Finding root cause of Account lockouts

To find the source of an account lockout, open the local Event Viewer, go to the Security log, and look through the Failure Audits for any that match either SYSTEM or the user ID in question. If you find one, open the log entry and you will see a Logon Type entry with a numerical value. That value is the key to the source of the lockout. See the following article for an excellent description of the codes.

Logon Type Codes Revealed
http://www.windowsecurity.com/articles/Logon-Types.html

Also, you can install the Account Lockout Tools from Microsoft.

Download details: Account Lockout and Management Tools
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E

Microsoft also recommends using these tools in conjunction with Net Logon debug logging enabled. Personally, I have had results without having to review that log, so I will concentrate on these tools alone...

Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626

As for the Account Lockout Tools, there are two that I think are the most beneficial: ALockout.zip (which contains alockout.dll and appinit.reg) and AloInfo.exe. These will give you the most information about the local system.

ALockout.zip
Extract both files to C:\Altools. Merge appinit.reg into the registry and reboot the PC. Once installed, the next time a lockout occurs it will produce a log file in C:\Windows\Debug. The log can be cryptic to read, but if you have a corresponding failure in the Security log you can match the timestamps to a specific process. Remember to unregister alockout.dll once you have finished tracking the problem down: go to Start>Run and enter Regsvr32 /u <path to file>\alockout.dll (for the path above, C:\Altools\alockout.dll), then delete the DLL from the directory.

AloInfo
This can be run from a command prompt to easily dump information about stored credentials for drive mappings and services. Go to Start>Run>Cmd.exe and enter the following (you can copy/paste both lines and hit Enter); Notepad.exe will then open the newly created log file.

aloinfo.exe /stored /server:\computername >lockout.txt
notepad.exe lockout.txt

From there, review the log to see if you can identify what is configured to use the credentials that keep locking out.

Once you know the source of the lockout, it will help you decide where to look for the problem. These are some of the most common places to look.

Look through the Services for anything running under the user's ID (this is the same information that AloInfo.exe gives you, just gathered manually). You might need to add the Log On As column to the view by clicking View>Customize.
Look at mapped drives that were created by the user (not by a logon script). Go to Start>Run>Cmd.exe and enter net use. You will see a list of resources the local machine has a connection to, whether a mapped drive or simply a UNC share.
Go to Start>Run>control keymgr.dll and remove any stored password entries listed.
Look in Control Panel>Scheduled Tasks for any task whose status says "The scheduled task did not run because an incorrect user name or password was entered." Either supply alternate credentials or delete the job.
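As an added example (not code from the original article), the PowerShell script below walks those same four places on one machine for a given account, so the manual checks above can be repeated quickly and consistently. It assumes PowerShell 3.0 or later run from an elevated prompt on the machine being checked; the account name in it is a placeholder, and cmdkey is used here as the command-line view of the same store that control keymgr.dll opens.

```powershell
# Added example, not from the original article: enumerate the places a stale
# credential for one account can hide on this machine (services, drive
# mappings, Credential Manager, scheduled tasks).
# Assumptions: PowerShell 3.0+, elevated prompt, run on the machine to check.
param(
    [string]$Account = 'CONTOSO\jdoe'   # placeholder, replace with the locked-out account
)

# Reduce DOMAIN\user or user@domain to the bare user name for matching.
$user    = $Account -replace '^.*\\', '' -replace '@.*$', ''
$pattern = [regex]::Escape($user)

"== Services whose Log On As account matches $user =="
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -match $pattern } |
    Select-Object Name, State, StartMode, StartName |
    Format-Table -AutoSize

# Win32_NetworkConnection lists the current session's connections (mapped
# drives and plain UNC connections) together with the user name each was
# made with, which is what 'net use' does not show directly.
"== Network connections in this session and the account used for each =="
Get-CimInstance -ClassName Win32_NetworkConnection |
    Select-Object LocalName, RemoteName, UserName, Status |
    Format-Table -AutoSize

# Credential Manager entries for the current user (same store as keymgr.dll).
"== Credential Manager entries (cmdkey /list) =="
cmdkey /list | Select-String -Pattern 'Target:|User:'

# schtasks repeats its CSV header once per task folder, so drop those rows
# before filtering on the 'Run As User' column.
"== Scheduled tasks set to run as $user =="
schtasks /query /v /fo CSV | ConvertFrom-Csv |
    Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -match $pattern } |
    Select-Object TaskName, Status, 'Last Run Time', 'Last Result', 'Run As User' |
    Format-Table -AutoSize
```

The connection and Credential Manager sections only see the session the script runs in, so run it as the user whose mappings and stored passwords you want to inspect; a non-zero Last Result on a task that runs as the locked-out account is the case the article describes under Scheduled Tasks.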

On a domain, when the lockouts are not being caused on the local machine, the logs from the Domain Controller will need to be reviewed to find the source of the problem. In its Security log there will be similar entries, but with a Workstation Name value that should give you the remote PC name or IP address. Once you have that source, go through the steps above on that machine to find the cause.
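As an added example (not from the original article), this PowerShell script does the Security log matching described above for both the local machine and the domain controller view: it pulls the recent failure audits that name the account, extracts the Logon Type and Workstation Name fields from each entry, and tallies where the failures come from. It assumes Get-WinEvent (Windows Vista/Server 2008 or later), an elevated prompt, and placeholder values for the account, time window and computer name; the labels it parses are the ones Windows prints in the event description text.

```powershell
# Added example, not from the original article: tabulate Security log failure
# audits for one account by Logon Type and Workstation Name.
# Assumptions: Get-WinEvent available, elevated prompt; parameters are placeholders.
param(
    [string]$Account  = 'jdoe',               # placeholder user name
    [int]   $Hours    = 24,                   # how far back to look
    [string]$Computer = $env:COMPUTERNAME     # use a DC name for the domain-side view
)

# Keyword bit that marks "Audit Failure" entries in the Security log.
$AuditFailure = 0x10000000000000

$filter = @{
    LogName   = 'Security'
    Keywords  = $AuditFailure
    StartTime = (Get-Date).AddHours(-$Hours)
}

# Keep only failures whose description names the account (as subject or target).
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match "Account Name:\s+$([regex]::Escape($Account))\b" }

if (-not $events) {
    Write-Warning "No failure audits naming $Account in the last $Hours hours on $Computer."
    return
}

# Pull the labelled fields out of the description text; the labels are the
# same across the old (5xx) and new (4xxx) event IDs, so no ID list is needed.
$rows = foreach ($e in $events) {
    [pscustomobject]@{
        Time        = $e.TimeCreated
        EventId     = $e.Id
        LogonType   = if ($e.Message -match 'Logon Type:\s+(\d+)')             { $Matches[1] } else { '?' }
        Workstation = if ($e.Message -match 'Workstation Name:\s+(\S+)')       { $Matches[1] } else { '-' }
        SourceIP    = if ($e.Message -match 'Source Network Address:\s+(\S+)') { $Matches[1] } else { '-' }
        Process     = if ($e.Message -match 'Process Name:\s+(.+)')            { $Matches[1].Trim() } else { '-' }
    }
}

"== Failure audits naming $Account on $Computer ({0} events) ==" -f @($rows).Count
$rows | Sort-Object Time | Format-Table -AutoSize

"== Where they come from (Logon Type, Workstation) =="
$rows | Group-Object LogonType, Workstation |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it locally first; if the account is only locking out at the domain level, run it again with -Computer pointed at a domain controller, and the Workstation column in the summary is the machine to go back to with the checks above. The Logon Type value in each row is the code the linked Logon Types article explains.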

Logs are an extremely powerful tool for finding the most common problems. When Windows has a problem, it will usually tell you where the problem is; you just need to be able to find it....

Happy hunting!!

John aka johnb6767
