Active Directory Multiple Failed Login Attempts by same user

Nikil Lepcha 6 Reputation points
2021-10-12T10:00:15.23+00:00

In my enterprise, a single user logs in to multiple systems (for example, take the count as 5). After the password expires, the user changes the password with the help of the IT team and logs in on one system.
After this incident, the remaining 4 systems which the user previously logged in to trigger bad password attempts continuously, like 5-10 bad password attempts each second.

I can't figure out what the problem is. How do the systems automatically trigger a login attempt? What should I do to stop such incidents?

Windows Server 2016
Active Directory

3 answers

  1. Gary Reynolds 9,396 Reputation points
    2021-10-12T10:22:15.95+00:00

    Hi @Nikil Lepcha

    It looks like the user has a previous session still active or a network share or something else that is still using the old password. Have a look at this article; it might help you find where the old credentials are still being used. https://nettools.net/troubleshoot-account-lockouts/

    Gary.

    1 person found this answer helpful.

  2. Gary Reynolds 9,396 Reputation points
    2021-10-12T11:11:10.467+00:00

    Hi @Nikil Lepcha

    I'm assuming that the user is logging into Windows workstations or servers that are joined to an AD. The reason I ask is that by default AD will only accept the current password; it doesn't accept n-1 or n-2 passwords. This functionality only exists for computer accounts and is limited to n and n-1 passwords. Unless you have additional services installed on the DCs to support this functionality. Can you share the details of your new lockout policy?

    Are there multiple accounts that are showing this problem or just this one?

    The presence of a user profile on a machine will not cause a logon event; this will only happen if the user has started an RDP session and disconnected the session or left a machine logged on. Typically in this scenario the logon event happens as the session tries to access resources that were opened while the user was using the session, or mapped drives opened with credentials.

    You can use NetTools to identify which systems are causing the logon and see if there are any sessions still running for the user.

    Gary.

    1 person found this answer helpful.

  3. Gary Reynolds 9,396 Reputation points
    2021-10-12T21:13:31.163+00:00

    Hi,

    If you follow the article it will show you which machines the accounts are getting locked out from, then you can check that machine for an open session. It doesn't provide the ability to scan machines to find active sessions.

    Gary.
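
An added example, not part of the original thread and not NetTools code: the answers above come down to finding which machines the stale-password attempts come from. One way to see that from a domain controller's Security log is to count bad-password events 4771 (Kerberos) and 4776 (NTLM) per source for the affected account. The function names, the `jdoe` account and the sample events are constructed for illustration.

```powershell
# Added example; Get-BadPasswordSource and New-SampleEvent are illustrative names.
# Fields are those of DC Security events 4771 (Kerberos pre-authentication
# failed) and 4776 (NTLM credential validation).
function Get-BadPasswordSource {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,  # one string per event, from ToXml()
        [Parameter(Mandatory)][string]$UserName
    )
    $rows = foreach ($x in $EventXml) {
        $evt = ([xml]$x).Event
        $d = @{}
        foreach ($n in $evt.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['TargetUserName'] -ne $UserName) { continue }
        $id = [int]$evt.System.EventID
        # Status 0x18 (4771) and 0xC000006A (4776) both mean "wrong password"
        if ($id -eq 4771 -and $d['Status'] -eq '0x18') {
            $src = $d['IpAddress'] -replace '^::ffff:', ''   # strip IPv4-mapped prefix
        } elseif ($id -eq 4776 -and $d['Status'] -eq '0xC000006A') {
            $src = $d['Workstation']
        } else { continue }
        [pscustomobject]@{ Source = $src; EventId = $id }
    }
    if (-not $rows) { return }
    $rows | Group-Object Source | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
}

# Constructed sample events, trimmed to the fields used above.
function New-SampleEvent($Id, $User, $Field, $Value, $Status) {
    "<Event><System><EventID>$Id</EventID></System><EventData>" +
    "<Data Name='TargetUserName'>$User</Data><Data Name='$Field'>$Value</Data>" +
    "<Data Name='Status'>$Status</Data></EventData></Event>"
}
$sample = @(
    New-SampleEvent 4771 jdoe IpAddress '::ffff:10.0.0.21' '0x18'
    New-SampleEvent 4771 jdoe IpAddress '::ffff:10.0.0.21' '0x18'
    New-SampleEvent 4776 jdoe Workstation 'WS02' '0xc000006a'
    New-SampleEvent 4771 asmith IpAddress '::ffff:10.0.0.30' '0x18'   # other user
    New-SampleEvent 4771 jdoe IpAddress '::ffff:10.0.0.22' '0x12'     # not a bad password
)
Get-BadPasswordSource -EventXml $sample -UserName jdoe

# Live use on a DC (requires rights to read the Security log):
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4771, 4776 } |
#     ForEach-Object { $_.ToXml() }
# Get-BadPasswordSource -EventXml $xml -UserName jdoe
```

Event 4771 records the client IP address while 4776 records the workstation name, so the `Source` column mixes both; the machines at the top of the list are the ones to check for disconnected sessions or mapped drives still holding the old password.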
