Some possibilities here are the users are logged on to another machine on
the network with an old password, they have a drive mapped using an old
password, they have an application running that has an old password cached,
or they have a service that is starting with their user account using the
old password.
One program that may be helpful here is psloggedon from
www.sysinternals.com. You can run this against a user account and it will
return a list of all computers that the user is logged on to locally or over
the network (if you have a large network, it could take a while to run
this).
Also, check the services console to see if any services are starting with
their user account.
Also, remove all programs from the startup menu and the Run key in the
registry and see if you still have the problem.
If none of this helps, enable auditing on the domain controllers for the
following events:
a) Account Logon Events - Failure
b) Account Management - Success
c) Logon Events - Failure
Then, after an account gets locked out, look for events 675, 644, or 529 in
the security logs of the domain controllers to see where the bad password
attempts are coming from (if it gives the IP address of another DC, check
the security log on that DC for the same event and it should show the
machine name or ip address of where the bad logon attempt came from).
--
Jimmy Harper [MSFT]
Directory Services
This posting is provided "AS IS" with no warranties, and confers no rights
Janne said:
Hi!
This kind of problem usally occur when users have been using different
machines. The cause of this could be drive mappings, scheduled jobs,
services etc on other machines. You have to make sure that the users who has
these problems change the password on every place their user account is
used.
