?
Solved

Account Lockout and no Auditing Records

Posted on 2008-10-23
3
Medium Priority
?
828 Views
Last Modified: 2008-10-23
We just went through a domain wide password change and everything went well except for a few users.  Randomly there account get locked out.  We have been unable to track down this problem.  When I take a look at the domain controllers for these events I am unable to find them.  I took a test domain account and got it to lock out but I am unable to find the event record on the Domain Controllers that show the lockout.  Any ideas?
0
Comment
Question by:thomashospital
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 7

Accepted Solution

by:
Dusan_Bajic earned 750 total points
ID: 22786136
You probably have some services or tasks running with that accounts credentials and old password. Make sure that you audit failed logons:

Open GPMC
Select Default Domain Controllers Policy (or whichever Domain Controllers Policy is used within your environment)
Click on the Edit button
Select Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy
Audit account logon events: failure
Audit logon events: failure
0
 
LVL 3

Expert Comment

by:Karl12347
ID: 22786153
Use the following tool from microsoft to search all you domain controller event logs for event with that users name.
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

EventCombMT.exe

Found this very usefull in the past.

Generally the problem will be due to the user being logged onto 2 workstations one will have the old password and they will be getting locked out frequently when using the new password. This is because the other logged on machine will still be communcating with the domain controller.

Same thing happens with network drive mappings using the old credentials.

Hope this helps.
0
 
LVL 8

Expert Comment

by:Sinder255248
ID: 22786164
Have you enabled Account Management for Failure in the Domain Controller Security policy?

Also if you need to track it down you can enable Netlogon loggins.  Download the LockoutStatus tool from Microsoft, search on the target, right click on the DC you wish to monitor, and click Enable Netlogon Logging...  leave it until this account locks out then go view the log through this tool.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory security has been a hot topic of late, and for good reason. With 90% of the world’s organization using this system to manage access to all parts of their IT infrastructure, knowing how to protect against threats and keep vulnerabil…
A hard and fast method for reducing Active Directory Administrators members.
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …
Suggested Courses

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question