Troubleshooting Methods

One of the domain users complains that his account is randomly locked out from time to time.
There are no drives mapped on his workstation and he cannot identify the pattern.
Could you direct me to a troubleshooting web page or give some ideas of what could be checked for this sort of problem?
This would speed up the solution by saving on the research time.

Thank You.

Asked by sstouk
 
dr_binks commented:
if someone told me that their account was being locked out and the drive mappings are screwed; I would do diagnostics on the domain controllers, and fileserver(s) and ask the user to log off, restart the PC and login again. Failing that I would analyse all the traffic on the network using something like www.ethereal.com or http://www.asl-fluke.co.uk/network_inspector/ (an expensive but preferred method -- not the hand held device but the monitoring software).

Now don't take my word for this.. I am in no means an "expert" in networking, I have only been a net admin for the company I work at since last September and I have had no formal training. To train myself I read every article on networking and network security I can lay my hands on (usually Microsoft bulletins and such) and they all say that a "guru" network admin will be constantly monitoring the traffic and know what "normal" network traffic looks like on his/her and that the "guru" network admin would not configure account lockouts in GPOs to save on 'help desk support' and malware will be spotted in routine traffic monitoring.

One last thing, to quote an article on network security I read... "if your network has been compromised, you cannot trust your auditing logs".

I hope this helps

~Binks
 
dr_binks commented:
erm.. the account lockout should be caused by a number of unsuccessful login attempts. I was reading a file from the MS bulletin that said if users frequently get account lockouts.. say when they start.. work then it might be malware on the system trying to 'crack' accounts.
 
sstouk (author) commented:
I understand that there might be multiple reasons as you indicated - that was why I created this question.
Is there any monitoring that I could enable to catch where the lockout comes from and from what application or process?
What would you do if the user tells you the account is locked out periodically and for no reason and there are no mappings existing or remembered on his PC?
What monitoring tools would you use to catch this?
What if someone (just as an example) put a script anywhere on the domain, using his login name with incorrect password - we have 3000+ Domain users here...
How would you catch that?
Obviously, I would start with checking the Security event log on all Domain Controllers (we have 12)... which is quite a work to be done...
Do you have any suggestions or know of any existing methods of troubleshooting this kind of problem?
Thanks.
 
sstouk (author) commented:
Thanks.
We have solved the problem by generating a report based on the Security Event Log from every domain controller that we have.
We installed Microsoft Operations Manager 2005 in our environment and created a rule to catch any account locks.
Each event goes into the MS SQL Database and I created a script, which parses the MOM 2005 database and generates daily reports on the multiple different security events, "Account Lockouts, Login Failures, Membership changes etc". Overall around 50 or so reports.
These could be analyzed and checked as to the source of the problem, because each log record lists the IP address from where the lockout was generated and the attempted user name, type of the logon and the process that generated an event.

It gives enough information to troubleshoot and find the cause of the lockouts.

Thank you for your attention to this question.
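The report the author describes (lockout events from every domain controller, with the originating machine, account and logon details) can be pulled directly from the Security logs without a MOM database. The script below is an added example, not the author's MOM 2005 script or anything from the thread. It assumes the ActiveDirectory PowerShell module for enumerating DCs, Windows Server 2008 or later event IDs (4740 for a lockout, 4771 for a Kerberos pre-authentication failure; on the 2003-era systems in the thread the lockout event is 644), and an account allowed to read the remote Security logs.

```powershell
# Added example: summarise account lockouts and bad-password attempts across all DCs.
# Assumes the ActiveDirectory module and 2008+ audit event IDs (not the 2003-era 644).
Import-Module ActiveDirectory

function Get-LockoutReport {
    param(
        [int]$HoursBack = 24,
        [string[]]$DomainController = (Get-ADDomainController -Filter *).HostName
    )
    $since  = (Get-Date).AddHours(-$HoursBack)
    # 4740: account locked out (TargetDomainName holds the caller computer name).
    # 4771: Kerberos pre-auth failure; Status 0x18 means a bad password, IpAddress is the client.
    $filter = @{ LogName = 'Security'; Id = 4740, 4771; StartTime = $since }

    foreach ($dc in $DomainController) {
        try {
            $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
        } catch {
            # "No events were found" is normal on a quiet DC; anything else is worth seeing.
            if ($_.Exception.Message -notmatch 'No events were found') { Write-Warning "$dc : $_" }
            continue
        }
        foreach ($e in $events) {
            # Read the named EventData fields from the XML rather than relying on positional Properties.
            $x = [xml]$e.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

            if ($e.Id -eq 4771 -and $d['Status'] -ne '0x18') { continue }  # keep only bad-password failures

            [pscustomobject]@{
                Time    = $e.TimeCreated
                DC      = $dc
                EventId = $e.Id
                Account = $d['TargetUserName']
                # For 4740 the source is a computer name; for 4771 it is the client IP.
                Source  = if ($e.Id -eq 4740) { $d['TargetDomainName'] } else { $d['IpAddress'] }
                Status  = $d['Status']
            }
        }
    }
}

# Daily report: every lockout/bad-password record, then a count per (account, source) pair
# so a single host hammering one account (a stale scheduled task, service or script) stands out.
$report = Get-LockoutReport -HoursBack 24
$report | Export-Csv -Path (".\lockouts-{0:yyyyMMdd}.csv" -f (Get-Date)) -NoTypeInformation
$report | Group-Object Account, Source | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The 4740 event names the caller computer, not the process; once the source host is known, its own Security log (4625 failed logons, which do carry ProcessName and LogonType) shows what on that machine is presenting the stale password. For 4771, a Status other than 0x18 (expired password, clock skew, disabled account) is deliberately excluded so the count only reflects wrong-password attempts.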
 
dr_binks commented:
did you actually find the cause of the problem?
 
sstouk (author) commented:
The eventlogs rolled over and there is no way to see the possible causes at this time.
The current security audit system that we implemented should allow us to have the data in hand when this happens again.
I am waiting for the problem to re-appear to analyze it.