
Finding root cause of Account lockouts

To find the source of an account lockout, open the Security log in the local Event Viewer and look at the Failure Audits for any that match either SYSTEM or the UserID in question. If you find any, open the log entry, and you will see a Logon Type entry with a numerical value. That value is the key to the source of the lockout. See the following article for an excellent description of the codes.

Logon Type Codes Revealed
http://www.windowsecurity.com/articles/Logon-Types.html

Also, you can install the Account Lockout Tools from Microsoft.

Download details: Account Lockout and Management Tools      
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E
      
Microsoft also recommends using these tools with Net Logon debug logging enabled. Personally, I have had results without having to review that log, so I will concentrate on these tools alone...

Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

As for the Account Lockout Tools, there are two (that I think are the most beneficial), ALockout.zip (which contains alockout.dll, and appinit.reg) and AloInfo.exe. These will give you the most information about the local system.

Alockout.Zip
Extract both files to C:\Altools. Merge appinit.reg into the registry, and reboot the PC. Once installed, the next time a lockout occurs, it will produce the logfile at C:\Windows\Debug. The log can be cryptic to look at, but if you have a corresponding failure in the Security Log, you can match the timestamps to a specific process. Remember to unregister alockout.dll once you are finished tracking it down. This can be done by going to Start>Run>Regsvr32 /u <pathtofile>\alockout.dll, and then deleting the DLL from the directory.

AloInfo
This can be used from a command prompt, to easily dump information about Stored Credentials for Drive Mappings and Services. Go to Start>Run>Cmd.exe, and enter the following (you can copy/paste both lines, and hit enter), and Notepad.exe will open the newly created log file.

aloinfo.exe /stored /server:\computername >lockout.txt
notepad.exe lockout.txt

From there, you can review the logs to see if you can identify what is configured to use the credentials that keep locking out.

Once you have the source of the lockout, it helps to know where to look for the problem. These are some of the most common places to look.

Look through the Services for anything running under their UserID (this is the same information that AloInfo.exe gives you, just gathered manually). You might need to add the Log On As column to the view by clicking on View>Customize.
Look at Mapped Drives that are User Created (not created by Logon Script). Go to Start>Run>Cmd.exe, and enter net use. You will see a list of resources that the local machine has a connection to, whether a Mapped Drive or simply a UNC share.
Go to Start>Run>control keymgr.dll, and remove any entries listed for stored passwords.
Look in Control Panel>Scheduled Tasks for any errors saying the Scheduled Task did not run because an incorrect username or password was entered. Either supply alternate credentials, or delete the job.

On a Domain, if the lockouts are not occurring on the local machine, the logs from the Domain Controller will need to be reviewed to find the source of the problem. In the Security Logs, there will be similar entries, but there will be a Workstation Name value, which should give you the remote PC, or IP address. Once you have the source machine, you can go through the steps above on it to find the cause.
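
The Failure Audit review described above can be scripted. This is an added example, not part of the original article or the Microsoft tools. It assumes Windows Vista/Server 2008 or later, where failed logons are recorded as event ID 4625, and an elevated PowerShell prompt on the local machine or the Domain Controller; the account name jdoe is a hypothetical placeholder.

```powershell
# Added example: summarise failed logons (event ID 4625) for one account from the
# Security log of the machine it runs on, grouped by Logon Type and source.
param(
    [string]$UserId = 'jdoe',   # hypothetical account; replace with the locked-out UserID
    [int]$Hours = 24            # how far back to search
)

# Logon Type values, annotated with the places this article says to check.
$LogonTypes = @{
    2  = 'Interactive (console logon)'
    3  = 'Network (mapped drives / UNC shares: check net use)'
    4  = 'Batch (Scheduled Tasks)'
    5  = 'Service (Services, Log On As column)'
    7  = 'Unlock (locked workstation)'
    8  = 'NetworkCleartext'
    9  = 'NewCredentials'
    10 = 'RemoteInteractive (Remote Desktop)'
    11 = 'CachedInteractive'
}

$filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }

$failures = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    # Flatten the named <Data> fields of the event into a lookup table.
    $data = @{}
    foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['TargetUserName'] -eq $UserId) {
        $type = [int]$data['LogonType']
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonType   = $type
            Meaning     = if ($LogonTypes.ContainsKey($type)) { $LogonTypes[$type] } else { 'Other' }
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            Process     = $data['ProcessName']
        }
    }
}

# Most frequent combination first: start looking there.
$failures | Group-Object LogonType, Meaning, Workstation, SourceIP, Process |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize -Wrap
```

Run on the Domain Controller, the Workstation and SourceIP columns point at the remote PC to examine next.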

Logs can be an extremely powerful tool for finding most common problems. When Windows has a problem, it will usually tell you where the problem is; you just need to be able to find it....

Happy hunting!!

John aka johnb6767