How to investigate windows network lockouts related to Outlook Exchange Server authentication

Tags: active-directory, authentication, exchange-2003, ntlm, outlook-2003

I am an end-user, not an IT professional. Unfortunately my corporate resources cannot solve this problem. I am looking for some advice to give them.

I've been account locked on our corporate network an average of 2-3 times a day over the past four months. I've gone days without problems and been locked out 7 times in a single day. In the preceding 8 years I'd been locked out twice.

Each lockout requires a call to our corporate help desk to get my account unlocked. The lockouts occur because our security system "thinks" I'm trying to authenticate repeatedly with invalid credentials (wrong password).

The full details of the extremely tedious debugging process to date are in a blog post of mine: http://tech.kateva.org/2009/05/debugging-network-account-lockouts.html.

About a week ago I hacked away at Outlook 2007 and my lockouts went away. The cost was that I had to manually authenticate (domain/username and password) the first time each "day" that my Outlook client connected to Exchange server. Annoying, but I could live with that.

Since I began this process my laptop has been refreshed. I have new hardware with a pristine corporate standard disk image and I'm back to Outlook 2003. I'm also back to being locked out!

So I don't think the problem is on my laptop.

On further investigation I discovered that if I set Outlook 2003 to always request credentials, I was NOT locked out.

So I need to understand how the authentication process differs when:

a. Outlook connects to Exchange and automatically authenticates (standard behavior) using the credentials associated with my user account (NTLM network domain/un and pw).

b. Outlook connects to Exchange and I have to manually enter my network un and pw.

Somehow 'b' works correctly. I think, however, that with process 'a' Exchange Server (or Outlook?) is sending the wrong credentials to Active Directory, causing me to be locked out.

I suspect a misconfiguration of my Active Directory account and/or my Exchange Server mailbox.

I need to provide our help desk and security desk with a good list of things they can investigate on Active Directory or Exchange Server. If I cannot do this I will need to get a new Corporate ID and give up on my existing user ID.

I think if I can point them in the right direction, and give them pretty precise guidance, that they can fix this problem.

Any advice would be of help. I may simply have to research how NTLM (AD) authentication works with Exchange Server requests.

Best Answer

We had issues with account lockouts in a large org I worked for in the past.

What I did (as a member of the IT org) was to build a script which sat on the PDC (now PDC emulator). Whenever an account is locked out, this domain controller registers an Event ID # 644 (4740 on Windows Server 2008) in the Security log. The event also includes the name of the client machine which attempted the last logon with improper password. So my script polled the Security Log every 5 minutes and posted this data to a web page which was accessible to the Help Desk.

Once we had this, it was a trivial matter to change Help Desk's workflow to check that page whenever they got an account lockout issue, then help the user discover what it was on that machine which had caused the lockout. As you note in your blog article, the culprit is usually some second machine where the user had forgotten that they were logged on when they changed their password from their primary machine. Usually that second machine would be running Outlook, or have a drive mapped via the user's (now out of date) credentials.

And when Help Desk had lulls in their day, they could proactively check this web page and resolve issues for people who didn't yet know they'd been victims of account lockout.

If there is interest in this script, I could dig it out, dust it off, and post it here.
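The answer above describes polling the PDC emulator's Security log for lockout events and publishing the locked-out user together with the caller computer name. The script below is an added example written for this page, not the answerer's original script (which was never posted). It assumes a Windows Server 2008 or later PDC emulator (event ID 4740; on Windows Server 2003 the equivalent is 644 and would need `Get-EventLog` instead of `Get-WinEvent`), an account with rights to read that server's Security log (for example, membership in Event Log Readers), and a hypothetical output path under the help desk web root. The `-ComputerName`, `-MinutesBack` and `-OutFile` parameters are this example's own.

```powershell
<#
  Added example (not the answer author's script): poll the PDC emulator's
  Security log for account-lockout events (ID 4740) and write an HTML summary
  of who was locked out and from which caller computer, for the Help Desk.
  Assumptions: reader rights on the PDC emulator's Security log; the output
  path and polling window are hypothetical defaults.
#>
param(
    # Default to the domain's current PDC emulator; lockouts are always recorded there.
    [string]$ComputerName = ([System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name),
    # Match the 5-minute polling interval described in the answer.
    [int]$MinutesBack = 5,
    # Hypothetical location served by the Help Desk intranet site.
    [string]$OutFile = 'C:\inetpub\wwwroot\lockouts.html'
)

function Get-LockoutEvents {
    param([string]$ComputerName, [int]$MinutesBack)

    $filter = @{
        LogName   = 'Security'
        Id        = 4740                                   # "A user account was locked out"
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    }

    # Get-WinEvent raises an error (not an empty result) when nothing matches,
    # so suppress that and simply return nothing for a quiet interval.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read the EventData fields by name rather than by position so the
            # mapping does not silently break if field order ever differs.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

            [pscustomobject]@{
                Time             = $_.TimeCreated
                User             = $data['TargetUserName']
                # 4740 carries the "Caller Computer Name" (the machine that sent the
                # bad password) in the field named TargetDomainName.
                CallerComputer   = $data['TargetDomainName']
                DomainController = $_.MachineName
            }
        }
}

function Write-LockoutPage {
    param([object[]]$Events, [string]$Path)

    $header = "<p>Account lockouts seen on the PDC emulator, generated $(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')</p>"
    if (-not $Events) {
        $body = '<p>No lockouts in the last polling window.</p>'
    } else {
        $body = $Events |
            Sort-Object Time -Descending |
            ConvertTo-Html -Fragment -Property Time, User, CallerComputer, DomainController
    }
    ConvertTo-Html -Title 'Account lockouts' -PreContent $header -PostContent $body |
        Set-Content -Path $Path -Encoding UTF8
}

$events = @(Get-LockoutEvents -ComputerName $ComputerName -MinutesBack $MinutesBack)
Write-LockoutPage -Events $events -Path $OutFile
```

Run it from a scheduled task every five minutes on the PDC emulator (or on a management host with remote Event Log access) so the page stays current; the Help Desk then looks up the caller computer for a locked-out user and checks that machine for the stale Outlook session or mapped drive the answer describes. If a lockout shows a caller computer the user has never used, that is itself the finding to escalate rather than treat as a password problem.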