prince_vegeta

Distinguished
Aug 17, 2006
19
0
18,510
OK, we have 3 servers, all win2k3, and about 120 workstations almost all with winxpsp2. My prob IS there is ONE user that almost every morning their account gets locked out with first log on. 1.. out of 120.. Have NEVER had this problem before, and can't seem to find a solution.
I have tried deleting the user account and recreating it. That didn't work, he has tried different workstations with the same outcome. After first login attempt he has to wait 10mins before his account is unlocked, or I unlock it. Even if his first attempt is the correct user/pass.
All servers are up-to-date with patches, along with his PC. We only have the primary DC, we had a secondary and have got rid of it last week, and still have the problem.
Any suggestions or SOLUTION would be greatly appreciated.
BTW nothing comes up in the security log on the DC saying that his failure attempts were logged.
thanks
Mick :cry:
 

fattony

Distinguished
Oct 16, 2006
609
0
18,990
lol wicked!

that's really something...you sure you have full security auditing enabled on that DC? what if you disable his credential caching somehow

i know you've removed his user object, but can you also wipe out all his profiles across the network so they get recreated?

if you give him a completely different username and make sure it gets a new SID? how do we know he doesn't have something like a scheduled task running with his account every night which doesn't have the correct username/password information failing to authenticate against the DC, so when he gets there in the morning the account is already locked?

i mean if you check in the morning before he gets it, does AD show that he's already locked up?

those are the only logical things i can think of that would make sense, but maybe someone's just messing around with him, trying to log him in on purpose so he'd lock up...office pranks ya know, i'd definitely check out the security auditing policies on there, wouldn't wanna miss that failed attempt

oh oh, and it could be a service somewhere running with his credentials, more important reason why you should try giving him a new account, also make sure he's not messing up his exchange login (if you have one) or any other IIS or FTP authentications, sharepoint...whatever
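
One way to answer the two questions raised in the reply above (is the account already locked before the user arrives, and which machine is sending the bad credentials), as an added example that is not part of the thread. It assumes failure auditing is enabled on the DC and that the Security log has been exported to a simple CSV; the CSV layout, host names and account names are constructed for illustration. The event IDs are the Windows Server 2003 ones (644 account locked out, 529 bad-password logon failure, 675 Kerberos pre-authentication failure).

```python
import csv
from collections import Counter
from datetime import datetime, timedelta
from io import StringIO

# Windows Server 2003 Security log event IDs
LOCKOUT = 644           # user account locked out
FAILURES = {529, 675}   # bad-password logon failure, Kerberos pre-auth failure

# Constructed sample export (time, event id, account, source host); not real data.
SAMPLE = """\
2006-10-18 02:00:03,675,jsmith,FILESRV2
2006-10-18 02:00:04,675,jsmith,FILESRV2
2006-10-18 02:00:05,675,jsmith,FILESRV2
2006-10-18 02:00:05,644,jsmith,DC1
2006-10-18 04:41:10,529,jsmith,WS-017
2006-10-18 04:41:30,529,bjones,WS-044
"""

def parse(text):
    """Turn the CSV export into dicts with a real datetime and int event id."""
    rows = []
    for when, event_id, account, source in csv.reader(StringIO(text)):
        rows.append({"time": datetime.strptime(when, "%Y-%m-%d %H:%M:%S"),
                     "id": int(event_id), "account": account.lower(),
                     "source": source})
    return rows

def lockout_sources(events, account, window_minutes=30):
    """For each lockout of `account`, count the preceding failures per source host."""
    account = account.lower()
    mine = [e for e in events if e["account"] == account]
    report = []
    for lock in (e for e in mine if e["id"] == LOCKOUT):
        start = lock["time"] - timedelta(minutes=window_minutes)
        hits = Counter(e["source"] for e in mine
                       if e["id"] in FAILURES and start <= e["time"] <= lock["time"])
        report.append((lock["time"], dict(hits)))
    return report

if __name__ == "__main__":
    # A 02:00 lockout fed by a server rather than the user's workstation points
    # at a scheduled task or service holding a stale password.
    for locked_at, sources in lockout_sources(parse(SAMPLE), "jsmith"):
        print(locked_at, sources)
```

If the report comes back empty for an account that is known to lock out, the failures are not being audited, which is the first thing to fix.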
 

prince_vegeta

thanks lad,
the thing is, he isn't locked out till his first login attempt, good or bad. because after that it takes 10mins before his account is unlocked, and it isn't like he's getting in on the first attempt, then getting kicked out because something is trying to use something with bad credentials. that's what's throwing me. :?
but I'll check his scheduled tasks! 8O didn't think of that, checked all start up shite.
hahah would love to be here when he logs on, but it's normally around 4:30 - 5am.. I'm out on a mine site, and come for our weekly visit 2 days a week, today (wed) and tomorrow.
but the new user account sounds like a smashing idea.
the one thing i have found on the net is that there can be probs between primary DC and secondary DC not sending the right info in regards to user logon attempts. so we have just removed the secondary DC as one of our remote sites has been changed. so going to see how that goes tonight/tomorrow, and yeah if that doesn't work, which I'm not too hopeful about, I'll give the brand spankin new user account a go.
wish me luckkkkkk :p