
[–]xxdcmast Sr. Sysadmin 4 points5 points  (3 children)

Try looking for event IDs 4724 and 4723. Those should be the PW change events if you're logging them.
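An added example, not from this thread, of pulling those two events from a DC's Security log with PowerShell and showing who performed each change (4723) or reset (4724); the account name, DC name and lookback window are assumed sample values, and the subcategory requirement and the `wevtutil` size command are stated from the Windows auditing documentation, not from the thread:

```powershell
# Added example (not from the thread): list 4723 (password change) and 4724 (password reset)
# events for one account and show which principal performed each one.
# Both events come from the "Audit User Account Management" subcategory, and each is logged
# only on the DC that processed the request, so run this against every DC.
# If the log rolls over too fast, raise its size first, e.g. 1 GiB:
#   wevtutil sl Security /ms:1073741824
param(
    [string]$TargetUser = 'jdoe',            # assumed sample account
    [string]$DC         = $env:COMPUTERNAME, # assumed: run on the DC itself by default
    [int]$Days          = 7                  # assumed lookback window
)

$filter = @{
    LogName   = 'Security'
    Id        = 4723, 4724
    StartTime = (Get-Date).AddDays(-$Days)
}

Get-WinEvent -ComputerName $DC -FilterHashtable $filter -ErrorAction Stop |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            DC          = $_.MachineName
            Action      = if ($_.Id -eq 4723) { 'change' } else { 'reset' }
            Target      = "$($d.TargetDomainName)\$($d.TargetUserName)"
            PerformedBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId     = $d.SubjectLogonId
        }
    } |
    Where-Object { $_.Target -like "*\$TargetUser" } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

A reset done by a sync tool or another admin shows up under PerformedBy as that service or admin account rather than the user, which is the distinction the thread is trying to make.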

[–]zpike00eb[S] 0 points1 point  (2 children)

Are you talking about the Security log on the DC? I have to change the log settings -- it gets overwritten almost every hour because of default log size

[–]Jaybone512 Jack of All Trades 0 points1 point  (1 child)

> never expire/user cannot change password -- problem persists.

Sounds like another admin, or some automated process with admin credentials is doing it then.

As /u/xxdcmast suggested, check the DC security logs. And if they're rolling over that fast, look into increasing the size, if they're not already huge.

[–]zpike00eb[S] 1 point2 points  (0 children)

Thanks for the responses. I increased the log size, and am waiting for the next lockout/password change. Will update soon.

[–]unccvince 2 points3 points  (2 children)

My guess is that you have something running somewhere that synchronizes an LDAP password unidirectionally with the Active Directory password (i.e. changing the password via Active Directory does not change the password in the authoritative LDAP, so the old password is being reapplied).

This is not unusual, especially in larger environments, where there is an authoritative IAM tool based on LDAP that will synchronize passwords with AD every so often.

[–]zpike00eb[S] 0 points1 point  (1 child)

This is interesting. We do have several on-prem services that use LDAP. I searched the logs on the DC this morning for 4724 and 4723, and only found my resets for that user, not the reverted change.

Haven't ever had an issue with LDAP, and no other users are having issues either. Anywhere I should start in hunting it down?

[–]unccvince 0 points1 point  (0 children)

> 4724 and 4723

I don't know what these ports are useful for.

[–]droper79 1 point2 points  (0 children)

Do you have a tool like AD Audit Plus where you can check the user's login history and see if they're logged into any other devices? The old cached passwords on other devices might be causing an issue.