Activesync account lockout issue

A few days back a user raised a concern about frequent account lockouts in our environment. When I checked the user, I found an old device for the user, which I blocked and removed. The user continued to face the problem. Then I disabled the ActiveSync feature for the user, but some old device is still hitting IIS for the user and the account is getting locked. The problem is that there is no trace of the device except "Android/4.2.2-EAS-1.3" for the user, and the same device is not present for the user in Exchange. I have tried to detect the device using MFCMapi, but no such Android device is present for the user. Is there any way to detect and delete the device that is causing the lockout? I also want to know how a mobile device behaves towards IIS if we disable the ActiveSync feature for a user.
Any suggestion will be helpful for me. Thanks.

Hi 
In addition to the above, you can check the things below.
I suggest you run the following command to see the devices that are connected and active:
Get-ActiveSyncDeviceStatistics -Mailbox username
Also check whether the user has any mobile device connected through another mobility platform (BB, Good Messaging, etc.) which might be causing this issue.
Block the originating IP address on the firewall in front of the Exchange server.
Also log on to the Exchange server and look in the security audit event logs to find the source.
You can also use this script to find old mobile devices:
http://blogs.technet.com/b/heyscriptingguy/archive/2014/01/18/avoid-account-lockout-use-powershell-to-find-old-mobile-devices.aspx
Thanks Sathish
(MVP)
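
The device in the question is visible only in the IIS log, so the log itself can be used to pin it down. The following is an added example, not code from either poster: it parses IIS W3C log lines, keeps failed ActiveSync requests for one user, and groups them by device ID, user agent and client IP. The function name `Get-EasAuthFailure`, the sample log lines, the device IDs and the IP addresses are all constructed for illustration, and the `User=`/`DeviceId=`/`DeviceType=` query-string layout is assumed to be present in plain text.

```powershell
# Added example. Requires PowerShell 3.0 or later.
# Constructed IIS W3C log sample (documentation IP ranges, made-up device IDs).
$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2014-05-02 08:10:01 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=androidc0000000001&DeviceType=Android&Cmd=Sync - 203.0.113.25 Android/4.2.2-EAS-1.3 401
2014-05-02 08:10:03 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=androidc0000000001&DeviceType=Android&Cmd=Sync - 203.0.113.25 Android/4.2.2-EAS-1.3 401
2014-05-02 08:10:09 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=ApplEXAMPLE0002&DeviceType=iPhone&Cmd=Ping EXAMPLE\jdoe 198.51.100.7 Apple-iPhone5C2/1104.257 200
2014-05-02 08:11:40 POST /Microsoft-Server-ActiveSync/default.eas User=jdoe&DeviceId=androidc0000000001&DeviceType=Android&Cmd=Sync - 203.0.113.25 Android/4.2.2-EAS-1.3 401
2014-05-02 08:12:00 GET /owa/ - EXAMPLE\asmith 198.51.100.9 Mozilla/5.0 200
'@ -split "`r?`n"

function Get-EasAuthFailure {
    param(
        [string[]]$Line,           # raw W3C log lines, including the #Fields header
        [string]$User,             # optional: sAMAccountName to filter on
        [string]$Status = '401'    # HTTP status that counts as a failed logon
    )
    $fields = @()
    $hits = foreach ($l in $Line) {
        # The #Fields directive names the columns; it can change between log files.
        if ($l -like '#Fields:*') {
            $fields = @(($l -replace '^#Fields:\s*', '').Trim() -split '\s+')
            continue
        }
        if ($l -like '#*' -or $fields.Count -eq 0) { continue }
        $values = @($l.Trim() -split ' ')
        if ($values.Count -ne $fields.Count) { continue }   # blank or truncated line
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $rec[$fields[$i]] = $values[$i] }

        if ($rec['cs-uri-stem'] -notlike '/Microsoft-Server-ActiveSync*') { continue }
        if ($rec['sc-status'] -ne $Status) { continue }

        # Split the query string into key/value pairs (User, DeviceId, DeviceType, Cmd).
        $q = @{}
        foreach ($pair in ($rec['cs-uri-query'] -split '&')) {
            $k, $v = $pair -split '=', 2
            if ($k) { $q[$k] = $v }
        }
        # cs-username is "-" on a failed logon, so the user comes from the query string.
        $reqUser = [uri]::UnescapeDataString("$($q['User'])")
        if ($User -and (($reqUser -split '\\')[-1] -ne $User)) { continue }

        [pscustomobject]@{
            Time       = "$($rec['date']) $($rec['time'])"
            User       = $reqUser
            DeviceId   = $q['DeviceId']
            DeviceType = $q['DeviceType']
            UserAgent  = $rec['cs(User-Agent)']
            ClientIP   = $rec['c-ip']
        }
    }
    # One output row per device/agent/IP combination, busiest first.
    $hits | Group-Object User, DeviceId, UserAgent, ClientIP | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            User       = $sorted[0].User
            DeviceId   = $sorted[0].DeviceId
            DeviceType = $sorted[0].DeviceType
            UserAgent  = $sorted[0].UserAgent
            ClientIP   = $sorted[0].ClientIP
            Failures   = $_.Count
            First      = $sorted[0].Time
            Last       = $sorted[-1].Time
        }
    } | Sort-Object Failures -Descending
}

Get-EasAuthFailure -Line $sampleLog -User 'jdoe' | Format-Table -AutoSize

# On a server, feed it the real log instead. The path below is an assumption
# (a common IIS 7 default), not a value from the thread:
# Get-EasAuthFailure -Line (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex*.log') -User 'jdoe'
```

A DeviceId that appears here but not in the `Get-ActiveSyncDeviceStatistics -Mailbox` output is a device with no partnership left in Exchange, and its ClientIP is the address to look at on the firewall.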

Similar Messages

  • Account Lockout issue between Apple devices and Exchange 2003

    I have been having an ongoing issue for a couple of months with a few different users Apple devices locking out their accounts in AD when they try to authenticate to ActiveSync.  This doesn't happen every time they authenticate, it seems to be random,
    while the rest of the time they have access to their email.  It might occasionally happen with an Android, but not on a repetitive basis like this.
    Primarily this has been four different iPads, running different versions of iOS, and an iPhone running the latest release of iOS 7.  Other iPhones and iPads function without having the problem, including iPhones on iOS 7.  
    The user accounts in question are set to never have their passwords expire, but again, they aren't the only users that are set like this, and those other users, even with Apple devices are not having the same problem.
    I used NetWrix to trace out the source machine, which is my Exchange 2003 server and times, and I've checked the W3SVC1 log file, and come up with the following as an example with identification details masked:
    <internal IP>, <Domain\Username>, 4/30/2014, 8:10:04, W3SVC1, <ServerName>, <internal IP>, 15, 329, 3367926, 200, 0, GET, /exchange-oma/<[email protected]>/NON_IPM_SUBTREE/Microsoft-Server-ActiveSync/iPad/ApplV50462*****/eb53cd5d5b9fcf40****************-20ef44,
    As I was typing this, the owner of the iPad from the log file above came by my desk, so I asked a couple more questions.  He's never had another iPad, it's a gen 1, and he's never updated the iOS on it.  I know one of the other iPads in question
    has the most up to date iOS, and the other one is brand new, replacing one that was broken, but the owner of that one had the same issue on a 3 year old iOS.  
    There is nothing special about the user accounts, no special privileges or restrictions.
    Has anyone encountered this before?  Exchange 2003, Server 2003 in a 2008 domain.  Promotion to the 2008 domain was 2 years ago.

    Hi Brian,
    I am so sorry for the delay.
    Do you have any progress by now?
    Since there are lots of devices which use user accounts to log on, failed logon attempts on these devices could be the cause for account lockout.
    If this issue persists, I suggest you refer to these troubleshooting articles below:
    Troubleshooting account lockout the PSS way
    http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx
    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155(v=WS.10).aspx
    In addition, you can also get efficient support at Active Sync forum below:
    http://social.technet.microsoft.com/Forums/exchange/en-US/home?forum=exchangesvrmobilitylegacy
    Best Regards,
    Amy

  • Active directory account lockout issue

    I have one main AD server on Windows 2003 R2, against which all users are authenticated, and a second (backup) ADC, also on Windows 2003 R2. We have a third ADC on Windows 2008 R2, which was created for Exchange 2010 on Windows 2008 R2.
    Users are randomly getting account lockouts.
    Can anyone help with this?

    Hi,
    You can start with the threads below to see whether you are prepared to determine lockout sources.
    http://technet.microsoft.com/en-us/library/cc773155(v=ws.10).aspx
    http://blogs.technet.com/b/heyscriptingguy/archive/2012/12/27/use-powershell-to-find-the-location-of-a-locked-out-user.aspx
    Use LockoutStatus from ALTools (http://www.microsoft.com/en-us/download/details.aspx?id=18465), then check the source DC where lockouts are being reported. Use the Event Viewer on that DC and look for "failure audits" for that particular user account, or during the time frame reported by LockoutStatus. Use the event description to find the source workstation/server where the lockout is coming from, and check that server for any likely cause (disconnected RDP sessions, Credential Manager, services running with domain accounts, applications, etc.).
    Hope this helps.
    Regards,
    Calin

  • Account Lockout issue

    Hi All,
    I am facing one strange issue on account lock out issue of one of the user. On domain controller logs caller computer name is showing "Domain Controller" name. While looking on event id 4625 Source Network Address is showing some other server name.
    I have checked that server user don't have rights to login on that server but whenever user account is lock out every time its showing only this server name.
    In user machine i did all troubleshooting, enable netlogon debugging on domain controller but  nothing found.
    Nirmal Singh IT Administrator

    Hi All,
    I am facing one strange issue on account lock out issue of one of the user. On domain controller logs caller computer name is showing "Domain Controller" name. While looking on event id
    4625 Source Network Address is showing some other server name.
    Not that one. 4625 says which account requested the logon. In AD, a user never requests the logon, that is why you see the domain controller. Go for 4740 on your PDC emulator, as Aditya mentioned. I have a step by step for this in my blog:
    Am I locked out? Where? How?
    Mahdi Tehrani | www.mahditehrani.ir

  • Random Account Lockout (How to trace source?)

    In Windows 2003 server native domain environment: XP Pro machines have no issues, but all ~10 PCs that have Win7 Pro (in different offices) have their domain accounts locked out randomly throughout the day. Workstations have no passwords listed in credentials
    management.
    I suspect something on the workstations is sending incorrect logons and triggering the invalid password lockout limit in the domain policy. I found MSFT tools to trace this in XP, but nothing for Win7. Does anyone know how to use Procmon or a similar tool to trace such a source on the workstations? Thank you.
    (Procmon.exe from Sysinternals)

    Hi,
    The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
    We can run LockoutStatus.exe on a domain controller to identify and investigate the account lockout issue.
    Troubleshooting tools:
    By using this tool, we can gather and display information about the specified user account, including the domain admin's account, from all the domain controllers in the domain. In addition, the tool displays the user's badPwdCount value on each domain controller. The domain controllers that have a badPwdCount value that reflects the bad password threshold setting for the domain are the domain controllers that are involved in the lockout. These domain controllers always include the PDC emulator operations master.
    You may download the tool from the link:
    Download Account Lockout Status (LockoutStatus.exe)
    http://www.microsoft.com/downloads/details.aspx?familyid=D1A5ED1D-CD55-4829-A189-99515B0E90F7&displaylang=en
    Once we confirm the problematic computer, we can perform further research to locate the root cause. There are many possible causes for a bad password, such as a cached password, scheduled tasks, mapped drives, services, etc. Please remove any previous password cache which may be used by some applications and therefore cause the account lockout problem.
    Troubleshooting steps:
    1. Click Start, click Run, type "control userpasswords2" (without the quotation marks), and then click OK.
    2. Click the Advanced tab.
    3. Click the "Manage Password" button.
    4. Check to see if these domain account's passwords are cached. If so, remove them.
    5. Check if the problem has been resolved now.
    If any application or service is running as the problematic user account, please disable it and then check whether the problem occurs.
    For your convenience, I'd like to list the common troubleshooting steps and resolutions for account lockouts as the following:
    Common Causes for Account Lockouts
    To avoid false lockouts, please check each computer on which a lockout occurred for the following behaviors:
    Programs:
    Many programs cache credentials or keep active threads that retain the credentials after a user changes their password.
    Service accounts:
    Service account passwords are cached by the service control manager on member computers that use the account as well as domain controllers.
    If you reset the password for a service account and you do not reset the password in the service control manager, account lockouts for the service account occur. This is because the computers that use this account typically retry logon authentication by using
    the previous password. To determine whether this is occurring, look for a pattern in the Netlogon log files and in the event log files on member computers. You can then configure the service control manager to use the new password and avoid future account
    lockouts.
    Bad Password Threshold is set too low:
    This is one of the most common misconfiguration issues. Many companies set the Bad Password Threshold registry value to a value lower
    than the default value of 10. If you set this value too low, false lockouts occur when programs automatically retry passwords that are not valid. Microsoft recommends that you leave this value at its default value of 10. For more information, see "Choosing
    Account Lockout Settings for Your Deployment" in this document.
    User logging on to multiple computers:
    A user may log onto multiple computers at one time. Programs that are running on those computers may access network resources with the user credentials of that user who is currently logged on. If the user changes their password on one of the computers, programs that are running on the other computers may continue to use the original password. Because those programs authenticate when they request access to network resources, the old password continues to be used and the user's account becomes locked out. To ensure that this behavior does not occur, users should log off of all computers, change the password from a single location, and then log off and back on.
    Stored user names and passwords retain redundant credentials:
    If any of the saved credentials are the same as the logon credential, you should delete those credentials. The credentials are redundant
    because Windows tries the logon credentials when explicit credentials are not found. To delete logon credentials, use the Stored User Names and Passwords tool. For more information about Stored User Names and Passwords, see online help in Windows XP and the
    Windows Server 2003 family.
    Scheduled tasks:
    Scheduled processes may be configured to use credentials that have expired.
    Persistent drive mappings:
    Persistent drives may have been established with credentials that subsequently expired. If the user types explicit credentials when they try to connect to a share, the credential is not persistent unless it is explicitly saved by Stored User Names and Passwords. Every time that the user logs off the network, logs on to the network, or restarts the computer, the authentication attempt fails when Windows attempts to restore the connection because there are no stored credentials. To avoid this behavior, configure net use so that it does not make persistent connections. To do this, at a command prompt, please type net use /persistent:no. Alternately, to ensure current credentials are used for persistent drives, disconnect and reconnect the persistent drive.
    Active Directory replication:
    User properties must replicate between domain controllers to ensure that account lockout information is processed properly. You should
    verify that proper Active Directory replication is occurring.
    Disconnected Terminal Server sessions:
    Disconnected Terminal Server sessions may be running a process that accesses network resources with outdated authentication information.
    A disconnected session can have the same effect as a user with multiple interactive logons and cause account lockout by using the outdated credentials. The only difference between a disconnected session and a user who is logged onto multiple computers is that
    the source of the lockout comes from a single computer that is running Terminal Services.
    Service accounts:
    By default, most computer services are configured to start in the security context of the Local System account. However, you can manually configure a service to use a specific user account and password. If you configure a service to start with a specific user account and that account's password is changed, the service logon property must be updated with the new password or that service may lock out the account.
    Internet Information Services:
    By default, IIS uses a token-caching mechanism that locally caches user account authentication information. If lockouts are limited to users who try to gain access
    to Exchange mailboxes through Outlook Web Access and IIS, you can resolve the lockout by resetting the IIS token cache. For more information, see "Mailbox Access via OWA Depends on IIS Token Cache" in the
    Microsoft Knowledge Base.
    MSN Messenger and Microsoft Outlook:
    If a user changes their domain password through Microsoft Outlook and the computer is running MSN Messenger, the client may become locked out. To resolve this behavior,
    see "MSN Messenger May Cause Domain Account Lockout After a Password Change" in the
    Microsoft Knowledge Base.
    For more information, please refer to the following link:
    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155.aspx
    Account Passwords and Policies in Windows Server 2003
    http://technet.microsoft.com/en-us/library/cc783860.aspx
    Hope this helps!
    Novak

  • Account Lockout Automatically in Windows 2008 R2 Active Directory

    Dear All,
    Suddenly, in our Windows 2008 R2 SP1 AD domain, users are automatically locked out. I don't know what the issue is with the domain controller. We can manually unlock all the users, but within 2 to 3 minutes all users are locked out again.
    We have continuously received event 12294.
    Please help me with what I should do; is there any fix for that?
    Regards,
    Kamal Patel
    Server Admin
    Regards, Kamal Patel Windows Administrator

    Hi,
    Please run a complete virus scan on your network and monitor the result. Meanwhile, please use the Account Lockout and Management Tools and check whether they help you solve this issue. In addition, you can refer to the following articles to troubleshoot the account lockout issue:
    Frequent Account lockout troubleshoot
    Troubleshooting Account Lockout
    By the way, for Event ID 12294, please refer to the following article and check whether it can help you:
    Event ID 12294 — Account Lockout
    If there is any update, please feel free to let me know.
    Hope this helps.
    Best regards,
    Justin Gu

  • Account lockout problems

    Hi,
    I've a curious problem with account lockouts. I've read a lot of topics and pages but I can't identify the reason for this problem.
    We have set up a new AD and are moving the users step by step. It's not a migration with ADMT; we create completely new accounts, move the mailbox and user data manually, and move the workstation from the old to the new domain.
    We have moved around 100 users, and with around 5 of them I have account lockout problems. While they are working, the account gets locked out.
    I installed NetWrix Account Lockout Examiner and set the security settings as required. When the account gets locked out, the workstation field is always empty. If I examine on the DC or the user's workstation, the result is mostly like this:
    from ::ffff:192.168.**.*** (\\DC2) at 09.01.2014 08:46.26
    fom 10.0.*.* (\\UsersWS) at 09.01.2014 08:46:26
    + from ::ffff:10.0.*.* (\\UsersWS) at 09.01.2014 08:39:26
    Reason: Unknown user name or bad password
    Logon Type: CachedInteractive
    So, the first entry seems to be a "valid" login failure, but after that, the next two are curious.
    I checked the security log on DC2 and found 2 entries for that time / user:
    Source: Microsoft Windows-Security-Auditing
    ID: 4771
    Kerberos pre-authentication failed.
    Client: UserWS
    Ticketoptions: 0x0
    Errorcode: 0x18
    Type: 2
    Source: Microsoft Windows-Security-Auditing
    ID: 4740
    A user account was lockout.
    Caller Computer Name:
    Is the problem really UserWS? I'm not sure, because the caller computer name is empty. Typical things like the password store etc. have been checked.
    Could it be the Exchange server? The user has a smartphone syncing his mailbox, but the device does not show any error.
    After a successful login, the bad password count should be reset to 0, but it seems that it stays at 1 or 2, so that the account gets locked out after one auth failure.
    I'm thankful for any hint.

    Smartphones and similar devices are common causes for account lockouts. You need to check applications running on them that require an AD authentication and be sure that you are using the correct password.
    Paul has created a great article about how to troubleshoot account lockout issues: http://blogs.dirteam.com/blogs/paulbergson/archive/2012/04/23/user-account-lockout-troubleshooting.aspx

  • Smart card and Account Lockout Policies Issue

    I have enabled "Interactive logon: Require smart card" and "Account Lockout threshold: 3 invalid logon attempts". The lockout policy works fine with normal passwords. However, when I try to use the smart card and enter a wrong PIN 4 times, the lockout policy does not work.
    Can anyone please help with this issue?

    Hi,
    The validity of the PIN is managed by the smartcard itself, not by Windows. Windows just logs in if the smartcard gives the right certificates/keys. The smartcard will only do so when it is provided a valid PIN.
    Also note an account should not be locked out to avoid brute forcing the PIN. Instead, the smartcard should lock.
    http://technet.microsoft.com/en-us/library/cc962052.aspx
    http://technet.microsoft.com/en-us/library/ff404290(v=ws.10).aspx
    MCP/MCSA/MCTS/MCITP

  • Event 4740 Not Logged for a Single Account Lockout

    Domain Functional Level: 2003
    PDC Emulator: 2008 R2
    Lockout Origin DC (also the RADIUS server): 2003 R2
    For quite a while now I have been relying on Event 4740 on the PDC Emulator to track account lockouts.  Usually when the RADIUS server causes an account lockout, the Caller Computer Name is blank in the Event 4740.  This usually tells me that our
    Cisco WLAN Controller caused the lockout.
    Our Default Domain Policy is set to audit Account Logon Events for failure, Account Management for success/failure, and Logon Events for success/failure (plus numerous other things).
    This time there is no Event 4740 for this account lockout and I can't figure out why.  The events are there for other lockouts several minutes before or after this one.  Windows just hates me so it decided to skip this one.  The main reason
    this is a problem is because I just set up Scheduled Task on the PDC Emulator, triggered by Event 4740, to run a PowerShell script that will provide the help desk with a report for each account lockout, even parsing the IIS logs on the Client Access Server
    to identify which ActiveSync device caused it.  Of course the week after I announce that, Windows decides not to log one.
    Using LockoutStatus.exe I determined that the Origin DC for the lockout was the RADIUS server.
    NetLogon debug logging is enabled on the RADIUS server, however I took a nap today after being let out of work early for the holiday so by the time I checked the netlogon.bak file it had already been overwritten with newer data.
    There was, however, an Event 644 locked on the RADIUS server (pasted below with domain/computer/user details edited for privacy).  I don't even know where to start as far as trying to prevent this from happening again.  Anyone have any suggestions?
     Within the next couple months I will spin up a 2012 RADIUS server and a separate 2008 R2 DC to replace the 2003 multipurpose server, but it's not high on my boss's priority list so it's a tough sell considering the WLAN is functional right now.
    Event Type: Success Audit
    Event Source: Security
    Event Category: Account Management 
    Event ID: 644
    Date: 12/31/2014
    Time: 10:00:35 AM
    User: NT AUTHORITY\SYSTEM
    Computer: DomainControllerAndRadiusServer
    Description:
    User Account Locked Out:
    Target Account Name:
    LockedOutUser
    Target Account ID:
    DOMAIN\LockedOutUser
    Caller Machine Name:
    CISCO
    Caller User Name:
    DomainControllerAndRadiusServer$
    Caller Domain:
    DOMAIN
    Caller Logon ID:
    (0x0,0x3E7)

    Hi,
    I suggest you use Auditpol command to check the current auditing status on Domain Controller.
    You can type this command below:
    Auditpol /get /Category:Logon/Logoff
    If the Account Lockout subcategory is set to no auditing, please use /set option to enable auditing:
    Auditpol /set /Subcategory:"Account Lockout" /Success:enable /Failure:enable
    More information for you:
    Auditpol
    http://technet.microsoft.com/en-us/library/cc731451.aspx
    Best Regards,
    Amy

  • Blackberry Hub slow when switching from any account to an Exchange Activesync account

    I'm experiencing a very slow hub when switching from any account (Facebook, LinkedIn, WhatsApp, Gmail, etc.) TO my work email using Exchange ActiveSync. When switching back from Exchange ActiveSync TO any other account the issue is not there. It basically takes a couple of minutes to enter the Exchange ActiveSync account, and looking at the Device Monitor, CPU section, it seems like the Hub process is constantly at 50% CPU usage during this time. This is really causing me lots of issues, as of course I switch between accounts quite frequently. Any suggestions are welcome. Thanks for the support!

    I'm having the same issue.  What can be causing it.
    It was fine using a Z30 until 10.3.1.1865 was recently updated.
    Switching between all other accounts is fine just when going to my exchange account (or the main hub view)

  • Intermittent iphone activesync calendar/mail issues

    We are experiencing intermittent activesync calendar/email issues that are causing many of our iPhone users to miss meetings and have major trouble scheduling events from the iPhone. The main problem is that most of the time everything works perfectly until suddenly you realize that you missed a meeting or that your email is suddenly out of sync and you have no idea how long it has be like that.
    I have found several band aid "solutions" to temporarily resolve the issues:
    http://blog.fosketts.net/2008/07/10/how-to-set-up-iphone-exchange-activesync/
    http://blog.hltechsolutions.com/2008/07/iphone-activesync-calendar_24.html
    We are using iPhone Firmware 3.0 and higher on all iPhones, on an Exch 2007 server.
    We need a real solution for this ASAP.

    I am on version 3.1.2 and am having many problems with ActiveSync. It often says connection to server cannot be established and prompts me for my password multiple times a day. I have checked with other iPhone users in the organization and many do not have problems. I have tried changing my password, deleting the ActiveSync profile and recreating, and restoring the iPhone. I am getting quite frustrated as are my IT peers as they have to unlock my Windows account every few hours. I need help please!
    This behavior seems to have started when I upgraded to 3.1.2. Before that I never had any problems.

  • Account lockout message to user is NOT displayed when going thru RD Gateway

    We recently introduced account lockouts after 5 failed attempts, for 30 minutes. Our users RDP to our server thru TS Gateway before getting to the server. IIS7 is configured to work with TS Gateway.
    The problem is that when an account gets locked because of 5 invalid passwords, they do not receive the usual account lockout error message to contact the admin to unlock it. Instead, it keeps asking for the username and password indefinitely. In other words, the user has no way of knowing that his/her account is locked.
    I noticed that within our LAN, when I RDP to the server directly (without going thru the TS Gateway), the account lockout message appears normally and it says that you need to contact the admin to unlock the account.
    This problem occurs only when going thru the gateway. Is there a way to enable the error message to appear when the account is locked?

    A) are these methods copied twice in the code here on purpose?
       connectChat() and onSynchronizationChange is repeated in code due copy paste mistake
    B) are both users subscribing to _collectionNode right away? Do each of them
    get to onSynchronizationChange?
       Yes , each of them get to onSynchronizationChange
    C) If you put a breakpoint in onSynchronizationChange, do you see the node
    get created? Do you see it in the dev console?
    Yes , it is creating a node
    D) Is user B receiving an onItemReceive at all? Is user A?
    Yes , it is creating a node
    Now both the user getting chat message, have following issue
    When user A initiate the chat with user B this action is not opening chat pod / window on user B end which shows user A has initiated chat with user B
    But when user B click on user A name to initiate the chat, this action opens a chat window and user B can see message send by user A
    Above scenario is not normal chat behavior in which other user gets the notification of chat . what could be the problem

  • Account lockout information

    Hi,
    I'm trying to find out information on account lockouts on UAG.  We can see a user been locked out when they come in via our UAG's however we have no idea what exactly is locking out the account.  The error in the Security log on the UAG servers
    is generic without much information.  We publish Outlook Anywhere, OWA and ActiveSync via UAG and I cannot determine which of these is locking the specific user out.  Is there way to determine this?
    Thanks,

    You need to enable auditing for your domain controllers and servers. It's done using group policies:
    Auditing for Domain Controllers:
    1. Navigate to Start > Programs > Administrative Tools > Group Policy Management.
    2. In the Group Policy Management console, expand the Forest: <domain_name> > Domains > <your_domain_name> > Domain Controllers node.
    3. Right-click Default Domain Controllers Policy and select Edit from the popup menu.
    4. In the Group Policy Object Editor, under Computer Configuration, expand the Windows Settings > Security Settings > Local Policies node and select the Audit Policy node.
    5. Set the Audit Account Management parameter to ‘Success’, and Audit Logon Events and Audit Account Logon Events to ‘Failure’.
    Auditing for Domain:
    1. Navigate to Start > Programs > Administrative Tools > Group Policy Management.
    2. In the Group Policy Management console, expand the Forest: <domain_name> > Domains > <your_domain_name> node.
    3. Right-click the Default Domain Policy node and select Edit from the popup menu.
    4. In the Group Policy Object Editor, under Computer Configuration, expand the Windows Settings > Security Settings > Local Policy node and select the Audit Policy node.
    5. Set the Audit logon events parameter to Failure.
    Then check for events with ID 4740 in the Security logs. Additionally you may use Microsoft Account Lockout Tools or our free tool Netwrix Account Lockout Examiner.
    --- Jeff (Netwrix)
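
Once 4740 events are being logged, they can be summarised per account and caller computer, which also makes the blank "Caller Computer Name" cases mentioned in several threads above easy to spot. This is an added example, not code from any poster here: the function names `ConvertFrom-LockoutEventXml` and `Get-LockoutSourceSummary`, the host names and the events themselves are constructed. It relies on the fact that in event 4740 the caller computer name is stored in the `TargetDomainName` data field.

```powershell
# Added example. Requires PowerShell 3.0 or later.
# Constructed 4740 events, in the XML form returned by the ToXml() method of
# the records that Get-WinEvent produces (trimmed to the fields used below).
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$sampleXml = @(
    "<Event xmlns='$ns'><System><EventID>4740</EventID><TimeCreated SystemTime='2014-12-31T14:52:10Z'/><Computer>PDC01.example.test</Computer></System><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'>WS-042</Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4740</EventID><TimeCreated SystemTime='2014-12-31T15:00:35Z'/><Computer>PDC01.example.test</Computer></System><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'></Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4740</EventID><TimeCreated SystemTime='2014-12-31T15:31:02Z'/><Computer>PDC01.example.test</Computer></System><EventData><Data Name='TargetUserName'>jdoe</Data><Data Name='TargetDomainName'></Data></EventData></Event>",
    "<Event xmlns='$ns'><System><EventID>4740</EventID><TimeCreated SystemTime='2014-12-31T15:40:00Z'/><Computer>PDC01.example.test</Computer></System><EventData><Data Name='TargetUserName'>asmith</Data><Data Name='TargetDomainName'>CAS01</Data></EventData></Event>"
)

function ConvertFrom-LockoutEventXml {
    param([string[]]$Xml)
    foreach ($x in $Xml) {
        $e = ([xml]$x).Event
        if ($e.System.EventID -ne '4740') { continue }
        # Collect the named <Data> fields into a lookup table.
        $d = @{}
        foreach ($n in $e.EventData.Data) { $d[$n.GetAttribute('Name')] = $n.InnerText }
        # "Caller Computer Name" in Event Viewer is the TargetDomainName field.
        $caller = "$($d['TargetDomainName'])".Trim()
        if (-not $caller) { $caller = '(blank)' }
        [pscustomobject]@{
            TimeUtc        = $e.System.TimeCreated.SystemTime
            User           = $d['TargetUserName']
            CallerComputer = $caller
            ReportedBy     = $e.System.Computer
        }
    }
}

function Get-LockoutSourceSummary {
    param([string[]]$Xml)
    ConvertFrom-LockoutEventXml -Xml $Xml |
        Group-Object User, CallerComputer |
        ForEach-Object {
            [pscustomobject]@{
                User           = $_.Group[0].User
                CallerComputer = $_.Group[0].CallerComputer
                Lockouts       = $_.Count
                LastUtc        = ($_.Group | Sort-Object TimeUtc | Select-Object -Last 1).TimeUtc
            }
        } | Sort-Object User, CallerComputer
}

Get-LockoutSourceSummary -Xml $sampleXml | Format-Table -AutoSize

# Against a live domain (run with rights to read the Security log; Get-ADDomain
# needs the ActiveDirectory module):
# $pdc = (Get-ADDomain).PDCEmulator
# $xml = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } |
#        ForEach-Object { $_.ToXml() }
# Get-LockoutSourceSummary -Xml $xml
```

Rows whose CallerComputer is `(blank)` are the ones where the posters above had to go to the originating server's own logs (IIS, RADIUS, gateway) to identify the source.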

  • Account Lockout repeatedly, even though lockout policy is disabled

    I have a remote user whose domain account keeps getting locked out, and I'm completely stumped. Due to the lockout issues, we have disabled the domain lockout policy, and use the soft lockout function available in Forefront TMG. This is working for everyone but the 1 user.
    On the DC that is locking the account, I see the event ID 4740 in the security logs. What makes ZERO sense is that the Caller Computer shows as her workstation. Her workstation is a Surface Pro, which is not on a VPN. So it has no connection to the domain controller.
    When users that are connecting through TMG were getting locked out, the Caller Computer showed as the TMG machine.
    I have gone through and cleared any saved credentials from the Credential Manager on the workstation, yet the account is still getting locked out.
    So why is this account getting locked out even though the lockout policy is disabled? And how is it showing the user's workstation as the caller computer, when it has no direct connection to any domain controllers?

    Try looking at the local policy on the Surface Pro machine.  It sounds like the policy is being applied from the local machine itself.
    http://www.sevenforums.com/tutorials/3652-local-group-policy-editor-open.html
    Paul Bergson
    MVP - Directory Services
    MCITP: Enterprise Administrator
    MCTS, MCT, MCSE, MCSA, Security, BS CSci
    2012, 2008, Vista, 2003, 2000 (Early Achiever), NT4
    Twitter @pbbergs http://blogs.dirteam.com/blogs/paulbergson
    Please no e-mails, any questions should be posted in the NewsGroup.
    This posting is provided AS IS with no warranties, and confers no rights.

    This could be the issue, as the machine is remote and hasn't updated the GPO with a DC since before it was disabled. I thought the DC is what disabled the account, and stopped authenticating the user. So even if the GPO existed on the client machine, it still wouldn't be disabled.
    But how is it even getting to the DC that the account is disabled? The DCs have no access to the internet, and the client has no VPN to the DC.

    Local policy can have lockout set which could have come from the domain policy.
    Paul Bergson

  • Account Lockout source process / application

    Hello There,
    I am using "Account Lockout Status" and also "Netwrix Account Lockout Examiner", which is really helpful.
    I have a situation where one of the user accounts is getting locked out every day. I tried to trace the source, but in all cases it shows the source as TMG (which is the gateway for email & Lync access) through the internet.
    I suspect the account lockout source is the user's machine, but I want to see which process is triggering this.
    How can I check the process name which is causing the account lockout on the source machine itself?
    Please suggest.
    Regards,
    Maqsood
    Maqsood Mohammed Senior Systems Engineer MCITP-Enterprise Admin & ITILv3 Foundation Certified

    1. Run this command:
    rundll32 keymgr.dll,KRShowKeyMgr
    2. Back up the stored credentials using the Backup button. Then, remove them.
    If the problem continues, we need to enable audit policies and analyze the event log to troubleshoot this problem. For more information, please refer to:
    Troubleshooting Account Lockout
    http://technet.microsoft.com/en-us/library/cc773155(WS.10).aspx
    Account Lockout and Management Tools
    http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=18465
    Hope below link helps.
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/8c0e9442-6df6-43b0-8b50-bd44f53dfdea/my-account-is-getting-locked-out?forum=winserversecurity
    Regards,
    Manjunath Sullad
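
One way to answer the "which process" question from the suspect machine's own Security log, as an added example that is not part of the thread: failed logons (event 4625) and logons with explicit credentials (event 4648) both record the calling process in their `ProcessName` field. It assumes logon auditing is enabled on that machine; the function name and sample events are constructed.

```powershell
# Added example. Get-LogonProcessSummary is a hypothetical helper, not a built-in cmdlet.
function Get-LogonProcessSummary {
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [Parameter(Mandatory)][string]$User
    )
    $rows = foreach ($x in $EventXml) {
        $evt = ([xml]$x).Event
        $id  = $evt.System['EventID'].InnerText
        if ($id -notin '4625', '4648') { continue }
        $data = @{}
        foreach ($d in $evt.EventData.Data) { $data[$d.Name] = $d.'#text' }
        # TargetUserName is the account the credentials were presented for.
        if ($data['TargetUserName'] -ne $User) { continue }
        [pscustomobject]@{
            EventId = $id
            Process = $data['ProcessName']        # process that requested the logon
            Server  = $data['TargetServerName']   # present in 4648 only
        }
    }
    # Busiest process/event/server combination first.
    $rows | Group-Object Process, EventId, Server | Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed, simplified sample events (not taken from the thread).
$t = '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>' +
     '<EventID>{0}</EventID></System><EventData><Data Name="TargetUserName">{1}</Data>' +
     '<Data Name="ProcessName">{2}</Data><Data Name="TargetServerName">{3}</Data>' +
     '</EventData></Event>'
$sample = @(
    ($t -f 4648, 'jdoe', 'C:\Program Files\Example\mailclient.exe', 'mail.example.test'),
    ($t -f 4648, 'jdoe', 'C:\Program Files\Example\mailclient.exe', 'mail.example.test'),
    ($t -f 4625, 'jdoe', 'C:\Windows\System32\svchost.exe', ''),
    ($t -f 4648, 'asmith', 'C:\Windows\System32\lsass.exe', 'fs01.example.test')
)
Get-LogonProcessSummary -EventXml $sample -User 'jdoe' | Format-Table -AutoSize

# Live use on the suspect machine, from an elevated session:
# $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625, 4648;
#     StartTime = (Get-Date).AddDays(-1) } | ForEach-Object { $_.ToXml() }
# Get-LogonProcessSummary -EventXml $xml -User 'jdoe'
```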
