Solved

Account Lockout and no Auditing Records

Posted on 2008-10-23
3
822 Views
Last Modified: 2008-10-23
We just went through a domain wide password change and everything went well except for a few users.  Randomly their accounts get locked out.  We have been unable to track down this problem.  When I take a look at the domain controllers for these events I am unable to find them.  I took a test domain account and got it to lock out but I am unable to find the event record on the Domain Controllers that shows the lockout.  Any ideas?
0
Comment
Question by:thomashospital
3 Comments
 
LVL 7

Accepted Solution

by:
Dusan_Bajic earned 250 total points
ID: 22786136
You probably have some services or tasks running with that account's credentials and old password. Make sure that you audit failed logons:

Open GPMC
Select Default Domain Controllers Policy (or whichever Domain Controllers Policy is used within your environment)
Click on the Edit button
Select Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy
Audit account logon events: failure
Audit logon events: failure
0
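Added example (not code from any of the posters): the same three checks in PowerShell, written for current Windows versions rather than the 2008-era GUI steps above. It assumes the RSAT ActiveDirectory module, PowerShell remoting to the DCs, read access to their Security logs, and that `Get-ScheduledTask` (Windows 8 / Server 2012 and later) exists on the hosts you check. The account name `jdoe` and the host names are constructed for illustration.

```powershell
# Added example, not part of the original thread. Assumes RSAT ActiveDirectory,
# PS remoting to every DC, and read access to their Security logs.
# $User and $Hosts are constructed placeholders.
$User  = 'jdoe'
$Since = (Get-Date).AddHours(-24)
$DCs   = (Get-ADDomainController -Filter *).HostName

# 1. Confirm the DCs really audit failures. These subcategories are what the legacy
#    "Audit account logon events" / "Audit logon events" settings map to, plus the
#    subcategory that records the 4740 lockout event itself.
$Subcats = 'Logon', 'Credential Validation', 'Kerberos Authentication Service', 'User Account Management'
foreach ($dc in $DCs) {
    Invoke-Command -ComputerName $dc -ScriptBlock {
        foreach ($s in $using:Subcats) { auditpol /get /subcategory:"$s" }
    }
}

# 2. Collect lockouts (4740, written on the PDC emulator) and failed logons for the
#    user from every DC. 4740 stores the caller computer name in TargetDomainName;
#    4771/4625/4776 carry the client address or workstation. That value is the host
#    still presenting the old password.
$Events = foreach ($dc in $DCs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4740, 4625, 4771, 4776; StartTime = $Since
    } | ForEach-Object {
        $data   = ([xml]$_.ToXml()).Event.EventData.Data
        $target = ($data | Where-Object Name -eq 'TargetUserName').'#text'
        if ($target -ne $User) { return }   # -ne is case-insensitive, matching AD
        $srcNames = if ($_.Id -eq 4740) { 'TargetDomainName' }
                    else { 'IpAddress', 'WorkstationName', 'Workstation' }
        [pscustomobject]@{
            DC     = $dc
            Time   = $_.TimeCreated
            Id     = $_.Id
            Source = ($data | Where-Object { $_.Name -in $srcNames } |
                      ForEach-Object { $_.'#text' }) -join ' '
        }
    }
}
$Events | Sort-Object Time | Format-Table -AutoSize

# 3. The first hypothesis in the answer: a service or task still runs with the old
#    password. Check the hosts that step 2 pointed at.
$Hosts = 'APP01', 'WKS01'          # constructed; replace with the Source values above
$re    = [regex]::Escape($User)
foreach ($h in $Hosts) {
    Get-CimInstance -ClassName Win32_Service -ComputerName $h |
        Where-Object { $_.StartName -match $re } |
        Select-Object @{n='Host';e={$h}}, Name, StartName, State
    Get-ScheduledTask -CimSession $h |
        Where-Object { $_.Principal.UserId -match $re } |
        Select-Object @{n='Host';e={$h}}, TaskName, @{n='RunAs';e={$_.Principal.UserId}}
}
```

Two caveats a practitioner should keep in mind: if step 1 shows "No Auditing" for Credential Validation or Kerberos Authentication Service, the failed attempts were never written and step 2 will return nothing, which is exactly the symptom in the question; and 4740 is only raised on the PDC emulator, so a search that skips that DC will miss every lockout.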
 
LVL 3

Expert Comment

by:Karl12347
ID: 22786153
Use the following tool from Microsoft to search all your domain controller event logs for events with that user's name.
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

EventCombMT.exe

Found this very useful in the past.

Generally the problem will be due to the user being logged onto 2 workstations; one will have the old password and they will be getting locked out frequently when using the new password. This is because the other logged-on machine will still be communicating with the domain controller.

Same thing happens with network drive mappings using the old credentials.

Hope this helps.
0
 
LVL 8

Expert Comment

by:Sinder255248
ID: 22786164
Have you enabled Account Management for Failure in the Domain Controller Security policy?

Also if you need to track it down you can enable Netlogon logging.  Download the LockoutStatus tool from Microsoft, search on the target, right click on the DC you wish to monitor, and click Enable Netlogon Logging...  leave it until this account locks out then go view the log through this tool.
0
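Added example (not code from the poster or from the LockoutStatus tool): the same Netlogon logging switch done with `nltest`, followed by a small parser that pulls one account's failed attempts out of `netlogon.log`. The DC name, account name and the four sample log lines are constructed; the line layout and the status codes (`0xC000006A` wrong password, `0xC0000234` locked out) are the ones the Netlogon service writes, and the function is generic, so it will also surface other failures such as `0xC000006F` (outside logon hours).

```powershell
# Added example, not part of the original thread. $DC, $User and $sample are constructed.
$DC   = 'DC01'
$User = 'jdoe'

# 0x2080ffff is Microsoft's documented "log everything" Netlogon flag; it takes effect
# without a service restart. The log lives in %windir%\debug\netlogon.log on the DC.
Invoke-Command -ComputerName $DC -ScriptBlock { nltest /dbflag:0x2080ffff }

function Get-NetlogonFailures {
    param([string[]]$Lines, [string]$User)
    # One line per attempt: "<mm/dd hh:mm:ss> ... logon of DOMAIN\user from SOURCE (via HOST) Returns 0x..."
    # "(via HOST)" is only present for transitive logons forwarded by a member server.
    $pattern = '^(?<ts>\d\d/\d\d \d\d:\d\d:\d\d).*logon of (?<acct>\S+) from (?<src>\S+)' +
               '(?: \(via (?<via>[^)]+)\))? Returns (?<status>0x[0-9A-Fa-f]+)'
    $acctRe  = '\\' + [regex]::Escape($User) + '$'
    foreach ($line in $Lines) {
        if ($line -notmatch $pattern) { continue }
        # copy the captures before the next -match overwrites $Matches
        $ts, $acct, $src, $via, $status = $Matches.ts, $Matches.acct, $Matches.src, $Matches.via, $Matches.status
        if ($acct -notmatch $acctRe -or $status -eq '0x0') { continue }
        $meaning = switch ($status) {
            '0xC000006A' { 'wrong password (stale credential)' }
            '0xC0000234' { 'account locked out' }
            '0xC000006F' { 'outside logon hours' }
            default      { 'other failure' }
        }
        [pscustomobject]@{ Time = $ts; Source = $src; Via = $via; Status = $status; Meaning = $meaning }
    }
}

# Constructed sample in the netlogon.log layout: two bad-password attempts from WKS01
# relayed through APP01, one good logon from WKS07, then the lockout.
$sample = @'
10/23 09:15:02 [LOGON] [2204] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via APP01) Entered
10/23 09:15:02 [LOGON] [2204] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via APP01) Returns 0xC000006A
10/23 09:15:03 [LOGON] [2204] CONTOSO: SamLogon: Network logon of CONTOSO\jdoe from WKS07 Returns 0x0
10/23 09:15:40 [LOGON] [2208] CONTOSO: SamLogon: Transitive Network logon of CONTOSO\jdoe from WKS01 (via APP01) Returns 0xC0000234
'@ -split "`r?`n"

Get-NetlogonFailures -Lines $sample -User $User | Format-Table -AutoSize

# Against the real log, via the admin$ share, once the account has locked out again:
# Get-NetlogonFailures -Lines (Get-Content "\\$DC\admin$\debug\netlogon.log") -User $User
# Then turn logging off: the file grows quickly and rolls to netlogon.bak at its size cap.
Invoke-Command -ComputerName $DC -ScriptBlock { nltest /dbflag:0x0 }
```

The "from" host is where the password was typed or cached; the "(via ...)" host is only the member server that forwarded the request, so for a stale mapped drive or a second logged-on session the first value is the one to chase.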
