User is always locked out in Active Directory, based on the investigation a polling engine is the source for the lockout

oluap

a user is always reporting that one of the polling engine was causing his Active Directory account to locked out. upon checking on the server there was no created profile under his account.HOw can i resolve the lock out

ronan.tonilon

Hi @oluap ,

The Active Directory account lockout is most likely caused by an outdated or misconfigured credential being used silently by a polling engine. Use SWQL, services/task checks, and credential management to trace and remove any use of that AD account. Enable AD auditing if needed for deep trace.

Cause Possibilities:

1. Credential used in Scheduled Tasks, Services, or Scripts on the polling engine

2. Old WMI/Windows credentials saved in:

   • Application Monitor templates (SAM)

   • Scheduled discoveries

   • Device connection profiles (NCM)

3. Agent-based monitoring trying to authenticate using wrong credentials

4. Orion Platform Credential Store (shared credentials) referencing the user's AD account

What to do:

1. Check for Credential Usage in SolarWinds:
   • Run this SWQL query to find where the user’s account is being used:

     SELECT CredentialID, Name, CredentialOwner, CredentialType 
     FROM Orion.Credential
     WHERE Name LIKE '%username%' OR CredentialOwner LIKE '%username%'

     Replace %username% with the AD account with the problem.
   • Then check where that CredentialID is being referenced:

     • In SAM Application Templates

     • In Discovery Profiles (Settings → Network Discovery → Manage Discoveries)

     • In NCM Connection Profiles

2.  Check the Polling Engine's Windows Services & Scheduled Tasks.
   • On the polling engine causing the lockout:
     • Run services.msc and check if any service (especially SolarWinds Collector, Agent, or custom scripts) is running under that user’s AD account.
     • Open Task Scheduler and check if any task is set to run under the user’s AD account.
   •  Look for:

     • Scripts

     • Custom pollers
     • Agent push jobs
3. Agent Configuration (if used)
   • If SolarWinds Agent is deployed:
     • Check if the agent on the node is configured to use Windows credentials
     • Use the Agent Management page in the console to review credentials
4. Enable AD Account Lockout Auditing (Optional)
   • If the above steps are inconclusive, enable account lockout auditing on your Domain Controllers:
     • Group Policy: Computer Configuration → Windows Settings → Security Settings → Advanced Audit Policy → Logon/Logoff → Audit Account Lockout
   • Then:
     • Use Event Viewer → Security Log on the DC.
     • Look for Event ID 4625 (logon failure) or 4740 (account locked).
     • This will help pinpoint the machine and process name causing the lockout.

Hope this helps.