I encountered and resolved a very strange issue tonight, regarding a locked out account.
Using group policy, I have a bunch of deployment scripts that run at Shutdown. For a select group of computers, these scripts didn’t appear to be running.
My first thought was that the computer account was disconnected from the domain, but all indications appeared that this was not the issue.
I was able to connect to a problem computer with PsExec, and did so with the -s switch, as our shutdown scripts run as the SYSTEM account (or NETWORK SERVICE when accessing the file server).
When I ran the command in my script manually, I received this error:
Logon Failure: Account Currently Disabled
This was really strange; the accounts in use were all active, and definitely not locked out.
When I modified the command to not use network resources, it succeeded. I looked into the Security event log, and noticed an event saying “A logon was attempted using explicit credentials.”
In this event, it also referenced an old account name and computer name from a legacy Active Directory domain, from which we had previously migrated.
This triggered a realization, and my next place to look was the Credential Manager.
Sure enough, I ran the following command on the remote computer:
cmdkey /list
and saw an entry for my DFS path (Target: domain.ca) with credentials referencing the original non-migrated computer name and account, which no longer exist! Somehow this must have stuck around for quite some time.
I ran a delete command for that credential:
cmdkey /delete:domain.ca
And now it’s working properly! Next step: stick this command into Group Policy so that it fixes any other machines having the problem.
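One way to turn that next step into a Group Policy shutdown script, as an added example that is not the post's own code: a PowerShell script that parses the output of cmdkey /list and deletes only the entry for the DFS target whose stored user still references the legacy domain, so valid credentials for the same target are left alone. The legacy domain prefix OLDDOMAIN, the log path, and the exact cmdkey /list output layout are assumptions.

```powershell
# Added example (not from the original post): remove stale Credential Manager
# entries for a DFS target from the store of whichever account runs this script.
# cmdkey only sees the credential store of the account it runs as, so this must
# run as SYSTEM (e.g. as a Group Policy startup/shutdown script) to reach the
# entry the post found through "psexec -s". Parameter defaults are assumptions.
param(
    [string]$Target         = 'domain.ca',     # DFS namespace from the post
    [string]$StaleUserMatch = '^OLDDOMAIN\\',   # hypothetical legacy domain prefix
    [string]$LogFile        = "$env:ProgramData\cmdkey-cleanup.log"  # assumed path
)

# cmdkey /list prints one block per credential, roughly:
#     Target: Domain:target=domain.ca
#     Type: Domain Password
#     User: OLDDOMAIN\oldhost$
# Parse those blocks into Target/User pairs.
$entries = @()
$current = $null
foreach ($line in (cmdkey /list 2>&1)) {
    if ($line -match '^\s*Target:\s*(.+?)\s*$') {
        if ($current) { $entries += $current }
        $current = [ordered]@{ Target = $Matches[1]; User = '' }
    } elseif ($current -and $line -match '^\s*User:\s*(.+?)\s*$') {
        $current.User = $Matches[1]
    }
}
if ($current) { $entries += $current }

foreach ($e in $entries) {
    # "Domain:target=domain.ca" -> "domain.ca"; cmdkey /delete wants the bare name
    $name = $e.Target -replace '^.*target=', ''
    if ($name -ieq $Target -and $e.User -match $StaleUserMatch) {
        $msg = "$(Get-Date -Format s) deleting stale credential Target=$name User=$($e.User)"
        Add-Content -Path $LogFile -Value $msg   # keep a record of what was removed
        cmdkey /delete:$name | Out-Null
    }
}
```

Running it once with the cmdkey /delete line commented out and checking the log is a cheap way to confirm the filter matches only the stale entry before deploying it domain-wide.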