LDAP Account Locked Out Sporadically after Password change - Finding the source of invalid attempts
- by CityView
On a small network of machines (<1000) we have a user whose account is being locked out after an indeterminate interval following a password change.
We are having severe difficulties finding the source of the invalid logon attempts and I would appreciate it greatly if some of you could go through your thought process and the checks you would perform in order to fix the problem.
All I know for sure is that the account is locked out several (5+) times a day. I can't even be sure it's due to failed login attempts, as there is no record of failure until the account is locked.
So far I have tried:
- Logging the account out of everything we can think of and back in with the new password
- Scanning the user's box for any non-standard software which might perform an LDAP lookup
- Checking all installed services on our production boxes to check none are attempting to run under the account
- Changing the user back to their old password (problem persists, so perhaps the password change is a red herring)
- Wireshark on a box where lots of LDAP authentication is performed - rejects only occur after the account is already locked out
- Clearing the credential cache in Control Panel - User Accounts - Advanced
- Looking at the local
I'm at a loss for what to try. I am happy to try any suggestions you have in order to diagnose the issue. I think my question boils down to a simple request:
I need a technique for deriving the source (Application/Host) of the invalid login attempts which are causing the account to be locked.
I'm not sure if that's even possible but I suspect there must be more I can try.
Many thanks,
CityView