Auditing one user. Keeps getting locked out.

Posted on 2008-10-24
Last Modified: 2012-05-05
How do I audit just one user? His user account keeps getting locked out and we have no idea why.

What should I audit etc?

Windows 2003 Server, XP SP3 Client.
Question by:Fernando
11 Comments
 
LVL 70

Assisted Solution

by:KCTS
KCTS earned 600 total points
ID: 22801076
You can't audit one user - not unless you create an OU for them exclusively.
Set up your system to audit FAILURE on both Account Logon and Logon and then check the security log.
0
 
LVL 35

Accepted Solution

by:
Joseph Daly earned 700 total points
ID: 22801094
If you check the logs on your domain controller you should be able to see failed logon events and lockouts. I would download ALtools from Microsoft's website. This is very helpful because it gives you the time and domain controller where the user was locked out. This will help narrow your event log searches.

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
0
 

Author Comment

by:Fernando
ID: 22801106
I need to check their security log, right? I have done this and he has a heap of logon failures from other PCs / users in his home office... which never "logon" to his PC. They simply connect to his network. What do they all mean? That can't be locking his account on the domain, surely?
0
 
LVL 7

Assisted Solution

by:pr0t0c0l12
pr0t0c0l12 earned 700 total points
ID: 22801121
The failed events should tell you who has been locked out and how many times that user tried to log in. If the user has persistent software that is constantly asking to be authenticated, then it will lock the account down. Sometimes IncrediMail does that with accounts.

Is the account an AD account or an LDAP account?

Check the server logs and see if that helps you.  

0
 
LVL 70

Expert Comment

by:KCTS
ID: 22801126
If they are connecting to a share and using an account to access the share, then this in effect generates a log-on and can lock an account if too many attempts are made to access the share with a bad password.
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 22801131
This is a domain account, correct? If so, you need to run the ALtools and put in his user account name. Once you do that it will tell you when the account lockout happened. Once you find that time, you can check the security logs on the domain controller for failed events. If you find them, they will have specific category meanings for whether it was an interactive failure (wrong password entered) or a service failure (a service trying to start under his account causing the failure).
0
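
The triage described in the answers above (find the lockout time, then look at that one user's failed logons on the domain controller and see where they came from and whether they were interactive, network or service logons), as an added example that is not part of the original thread. It assumes the Security log has been exported to CSV; the column names, host names and user name are constructed, and the event IDs 529 (logon failure, bad password) and 644 (account locked out) are the Windows Server 2003 IDs, which the thread itself does not mention.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Windows logon type codes; connecting to a share is a type 3 (network) logon.
LOGON_TYPES = {2: "interactive", 3: "network", 4: "batch", 5: "service",
               7: "unlock", 10: "remote interactive"}

# Constructed sample: CSV export of a domain controller's Security log.
# Columns, hosts and users are made up for this example (assumption).
# 529 = logon failure (bad password), 644 = account locked out (Server 2003).
SAMPLE_EXPORT = """time,event_id,user,logon_type,workstation
2008-10-24 08:05:02,529,jsmith,2,JSMITH-XP
2008-10-24 09:10:11,529,jsmith,3,HOMEPC-02
2008-10-24 09:10:41,529,jsmith,3,HOMEPC-02
2008-10-24 09:11:12,529,adavis,2,ADAVIS-XP
2008-10-24 09:11:40,529,jsmith,3,HOMEPC-02
2008-10-24 09:12:05,529,jsmith,5,FILESRV01
2008-10-24 09:12:06,644,jsmith,,DC01
"""

def parse(export_text):
    """Turn the CSV export into dicts with typed time/event_id/logon_type."""
    rows = []
    for r in csv.DictReader(io.StringIO(export_text)):
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["event_id"] = int(r["event_id"])
        r["logon_type"] = int(r["logon_type"]) if r["logon_type"] else None
        rows.append(r)
    return rows

def lockout_sources(rows, user, window_minutes=30):
    """For each lockout of `user`, count the failed logons in the window
    before it, grouped by (workstation, logon type), most frequent first."""
    mine = [r for r in rows if r["user"].lower() == user.lower()]
    report = []
    for lock in (r for r in mine if r["event_id"] == 644):
        start = lock["time"] - timedelta(minutes=window_minutes)
        counts = Counter(
            (r["workstation"], LOGON_TYPES.get(r["logon_type"], "other"))
            for r in mine
            if r["event_id"] == 529 and start <= r["time"] <= lock["time"])
        report.append((lock["time"], counts.most_common()))
    return report

if __name__ == "__main__":
    for when, sources in lockout_sources(parse(SAMPLE_EXPORT), "jsmith"):
        print("Locked out at", when, "-", sources)
```

In the sample, the failures that precede the lockout are network logons from another PC plus one service logon, not wrong passwords typed at the user's own machine, which is the pattern the mapped-drive and stored-password replies describe.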
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 22801134
Check this and it might help you understand other scenarios possibly locking you down.  

http://www.sakana.fr/blog/2007/02/27/active-directory-user-account-repeatedly-locked-for-no-reason/
0
 
LVL 35

Expert Comment

by:Joseph Daly
ID: 22801136
Does this user have any mapped drives or stored passwords? It's possible one of these could be causing all of his lockouts if he updated his password but is still using the old credentials.
0
 
LVL 7

Expert Comment

by:pr0t0c0l12
ID: 22801145
Also unplug network cable and reset password. Determine if account gets locked out in a little while. If it doesn't, then there is some software doing what I described. If it gets locked out, possibly he has a shared drive or network drive connected (or trying to connect) from some other place.

Good luck
0
 

Author Comment

by:Fernando
ID: 22801165
It is an AD account. I think I have enough to go by for now. You guys are incredibly fast in replying. How can I give you all 500 points? hehe
0
 

Author Comment

by:Fernando
ID: 22801180
Thank you all for your help. Have a good day! :)
0
