Solved

Account Lockout and no Auditing Records

Posted on 2008-10-23
815 Views
Last Modified: 2008-10-23
We just went through a domain-wide password change and everything went well except for a few users.  Randomly, their accounts get locked out.  We have been unable to track down this problem.  When I take a look at the domain controllers for these events I am unable to find them.  I took a test domain account and got it to lock out, but I am unable to find the event record on the Domain Controllers that shows the lockout.  Any ideas?
Question by:thomashospital
3 Comments
 
LVL 7

Accepted Solution

by:
Dusan_Bajic earned 250 total points
ID: 22786136
You probably have some services or tasks running with that account's credentials and the old password. Make sure that you audit failed logons:

Open GPMC
Select Default Domain Controllers Policy (or whichever Domain Controllers Policy is used within your environment)
Click on the Edit button
Select Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy
Audit account logon events: failure
Audit logon events: failure
0
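As an added example (not part of Dusan_Bajic's answer), the same failure auditing set from the command line on a Windows Server 2008 or later domain controller with auditpol.exe, followed by a check that the setting took. Two caveats a practitioner will want: the lockout event itself (ID 4740 on Server 2008 and later, 644 on Server 2003) is written only on the PDC emulator and only when Account Management auditing is on, which is the category the list above does not include and is the usual reason the event cannot be found; and if the category-level audit settings come from a GPO, local subcategory settings are overwritten at the next policy refresh unless the GPO carries them (or the "Force audit policy subcategory settings to override audit policy category settings" option is enabled), so put the same settings in the Domain Controllers GPO as the answer describes. The Security log size below is an assumed value.

```powershell
# Added example, not the answer's own procedure. Assumes Windows Server 2008+ DCs and an
# elevated prompt as a Domain Admin. Subcategory names are the ones auditpol itself lists.

# 1. Current effective policy for every category (look at Account Logon,
#    Account Management and Logon/Logoff).
auditpol /get /category:*

# 2. Failure auditing for the subcategories that record bad passwords and lockouts.
#    Kerberos pre-auth failures (4771) and NTLM validation failures (4776) are logged on
#    the DC that rejected the password; the lockout (4740) is logged on the PDC emulator
#    under User Account Management, so that subcategory is the one the missing events need.
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable
auditpol /set /subcategory:"Credential Validation" /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /failure:enable

# 3. Verify, then make sure the Security log will not roll over before you read it
#    (256 MB is an assumed size; pick one that holds a day of traffic on your DCs).
auditpol /get /category:"Account Logon"
auditpol /get /category:"Account Management"
auditpol /get /category:"Logon/Logoff"
wevtutil sl Security /ms:268435456

# 4. Which DC holds the PDC emulator role, i.e. the only Security log where 4740 appears.
netdom query fsmo
```

Run step 4 first if you only have time to look in one place: a lockout that cannot be found on "the domain controllers" is very often simply on the one DC that was not checked.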
 
LVL 3

Expert Comment

by:Karl12347
ID: 22786153
Use the following tool from Microsoft to search all your domain controller event logs for events with that user's name.
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

EventCombMT.exe

Found this very useful in the past.

Generally the problem will be due to the user being logged onto 2 workstations: one will have the old password, and they will be getting locked out frequently when using the new password. This is because the other logged-on machine will still be communicating with the domain controller.

Same thing happens with network drive mappings using the old credentials.

Hope this helps.
0
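As an added example, not from Karl12347's comment, the same search done in PowerShell instead of EventCombMT, for domains on Windows Server 2008 R2 or later where Get-WinEvent and the ActiveDirectory module (RSAT) are available. The event IDs are the Server 2008 and later numbers (Server 2003 logs 644, 675 and 680 for the same things). The user name and the 24-hour window are placeholders. It needs the failure auditing from the accepted answer plus Account Management auditing to have been in place before the lockout, and Remote Event Log Management allowed through the DC firewall.

```powershell
# Added example, not part of the original comment. Assumes PowerShell 2.0+, the ActiveDirectory
# module, and Security-log read rights on every DC. Event IDs are the Server 2008+ ones.
$User  = 'jsmith'                      # sAMAccountName of the account that keeps locking out (placeholder)
$Since = (Get-Date).AddHours(-24)      # how far back to look

Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName

$hits = foreach ($dc in $dcs) {
    # 4740 = account locked out (written only on the PDC emulator)
    # 4771 = Kerberos pre-authentication failed, 4776 = NTLM credential validation failed
    #        (written on whichever DC rejected the password)
    $filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $Since }
    try {
        $events = Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction Stop
    } catch {
        # Get-WinEvent throws when a DC has no matching events at all; that is not an error here.
        Write-Verbose "$dc : $($_.Exception.Message)"
        continue
    }
    foreach ($e in $events) {
        # Read the named EventData fields from the event XML instead of scraping the message text.
        $d = @{}
        foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d.TargetUserName -ne $User) { continue }
        # The field that names the machine that sent the bad password differs per event:
        #   4740: TargetDomainName carries the "Caller Computer Name"
        #   4771: IpAddress of the Kerberos client
        #   4776: Workstation that submitted the NTLM request
        $source = switch ($e.Id) {
            4740 { $d.TargetDomainName }
            4771 { $d.IpAddress }
            4776 { $d.Workstation }
        }
        New-Object PSObject -Property @{
            DC     = $dc
            Time   = $e.TimeCreated
            Id     = $e.Id
            Status = $d.Status   # 4771: 0x18 = bad password; 4776: 0xC000006A = bad password, 0xC0000234 = locked out
            Source = $source
        }
    }
}

$hits | Sort-Object Time | Format-Table Time, DC, Id, Status, Source -AutoSize

# The machines in Source are where the old password is still cached (a second logon session,
# a service or scheduled task, a mapped drive). Group to find the repeat offender:
$hits | Group-Object Source | Sort-Object Count -Descending | Select-Object Count, Name
```

One caveat when reading the result: the caller in 4740 is the machine that submitted the bad password to the DC, which for a network logon is the server the user connected to (a file server, Exchange, a terminal server), not necessarily the user's own workstation. Follow it to that server's Security log (4625 failures there name the real client) if the grouped list points at a server.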
 
LVL 8

Expert Comment

by:Sinder255248
ID: 22786164
Have you enabled Account Management for Failure in the Domain Controller Security policy?

Also, if you need to track it down you can enable Netlogon logging.  Download the LockoutStatus tool from Microsoft, search on the target, right-click on the DC you wish to monitor, and click Enable Netlogon Logging...  Leave it until this account locks out, then go view the log through this tool.
0
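As an added example, not part of Sinder255248's comment, the same Netlogon logging enabled with nltest.exe (present on any domain controller) and a small PowerShell parser for the resulting netlogon.log, which records every logon the DC processed, the machine it came from and the NTSTATUS it returned. The log lines used as input are constructed for the example; real lines differ in timestamps, PIDs and names but keep this shape. The log path is the default %windir%\debug\netlogon.log.

```powershell
# Added example, not the commenter's own procedure. Assumes Server 2003+ DCs with nltest.exe
# and the default netlogon.log location. Sample log lines below are constructed, not real.

# --- Turn verbose Netlogon logging on (run on the DC, or remotely with /server:<DC>).
# --- 0x2080ffff is the documented "log everything" flag; set it back to 0x0 when finished,
# --- because the log grows quickly on a busy DC.
#   nltest /dbflag:0x2080ffff
#   nltest /server:DC01 /dbflag:0x2080ffff
#   ... wait for the account to lock out, then:
#   nltest /dbflag:0x0

# NTSTATUS values Netlogon returns for the outcomes that matter here
$StatusText = @{
    '0x0'        = 'success'
    '0xC000006A' = 'wrong password'
    '0xC0000234' = 'account locked out'
}

function Get-NetlogonFailures {
    param(
        [string[]] $Lines,   # contents of netlogon.log
        [string]   $User     # sAMAccountName to look for
    )
    # Matches the "Returns <status>" line of each logon, e.g.
    # "10/23 09:15:02 [LOGON] [1420] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WS01 (via APPSRV01) Returns 0xC000006A"
    $rx = '^(?<ts>\S+ \S+) .*logon of (?<dom>[^\\]+)\\(?<user>\S+) from (?<from>\S+)(?: \(via (?<via>\S+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'
    foreach ($line in $Lines) {
        if (-not ($line -match $rx)) { continue }
        if ($Matches['user'] -ne $User) { continue }
        $code = $Matches['status']
        if ($code -eq '0x0') { continue }                     # only failures
        New-Object PSObject -Property @{
            Time   = $Matches['ts']
            From   = $Matches['from']     # machine that sent the credentials
            Via    = $Matches['via']      # member server that forwarded a network logon, if any
            Status = $code
            Reason = $(if ($StatusText.ContainsKey($code)) { $StatusText[$code] } else { 'other' })
        }
    }
}

# Constructed sample: two bad passwords from WS01 (one relayed through APPSRV01), then the lockout,
# then an unrelated successful interactive logon from another machine.
$sample = @(
    '10/23 09:15:02 [LOGON] [1420] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WS01 (via APPSRV01) Entered',
    '10/23 09:15:02 [LOGON] [1420] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jsmith from WS01 (via APPSRV01) Returns 0xC000006A',
    '10/23 09:15:07 [LOGON] [1420] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WS01 Returns 0xC000006A',
    '10/23 09:15:09 [LOGON] [1420] CONTOSO: SamLogon: Network logon of CONTOSO\jsmith from WS01 Returns 0xC0000234',
    '10/23 09:15:30 [LOGON] [1420] CONTOSO: SamLogon: Interactive logon of CONTOSO\jsmith from LAPTOP7 Returns 0x0'
)
Get-NetlogonFailures -Lines $sample -User 'jsmith' | Format-Table Time, From, Via, Status, Reason -AutoSize

# Against a real DC, and grouped by source to find the machine holding the old password:
#   Get-NetlogonFailures -Lines (Get-Content "$env:windir\debug\netlogon.log") -User 'jsmith' |
#       Group-Object From | Sort-Object Count -Descending
```

The From column is the reason to bother with Netlogon logging at all: it names the sending machine even when Security-log auditing was not enabled before the lockout, so it works on the next lockout rather than requiring the policy change first. The file is capped at 20 MB by default and wraps to netlogon.bak, so read it soon after the lockout.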
