Troubleshoot: User Lockouts on Windows Devices Overview

Even when a user enters the correct credentials, there are many reasons an account may be locked out. Eventually any event with "Login Failure" can lead to an account lockout problem. The information in this article is meant to help you troubleshoot user account lockouts on JumpCloud-managed devices. Make sure you’re aware of any compliance or regulatory guidelines pertinent to your organization. 

Considerations

• Lockouts affect organizations that enforce account lockouts after N failed attempts – see Manage Password and Security Settings for more information.
• To clear the lockout counter on a device, a successful login is required on that device.
• The lockout reset counter is not cleared across all devices that a user is bound to after a successful login on a single device.
• Users bound to multiple devices may still have recorded failed login attempts on other bound devices. 
• JumpCloud tallies failed login attempts from devices and the user portal. 
• Windows UAC generates two failed login events when elevating user privileges, such as runas functionality, that count against total failed login attempts.

Known Causes of Device Lockouts on Windows-based Devices

• Cached credentials stored in Windows Credential Manager (WCM) and web browsers.
• Remote Desktop connections with saved but invalid credentials.
• Network drive connections with saved but invalid credentials.
• Printer connections with saved but invalid credentials.
• Saved Scheduled Task Manager Tasks.
• Automation testing tools such as Selenium trigger the Chromium defect for every test session initiated, resulting in immediate lockout behavior being triggered.

Recommendations for Lockout Prevention

1. Run automated testing tools on a virtual machine or physical devices that are not managed by JumpCloud.
2. Bind users to the minimum number of devices whenever possible. Be aware that Scheduled Tasks that run under the user account can be a source of failed authentication requests.
3. RDP users should end their session by logging out of the remote system, rather than simply closing the RDP client, or selecting Disconnect from the power options on the remote device.
4. Be aware of software packages in your environment that may run as a service under the device user account or add credentials to WCM.
5. If possible, utilize the “Unlock account after 10 minutes” in JumpCloud. This will help reduce the amount of time for the user to regain access – see Manage Password and Security Settings for more information.

Immediate Corrective Actions 

User Unlock

While prevention of recurring lockouts is important, administrators will usually want to immediately to restore access to an end-user.

End User Recovery Option  

The JumpCloud user needs to change their password through the User Portal password reset workflow using alternate network-connected devices (such as a smartphone or tablet) to restore access to the end user account, user portal, and device.

JumpCloud Admin Recovery

A JumpCloud Administrator will need to unlock the user account from the JumpCloud Admin Portal, which will preserve the current end-user credential. 

Cached Credentials

This is only a temporary solution, as lockouts will recur as passwords are re-added to the cache.

• To check for cached credentials in WCM:
  1. On the impacted device, launch the Run prompt: Press Windows Key + R.
  2. Insert and run: rundll32.exe keymgr.dll,KRShowKeyMgr.
• To clear cached credentials in WCM:
  1. Click Start > Control Panel > User Accounts > Credential Manager.
  2. Select the Windows Credentials option.
  3. Then click Remove from Vault (depending on which version of Windows you are running).
• Clear cached credentials in the user’s browser(s).