We've all seen this before: a user's password expires, they change it, and all of a sudden they keep getting the userid locked every 10 minutes.
Root Cause: There was some session out there that was still up and active, but the user had signed on before the password was changed.
I did some event log digging and found out that on the offending machine, Security Auditing jobs were kicking off every 10 minutes. These jobs would go to KERBEROS, sending PRE_AUTHORIZATION packets that were coming back failed. The reason was that the userid/password being used was the old one and not the new one. KERBEROS now had the new password, and after three attempts the USERID was locked out...
Question: If the RDP idle session timeout had disconnected the old session, would this have stopped what was described above?
JP Cowboy Coders Unite!
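
One way to find the kind of source described in the post, added here as an example and not part of the original post: group bad-password Kerberos pre-authentication failures by account and client address, and flag pairs whose failures recur on a steady clock. It assumes the failures (Security event 4771 on a domain controller) were exported as lines of time, account, client address and failure code; the records, addresses and function name are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

BAD_PASSWORD = "0x18"  # event 4771 failure code for a wrong password

# Constructed sample export: time, account, client address, failure code.
SAMPLE = """\
2024-03-04T09:00:05 jdoe 10.0.5.21 0x18
2024-03-04T09:02:11 asmith 10.0.7.40 0x18
2024-03-04T09:02:19 asmith 10.0.7.40 0x18
2024-03-04T09:05:42 bkent 10.0.9.3 0x12
2024-03-04T09:10:04 jdoe 10.0.5.21 0x18
2024-03-04T09:20:06 jdoe 10.0.5.21 0x18
2024-03-04T09:30:05 jdoe 10.0.5.21 0x18
2024-03-04T09:47:30 asmith 10.0.7.40 0x18
"""


def find_periodic_sources(text, min_failures=3, max_jitter=30.0):
    """Return (account, source, failures, mean_interval_s) for each
    account/source pair whose bad-password failures recur on a steady clock."""
    seen = defaultdict(list)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[3].lower() != BAD_PASSWORD:
            continue  # skip malformed lines and other failure codes
        stamp, account, source, _ = parts
        seen[(account.lower(), source)].append(datetime.fromisoformat(stamp))

    hits = []
    for (account, source), stamps in sorted(seen.items()):
        if len(stamps) < min_failures:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        # A person mistyping produces irregular gaps; a stale session or job
        # replaying the old password produces nearly identical ones.
        if pstdev(gaps) <= max_jitter:
            hits.append((account, source, len(stamps), round(mean(gaps))))
    return hits


if __name__ == "__main__":
    for account, source, count, gap in find_periodic_sources(SAMPLE):
        print(f"{account}: {count} bad-password failures from {source}, "
              f"about every {gap // 60} min")
```

The flagged client address is the machine to check for a disconnected session or job still holding the old password.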