A local Windows user account kept triggering the lockout of a user’s AD account. Obviously a cached credential of some sort, but after going through the usual measures of deleting cached passwords the user was still getting instantly locked out when logging in as the local user.
I queried the locked out username in the event logs using the following:
    $search = "ADusername"
    Get-EventLog -LogName system -after (Get-Date).AddDays(-1) |
        Where-Object { $_.Category.ToLower().Contains($search.ToLower()) -or $_.Message.ToLower().Contains($search.ToLower()) -or $_.Source.ToLower().Contains($search.ToLower()) } |
        Format-Table -AutoSize -Wrap
and the output indicated “The password stored in Credential Manager is invalid”. I double-checked Credential Manager to ensure any related entries were deleted. Nothing in there. Maybe the SYSTEM account?
Using PsExec I was able to get into the SYSTEM account. (For those using SCCM, I highly recommend installing the free Right Click Tools. Set up PsExec on the server and within two clicks you will be on the remote computer as SYSTEM.)
cmdkey /list will display any stored credentials under the SYSTEM account
To delete the stored credential simply use cmdkey /delete Domain:target=user.AD
and no more lockouts!
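To narrow down which stored entry belongs to the locked-out account, the `cmdkey /list` output can be parsed into objects and filtered by user name. This is an added example, not part of the original post: the function name `ConvertFrom-CmdkeyList`, the `CONTOSO` domain and the sample listing are constructed for illustration, and the parser assumes the English `Target:` / `Type:` / `User:` labels.

```powershell
# Added example: turn `cmdkey /list` text into objects so entries can be filtered.
# ConvertFrom-CmdkeyList is a hypothetical helper name, not a built-in cmdlet.
function ConvertFrom-CmdkeyList {
    param([string[]]$Lines)

    $entry = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*Target:\s*(.+?)\s*$') {
            # A new "Target:" line starts a new entry; emit the previous one first.
            if ($entry) { [pscustomobject]$entry }
            $entry = [ordered]@{ Target = $Matches[1]; Type = $null; User = $null }
        }
        elseif ($entry -and $line -match '^\s*Type:\s*(.+?)\s*$') { $entry.Type = $Matches[1] }
        elseif ($entry -and $line -match '^\s*User:\s*(.+?)\s*$') { $entry.User = $Matches[1] }
    }
    # Emit the last entry in the listing.
    if ($entry) { [pscustomobject]$entry }
}

# Constructed sample of `cmdkey /list` output (English locale assumed).
$sample = @'
Currently stored credentials:

    Target: Domain:target=fileserver01
    Type: Domain Password
    User: CONTOSO\ADusername

    Target: LegacyGeneric:target=example-app
    Type: Generic
    User: svc-local
    Local machine persistence
'@ -split "`r?`n"

$search = 'ADusername'
ConvertFrom-CmdkeyList -Lines $sample |
    Where-Object { $_.User -like "*$search*" } |
    Format-Table -AutoSize

# On the affected machine, in a session running as SYSTEM, parse the live output instead:
# ConvertFrom-CmdkeyList -Lines (cmdkey /list) | Where-Object { $_.User -like "*$search*" }
```

Entries without a `User:` line are still returned, with `User` left empty, so they can be reviewed separately.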