  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 837

Account Lockout and no Auditing Records

We just went through a domain-wide password change and everything went well except for a few users. Randomly, their accounts get locked out. We have been unable to track down this problem. When I take a look at the domain controllers for these events I am unable to find them. I took a test domain account and got it to lock out, but I am unable to find the event record on the Domain Controllers that shows the lockout. Any ideas?
Asked by: thomashospital

1 Solution
 
Dusan_BajicCommented:
You probably have some services or tasks running with that account's credentials and the old password. Make sure that you audit failed logons:

Open GPMC
Select Default Domain Controllers Policy (or whichever Domain Controllers Policy is used within your environment)
Click on the Edit button
Select Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy
Audit account logon events: failure
Audit logon events: failure
0
 
Karl12347Commented:
Use the following tool from Microsoft to search all your domain controller event logs for events with that user's name.
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

EventCombMT.exe

Found this very useful in the past.

Generally the problem will be due to the user being logged onto 2 workstations: one will have the old password, and they will be getting locked out frequently when using the new password. This is because the other logged-on machine will still be communicating with the domain controller.

Same thing happens with network drive mappings using the old credentials.

Hope this helps.
0
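The two answers above boil down to one procedure: turn on failure auditing on the DCs, then search every DC's Security log for the user's failed logons and lockouts and read off which machine sent them. The PowerShell below does the search part. It is an added example, not code from the thread or from EventCombMT; it assumes Windows Server 2008 or later event IDs (4740 account locked out, 4771 Kerberos pre-authentication failed, 4776 NTLM credential validation failed), the ActiveDirectory RSAT module, and a placeholder $SamAccountName. The field names it reads come from the events' XML (in 4740 the originating computer is carried in the TargetDomainName field).

```powershell
# Added example: report lockouts and failed logons for one account across all DCs,
# with the source machine or address that caused each one.
param(
    [Parameter(Mandatory)][string]$SamAccountName,   # placeholder: the locked-out user
    [int]$HoursBack = 24
)
Import-Module ActiveDirectory

$since = (Get-Date).AddHours(-$HoursBack)
$dcs   = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    try {
        # 4740 is written on the PDC emulator, but 4771/4776 land on whichever DC
        # handled the bad logon, so every DC is queried. Get-WinEvent throws
        # "No events were found" when a DC has nothing in range; treat it as a warning.
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable @{
            LogName   = 'Security'
            Id        = 4740, 4771, 4776
            StartTime = $since
        } -ErrorAction Stop
    } catch {
        Write-Warning ("{0}: {1}" -f $dc, $_.Exception.Message)
        continue
    }

    foreach ($e in $events) {
        # Pull the EventData name/value pairs out of the event XML.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Each event ID names its fields differently; pick user and source per ID.
        switch ($e.Id) {
            4740 { $user = $data['TargetUserName']; $source = $data['TargetDomainName'] }  # caller computer name
            4771 { $user = $data['TargetUserName']; $source = $data['IpAddress'] }         # client IP (::ffff:x.x.x.x form)
            4776 { $user = $data['TargetUserName']; $source = $data['Workstation'] }       # NTLM source workstation
        }

        if ($user -eq $SamAccountName) {
            [pscustomobject]@{
                Time    = $e.TimeCreated
                DC      = $dc
                EventId = $e.Id
                User    = $user
                Source  = $source
            }
        }
    }
}

# Oldest first, so the 4771/4776 failures that preceded the 4740 lockout read in order.
$results | Sort-Object Time | Format-Table -AutoSize
```

If the script returns 4740 events but no 4771/4776 failures before them, the failure audit categories from the first answer are not yet in effect on the DCs; once they are, the Source column of the failures is the workstation, service host or mapped-drive client still holding the old password.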
 
Sinder255248Commented:
Have you enabled Account Management for Failure in the Domain Controller Security policy?

Also, if you need to track it down, you can enable Netlogon logging. Download the LockoutStatus tool from Microsoft, search on the target, right-click on the DC you wish to monitor, and click Enable Netlogon Logging... Leave it until this account locks out, then go view the log through this tool.
0
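Enabling Netlogon logging as described above makes each DC write its authentication decisions to %SystemRoot%\debug\netlogon.log, and the file names the machine each request came from, which is what you need to find the workstation or service still using the old password. The function below summarises the failed entries for one account by source and NTSTATUS code. It is an added example, not part of the answer or of the LockoutStatus tool; the sample lines are constructed to match the usual "SamLogon: ... Entered / Returns 0x..." layout of that log, and the regular expression is tailored to that layout.

```powershell
# Added example: summarise failed Netlogon authentications for one account.
# Status codes of interest (standard NTSTATUS values):
#   0xC000006A wrong password   0xC000006D logon failure   0xC0000234 account locked out
function Get-NetlogonFailures {
    param(
        [Parameter(Mandatory)][string[]]$Lines,          # lines of netlogon.log
        [Parameter(Mandatory)][string]$SamAccountName    # account to report on
    )
    # Matches e.g.
    # 04/12 14:03:21 [LOGON] [3712] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 Returns 0xC000006A
    # The optional "(via DCNAME)" that transitive logons carry is absorbed by ".*" before "Returns".
    $rx = '^(?<ts>\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?SamLogon: (?<kind>.+?) logon of (?<dom>[^\\]+)\\(?<user>\S+) from (?<src>\S+) .*Returns (?<status>0x[0-9A-Fa-f]+)'

    $Lines |
        ForEach-Object {
            if ($_ -match $rx -and $Matches.user -eq $SamAccountName -and $Matches.status -ne '0x0') {
                [pscustomobject]@{ Time = $Matches.ts; Source = $Matches.src; Status = $Matches.status; Kind = $Matches.kind }
            }
        } |
        Group-Object Source, Status |
        ForEach-Object {
            [pscustomobject]@{
                Source = $_.Group[0].Source
                Status = $_.Group[0].Status
                Count  = $_.Count
                First  = $_.Group[0].Time
                Last   = $_.Group[-1].Time
            }
        }
}

# Constructed sample lines (not real log data): WS01 keeps retrying with the old
# password until the account locks, after which WS02's correct password is refused.
$sample = @(
    '04/12 14:03:21 [LOGON] [3712] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 Entered',
    '04/12 14:03:21 [LOGON] [3712] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 Returns 0xC000006A',
    '04/12 14:04:05 [LOGON] [3712] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 Entered',
    '04/12 14:04:05 [LOGON] [3712] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WS01 Returns 0xC000006A',
    '04/12 14:05:40 [LOGON] [3712] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WS02 (via DC01) Entered',
    '04/12 14:05:40 [LOGON] [3712] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WS02 (via DC01) Returns 0xC0000234',
    '04/12 14:05:41 [LOGON] [3712] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WS03 Entered',
    '04/12 14:05:41 [LOGON] [3712] CONTOSO: SamLogon: Network logon of CONTOSO\asmith from WS03 Returns 0x0'
)

Get-NetlogonFailures -Lines $sample -SamAccountName 'jdoe' | Format-Table -AutoSize
# On a DC, run against the live file instead:
# Get-NetlogonFailures -Lines (Get-Content "$env:SystemRoot\debug\netlogon.log") -SamAccountName 'jdoe'
```

In the sample, WS01 shows two 0xC000006A entries (the stale credential) and WS02 one 0xC0000234 (the user's own logon, rejected only because the account is already locked), so WS01 is the machine to check for a cached password, service or mapped drive.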
