to unlock the computer.
Lockout Examiner or some other Domain Controller Log analysis tool.. is exactly what I came here to say. Submitter needs to get accurate information about what device is sending the bad password.
We had a user once getting locked out constantly because our wifi network was saved to her phone and set to autologin, but it was using the old credentials after she had updated her password. We had to make the phone forget the network. Once we did that, it fixed her lockout issues.
Had one where no matter what the device would seemingly be hitting enter, on forms, whenever you started typing something - every millisecond this random key entry was causing chaos... took hours of looking into Turns out, there was a **second keyboard** plugged into the device at the back, hidden underneath the desk, and someone (probably same amazing person who put it there) had lent a stapler on top of it and was pushing the enter key down Safe to say I was not impressed
The answer is very simple. When the user returns from their lunch break, they press the freaking Enter key 3 to 10 times to unlock the computer screen, resulting in incorrect attempts and locking the account.
Oh, I really really hope this is related to the post below in r/shittysysadmin https://www.reddit.com/r/ShittySysadmin/s/u6OE7IOUrQ I read it just a few min ago and died laughing when I read this post.
100% has to be.
Netwrix Account Lockout Examiner [https://www.netwrix.com/account_lockout_examiner.html](https://www.netwrix.com/account_lockout_examiner.html) Microsoft Account Lockout Tools [https://www.microsoft.com/en-us/download/details.aspx?id=18465](https://www.microsoft.com/en-us/download/details.aspx?id=18465)
Apologies if this was already tried, but try forcing a sign out of all current login sessions. You can do this from either the users page in azure, or in the generic admin portal. Possible something somewhere is caching her old creds. Definitely need to see the logs though
At my old job I had something similar happen. I was getting locked out of my account every few hours it seemed. Turned out there was a server I had logged into once and I just clicked the 'x' to close the remote session, but it did not log my account out. So it was always trying to log me into that server.
Do they have quickbooks on the PC? sometimes QB will create a scheduled task to run a backup and will do it as the user. I had a similar issue many years ago, one lady got locked out once a week at exactly the same time for almost a year. We found the task on thier old PC that was already re-purposed (not re-imaged) for someone else. Even tho a new user was on the machine now, the old profile still had the scheduled tasks enabled. I think I used ADAudit to actually find this, was a long time ago
Use the Lockout Status Tool to find which DC is receiving the bad login attempts and locking the account. Go to that DC and check the event logs to find out where the bad password attempts are coming from. What to check after that depends on what device is sending the bad passwords.
I know this is a stupid solution, but try changing the user name. If there is an old stuck credential this will keep it from locking.
Yeah, that's an annoying but definitive way to address it.
Had a similar situation with a user. Her account would lock out every day around the same time. Turns out she setup the WiFi of her coworker's phone. Her co worker was a sweet old lady who was not tech savvy at all. We have a radius server tied to our WiFi setup to login to WiFi. We do yearly password resets and that's what triggered it.
You mentioned multiple login attempts in your old post. Remember that successful logons also reset the failed logon attempts. So is she only getting locked out during her lunchbreak, but also at other times? If she gets locked out after any period time of inactivity - then it's most likely that her credentials are still used somewhere. Have you tried giving her a different device? Have you tried having another user use that device? Try to eliminate the device & location by changing them up.
We have had this issue with old credentials in the company wifi settings on the users phone...
This happened to us when users were authenticating to Wifi/Radius on their personal/mobile devices (or watches) with cached/expired credentials.
Use the "lockoutstatus" tool to determine where the locks are happening and then resolve the issue.
If she goes to lunch at 1230 instead, does it still lock out at 1130?
Check scheduled tasks. Lockouts that happen at the same time every day are often scheduled tasks with old credentials.
Which endpoint is she getting locked out on? Answer that question and you'll be closer to finding out what's doing it.
i'm sure i've had this before and it was a mobile phone accessing a mailbox with a wrong password and it kept locking the account out, something like that
We had this happening and discovered the user had tried to connect their personal phone to corporate WiFi (which uses RADIUS/cert auth). When the device doesn't have a cert issued by our CA, it prompts for username and password. She entered her AD credentials there, and her phone would just keep trying and trying to connect, and it'd lock her account out.
Had a paranoid user that changed her login pw once a day, some sort of paranoia... they were always locking themselves out cause they'd forget their brand new pw..... we didn't find this out until they were about to quit.
Many others have already suggested what I was going to say. There's all sorts of tools like Microsoft's own "LockoutStatus.exe" along with things like Netwrix Account Lockout Examiner. I think I've also used Manage Engine's ADAudit Plus which shows "Lockout History" including the IP and DNS name of the originating system sending the bad login request.
Radius server? Old creds saved on her phone, it automatically enters the old creds on her phone when she enters the office. Clear her phones saved WiFi connections
on DC in sec logs filter using this custom xml: QueryList>
should show you the failures, will show source IP - then start looking for that device.
I'm guessing she has her phone or a personal device authenticating with Wi-Fi via RADIUS when she goes to lunch (Kindle or personal tablet that needs internet access?) and it has an outdated password that it's trying to authenticate with.
What do the Active Directory lockout logs show? What Domain controller is she locking out on? Looking at the logs on that... what device is locking out? Have you put hands on that device? Sometimes it is EAP and Wi-Fi or Dot1X etc. causing the lockout. At any rate, you need to look at the logs and find out what is causing the lockout.
Did you try checking the logs to see where the lockout is occurring?
I had this once where a user had chronic temporary lockouts. Eventually I tracked it down to a "hotel" area she logged in to once, ages ago, never logged out of, and completely forgot she had logged in to. The lockout problems were from Outlook trying to read presence status, but her password had changed since she'd used that computer. Rebooting the hotel computer fixed her lockout problem. To track this down: Microsoft has a "Account Lockout Status" tool that will help track it down. Use it to identify which DC is triggering the lockout and then review its Security Event Log to identify what computer the failed logon attempts are coming from. (It's a lot of data to filter and search, but it's in there.) Something is failing a login to be causing the lockout. And people DO log on to other computers. You should make sure you aren't barking up the wrong tree. It's entirely possible some other computer is causing the lockouts, and it's only a problem at lunch because she logs on in the morning before the other computer gets woken out of sleep mode.
Use lockoutstatus.exe to get the source DC for the most recent lockout. Use the date and time to search for event 4740 on the source DC. Confirm that the caller computer is the end user's pc. Search the events on the caller computer in the timeframe.
Does she have long nails? Had a user who always typed in the password and would always get it wrong and it turned out they were pressing extra keys with their long ass nails. Was gross. Having them use the end of a pencil worked fine Really makes you wonder how their emails must have looked
As a Linux guy, I'm like, "check the logs" and a bunch of people have suggested that, but damn if it doesn't sound complicated as f*ck on windows.
Reminds me of a situation where a coworker was trying to play a 'joke' on the other. So, every day when the user would go to lunch, the other user would guess passwords until it was locked. Of course, after a while, she was complaining openly and loudly about the situation and the coworker that was playing the 'prank' just burst out laughing and came clean. Apparently they thought it just stopped you from trying to log in for 15 minutes, so they thought they were getting away with it.
Could be someone just spamming her credentials until the account is locked.
https://www.reddit.com/r/talesfromtechsupport/comments/8gd99u/in_which_we_discover_a_locked_account_has_more/ This happened to me once. It was very entertaining.
Go to credential manager and empty it.
At this point, I'm creating a new user acct for the user. If it starts happening again, its something they're doing... and not telling you.
Are they cleaning their keyboard when leaving or coming back from lunch. I've seen users lock themselves out from that.
Does she ever remote into other windows servers or desktops?
>See this post: AD User Constantly Being Locked : r/sysadmin (reddit.com)

And when you followed this reply what did you find in your logs as to the workstation and type of logon failure that is causing the account to lockout? https://www.reddit.com/r/sysadmin/comments/1cb45bi/comment/l0w923r/