
Active Directory Locked Account Investigation Process

Shaun Vermaak, COG Lead Engineer
This article outlines the process to identify and resolve account lockout in an Active Directory environment.

Process


1) Change the lockout policy according to Microsoft's recommendation


The lockout policy's ultimate goal is to protect against automated password guessing (brute-force attacks); as such, the threshold should be high enough that accounts are not accidentally locked out by an end user mistyping a password or by an incorrect saved password.


As per the following articles, I recommend the following lockout settings:


  • Account lockout threshold 50
  • Reset account lockout counter after 10 minutes

 

https://technet.microsoft.com/en-us/library/cc671957(v=ws.10).aspx

https://technet.microsoft.com/en-us/library/hh994574(v=ws.11).aspx




2) Enable auditing


Identifying the source of account lockouts in a complex environment is virtually impossible without auditing enabled.


Please note: only events that occur after auditing has been enabled are logged, so a lockout that happened earlier leaves no trace. It may also be necessary to increase the Security log file size so that the relevant events are not overwritten before you look at them.



In addition to the above, the following settings may provide extra clues about the source of the lockout. After setting these values, additional logs are written to Event Viewer under Applications and Services Logs\Microsoft\Windows\NTLM.


Path: Computer Configuration\Windows Settings\Local Policies\Security Options

  • Setting: Network Security: Restrict NTLM: Audit Incoming NTLM Traffic
    Value: Enable auditing for all accounts
  • Setting: Network security: Restrict NTLM: Audit NTLM authentication in this domain
    Value: Enable all
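The article does not show how to switch the auditing on; the following is an added example (not from the article) of enabling, from an elevated PowerShell session on a domain controller, the audit subcategories that produce the lockout-related events used later in this process (4625, 4740, 4768, 4771, 4776) and growing the Security log. The subcategory names are the built-in auditpol names; the 1 GB log size is an assumed value to adjust to your own retention needs.

```powershell
# Added example: enable the audit subcategories behind the lockout events and
# enlarge the Security log. Run elevated on each DC, or set the same
# subcategories via Group Policy (Advanced Audit Policy Configuration).

$subcategories = @(
    'Logon',                            # 4625: an account failed to log on
    'Account Lockout',                  # 4625 variant raised when the lockout itself denies logon
    'User Account Management',          # 4740: a user account was locked out
    'Kerberos Authentication Service',  # 4768 / 4771: TGT request and pre-authentication failure
    'Credential Validation'             # 4776: NTLM credential validation on the DC
)

foreach ($sub in $subcategories) {
    # Both success and failure are needed: the bad attempts are failure audits,
    # but 4740 (the lockout) and 4768 are success audits.
    auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
}

# Raise the Security log maximum size (bytes). 1 GB is an assumed value.
wevtutil.exe sl Security /ms:1073741824

# Show the effective policy so the change can be verified
foreach ($sub in $subcategories) {
    auditpol.exe /get /subcategory:"$sub"
}
```

Because only events generated after this point are logged (as the note above says), enable auditing first and then wait for the next lockout before running any of the tools below.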


3) Identify the source device on which the lockout occurred

 

3.1) Event Comb


Part of the Account Lockout and Management Tools: https://www.microsoft.com/en-us/download/details.aspx?id=18465


Still a useful tool in a pinch.

Please note: the built-in account lockout search does not use the newer event IDs. To search for them, add 4625, 4740, 4771, 4768 and 4776 to the event ID list.


For details on these events (legacy ID / current ID), see:

  • 529 / 4625 (logon failure)
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=529
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625
  • 644 / 4740 (account locked out)
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=644
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4740
  • 675 / 4771 (Kerberos pre-authentication failed)
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=675
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4771
  • 676 / 4768 (Kerberos authentication ticket request)
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=676
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4768
  • 681 / 4776 (NTLM credential validation on the domain controller)
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=681
    https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4776




All gathered events from the selected domain controllers are saved as text files in the temp folder.


3.2) Lockout Status


Part of Account Lockout and Management Tools https://www.microsoft.com/en-us/download/details.aspx?id=18465


When you start the tool, specify the user account to inspect.


Please note: if the device shown as the lock source is a domain controller, follow the trail (that DC's own Security log) until you reach the actual source device name.




3.3) AD Audit


See https://www.manageengine.com/products/active-directory-audit


My personal favourite: AD Audit makes finding the source device that locks the account easy; just use the built-in reports.




3.4) PowerShell

 

  • FindUserBadPwdAttempts: https://gallery.technet.microsoft.com/Troubleshoot-Account-Bad-4bf47940
  • Get-LockedOutLocation: https://gallery.technet.microsoft.com/scriptcenter/Get-LockedOutLocation-b2fd0cab
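As an added example (not one of the scripts linked above, nor EventCombMT), the following PowerShell does by hand what those tools do: it pulls the event IDs listed in section 3.1 for one account from the domain controllers and reports which device each event came from. It assumes the ActiveDirectory RSAT module is installed, that the caller can read the Security log on the DCs remotely, and the parameter names $User and $Hours are ours.

```powershell
# Added example: locate the device behind a lockout from DC Security logs.
param(
    [Parameter(Mandatory)][string]$User,   # sAMAccountName being locked out
    [int]$Hours = 24                        # how far back to search
)

Import-Module ActiveDirectory

# Every 4740 lockout is also recorded on the PDC emulator, so it is the first
# place to look; the failed attempts (4625/4771/4776) stay on whichever DC saw them.
$pdc   = (Get-ADDomain).PDCEmulator
$dcs   = (Get-ADDomainController -Filter *).HostName
$since = (Get-Date).AddHours(-$Hours)

function Get-EventField {
    # Read a named EventData field from the event XML instead of relying on the
    # positional Properties[] index, which differs between event IDs.
    param($Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$results = @()

# Step 1: when was the account locked and which machine reported it (4740)?
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
    -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since }
foreach ($ev in $lockouts) {
    if ((Get-EventField $ev 'TargetUserName') -ne $User) { continue }
    $results += [pscustomobject]@{
        Time   = $ev.TimeCreated
        Event  = 4740
        DC     = $pdc
        Source = Get-EventField $ev 'TargetDomainName'   # "Caller Computer Name" in 4740
    }
}

# Step 2: the bad-password attempts behind the lockout, with the client that sent them.
foreach ($dc in $dcs) {
    $attempts = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = @(4625, 4771, 4776); StartTime = $since }
    foreach ($ev in $attempts) {
        if ((Get-EventField $ev 'TargetUserName') -ne $User) { continue }
        # The field naming the client differs per event ID
        $src = switch ($ev.Id) {
            4625 { @((Get-EventField $ev 'WorkstationName'), (Get-EventField $ev 'IpAddress')) -join ' ' }
            4771 { Get-EventField $ev 'IpAddress' }     # Kerberos pre-authentication failed
            4776 { Get-EventField $ev 'Workstation' }   # NTLM credential validation
        }
        $results += [pscustomobject]@{ Time = $ev.TimeCreated; Event = $ev.Id; DC = $dc; Source = $src }
    }
}

# Timeline first, then the devices with the most failed attempts. A DC listed as
# Source means the trail continues on that DC (see 3.2, Lockout Status).
$results | Sort-Object Time | Format-Table -AutoSize
$results | Where-Object Event -ne 4740 | Group-Object Source |
    Sort-Object Count -Descending | Select-Object Count, Name
```

The device that tops the second table is the one to examine in section 4; when the Source column shows a domain controller or an empty value, the request arrived through that DC (or through a service that does not report a workstation name), and the same query should be repeated against that DC's log.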



4) Identify the source process that locked the account


4.1) NetWrix Account Lockout Examiner


See https://www.netwrix.com/account_lockout_examiner.html


Install NetWrix Account Lockout Examiner on another computer, run it, and point it at the device that generates the lockouts.




4.2) ADAudit


See https://www.manageengine.com/products/active-directory-audit


As I said before, my personal favourite. After finding the source device using the built-in reports, the Account Lockout Analyzer can show the source process on that device that locks the account.




5) Implement processes to prevent future lockouts


5.1) Windows Services, Scheduled Tasks and COM Objects

Use service accounts with strong, non-expiring passwords, or managed service accounts, so that a password change on a user account does not leave a service retrying with the old one.

5.2) Drive Mappings

Do not map drives with an explicit username and password. Use the Group Policy Drive Maps preference (User Configuration) to create the drive mappings instead.



5.3) Logon Sessions

Implement automatic logoff of inactive (idle) RDP sessions, so that a session left open before a password change does not keep authenticating with the old password.


5.4) LAN Manager Authentication Level


Ensure that your LAN Manager Authentication Level is set to the level required by your clients and the authentication protocols in use.


5.5) Externally Exposed RDP


Install a tool such as RDP Guard to automatically block external brute-force attacks or, better yet, set up a secure VPN and only access RDP from within it.


5.6) Credential Manager

Disable the Credential Manager service. This prevents users from saving and using stored passwords.




5.7) Cached Credentials

Remove cached credentials for both user and SYSTEM accounts.


For user accounts

rundll32.exe keymgr.dll,KRShowKeyMgr


For SYSTEM accounts

psexec -s -i -d rundll32.exe keymgr.dll,KRShowKeyMgr
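Sections 4, 5.1, 5.2 and 5.7 all come down to the same question on the device identified in section 3: which service, task, DCOM identity, drive mapping, saved credential or lingering session is still using the account's old password? The following is an added example (not the article's own procedure and not part of any of the tools it names) that inventories those places on the source device; run it elevated on that device. The $Account parameter name is ours, and the output is a list of candidates to fix, not a definitive answer.

```powershell
# Added example: on the suspected source device, list the usual places where a
# stale password for $Account may be stored or still in use.
param([Parameter(Mandatory)][string]$Account)   # sAMAccountName without domain

$pattern = "*\$Account"   # matches DOMAIN\user and .\user forms

# 5.1 Windows services configured to log on as the account
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -like $pattern -or $_.StartName -like "$Account@*" } |
    Select-Object @{n='Type'; e={'Service'}}, Name, StartName, State

# 5.1 Scheduled tasks whose principal is the account
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -like $pattern -or $_.Principal.UserId -eq $Account } |
    Select-Object @{n='Type'; e={'ScheduledTask'}}, TaskName, TaskPath,
                  @{n='UserId'; e={$_.Principal.UserId}}, State

# 5.1 COM / DCOM applications whose identity (the RunAs value under HKLM\SOFTWARE\Classes\AppID)
# is the account
Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID' -ErrorAction SilentlyContinue | ForEach-Object {
    $runAs = (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).RunAs
    if ($runAs -like $pattern) {
        [pscustomobject]@{ Type = 'DCOM AppID'; Name = $_.PSChildName; RunAs = $runAs }
    }
}

# 5.2 Mapped drives connected with an explicit user name (UserName is empty when
# the drive was mapped with the logged-on user's own token)
Get-CimInstance Win32_NetworkConnection |
    Where-Object { $_.UserName -like $pattern -or $_.UserName -like "$Account@*" } |
    Select-Object @{n='Type'; e={'MappedDrive'}}, LocalName, RemoteName, UserName

# 5.6 / 5.7 Saved credentials in Credential Manager for the current user.
# cmdkey.exe is built in; it prints a "User: DOMAIN\user" line per saved entry.
# For the SYSTEM account's vault run the same command under psexec -s, as in 5.7.
cmdkey.exe /list | Where-Object { $_ -like "*User:*$Account*" }

# 5.3 Interactive sessions still held by the account on this device
quser.exe 2>$null | Where-Object { $_ -like "*$Account*" }
```

Each non-empty section of the output corresponds to one of the remediations in section 5: move services and tasks to a service account or managed service account, replace the drive mapping with a Group Policy preference, remove the saved credential with the keymgr.dll dialog shown above, and log off the stale session.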


Tips

If the account you are using for the investigation keeps locking, rename your username for the duration of the investigation.


Comments (19)

Albert Widjaja, IT Professional

Commented:
This is an awesome article :-)
Thanks for sharing !
Blue Street Tech, Last Knight

Commented:
+1 great article and follow-up Shaun!
Tarik M. Zwain, Independent IT and Microsoft Specialist

Commented:
Absolutely great article!
I constantly debate with colleagues about password and lockout policies and how most hinder productivity and provide less security.  I sure wish I'd had your article to reference.  I do now.
Albert Widjaja, IT Professional

Commented:
@Shaun,

Regarding resetting the cached creds for SYSTEM accounts:
psexec -s -i -d....

Why do you need to use PsExec if you can do it using the cmd prompt and RunDLL32.exe?

Disable the Credential Manager service.
Can that also reset or clear the currently saved credentials within the local OS, or just for Microsoft applications only?
Shaun Vermaak, COG Lead Engineer

Author

Commented:
The one is for the current user and the psexec one is for SYSTEM.

No, it does not clear existing saved credentials
