AD Account being locked out on reboot

Good day,

I have a domain user that is having his account get locked out when a workstation reboots, and only when it reboots.

I have identified what workstation is causing it, but cannot find anything on the computer that is using his account. I have checked the services and any mapped drives and nothing. I have read through the event log and I can't seem to find anything there either.

There is nothing in the credential manager and he hasn't installed any applications on this particular computer either.

Any suggestions?
Thanks

I've read through that and still not able to pinpoint the cause. It is now happening with a couple of machines on our domain. I have looked through the event logs, mapped drives, services, scheduled tasks and nothing under his account. I removed his profile and cleaned out the registry and still happens. I tried Netwrix Account Lockout Analyzer and found nothing on the machines causing it.

I'm at a loss. It's only happening on boot as well, logon/logoff all you want and its fine. Reboot, locked as soon as Windows starts up.

The only thing I know to do right now is see if Wireshark can tell me anything, just need to find a way to get it to load first.

smanuel said:

It is now happening with a couple of machines on our domain.

Yeah, I was contemplating whether to ask.

These symptoms would tend to align with the behaviour of network-aware viruses. Remember the Conflicker worm in 2008? It would permeate through a network by attempting to guess accounts’ passwords. Users would boot their machines to find they were locked out.

A very loose test to see if this is case would be to create a new user on the network and give it an easy to guess password, e.g., let its password match its username. If this user account experiences no problems, indeed raise your suspicion of malware.

This is just a suggestion though, could not be the case.

I’m sure somebody more capable with malware removal can find evidence of malware lurking here.