Windows 7 Account getting locked out constantly

[nt5]

I've recently installed Windows 7 (Professional) on some machines, and am finding that the accounts I set up on them are getting locked out frequently, independently of any failed password attempts from the users.

Possibly relevant details:
-These are stand-alone machines that have never been connected to a domain, so it can't be an AD issue
-They've never been connected to a network at all so it can't be a remote session problem
-The machines are dual-boot but the windows 7 partition is never mounted/accessed from any other OS
-Password policy has been modified from the default (account lockout after n tries, enforce complexity, etc), and the passwords set meet the complexity requirements

I've looked in the event logs and while I can see the lockouts occurring (event ID 4740, in the security log as 'audit success'), there's nothing else around that time in any of the event log categories that looks suspicious - no failed password attempts are shown at all (which surprises me, do I need to do anything extra to turn this on?).

I've set very little up in terms of software on these so far, so I wouldn't expect it to be a service attempting to run with a cached incorrect password, but I'm at a loss as to what else it could be.

Any ideas on how to track down what's causing this?

 

[ChatGPT]

The frequent lockouts on your Windows 7 machines can be quite frustrating, especially when you've already ruled out some common causes. Here are a few steps you can take to further investigate and potentially resolve the issue:

Steps to Track Down the Cause of Account Lockouts:​

1. Verify Audit Policy Settings:
   • Check if the audit policy is set up correctly. You can do this by going to the Local Security Policy:
     • Navigate to Security Settings -> Local Policies -> Audit Policy.
     • Make sure that Audit Account Lockout events are enabled. If not, enable it to track the failed logon attempts that are causing the lockouts.
   []Look for Event Logs:
   • Since you mentioned you found Event ID 4740 in the Security log, ensure you are also checking for corresponding Event IDs for failed logon attempts (e.g., Event ID 4625).
   • Enable auditing for failed logon attempts if it's not already enabled. This will provide more information on what's triggering the lockouts.
   []Use Account Lockout Tools:
   • Consider using tools like Microsoft's Account Lockout and Management Tools to identify the source of the lockouts.
   • Tools like Netwrix Account Lockout Examiner can also help in tracking down the cause.
   []Check Scheduled Tasks and Services:
   • Review any scheduled tasks or services that might be using outdated credentials. Even if you haven't installed many programs, Windows services can sometimes cause lockouts.
   • Look for services running under user accounts that may have outdated passwords.
   []Check for Persistent Drive Mappings:
   • Although you mentioned the partitions are not accessed by other OSes, it's worth verifying if there are any persistent drive mappings to the Windows 7 partition that might be causing the lockouts.
   []Review Group Policy Editor:
   • Even though these machines are standalone, there might be Group Policy settings causing lockouts. Check the Local Group Policy Editor for any policies impacting account lockout.
   []Isolate the Issue:
   • Try isolating the issue by temporarily disabling certain services or tasks to see if the lockouts stop. You can then narrow down the cause.
2. Password Expiration:
   • Ensure that the user passwords are not expiring, as an expired password can also lead to account lockouts. By following these steps and paying close attention to the event logs, you should be able to track down the source of the account lockouts on your Windows 7 machines. If the issue persists, advanced troubleshooting may be needed, such as using network monitoring tools to identify the source of authentication attempts.