
  • Status: Solved

Auditing one user. Keeps getting locked out.

How do I audit just one user? His user account keeps getting locked out and we have no idea why.

What should I audit etc?

Windows 2003 Server, XP SP3 Client.
0
Fernando
Asked:
 
KCTS Commented:
You can't audit one user - not unless you create an OU for them exclusively?
Set up your system to audit FAILURE on both Account Logon and Logon and then check the security log.
0
 
Joseph Daly Commented:
If you check the logs on your domain controller, you should be able to see failed logon events and lockouts. I would download ALTools from Microsoft's website. This is very helpful because it gives you the time and domain controller where the user was locked out. This will help narrow your event log searches.

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
0
 
Fernando (Author) Commented:
I need to check their security log, right? I have done this and he has a heap of logon failures from other PCs / users in his home office... which never "logon" to his PC. They simply connect to his network. What do they all mean? That can't be locking his account on the domain, surely?
0
 
pr0t0c0l12 Commented:
The failed events should tell you who has been locked out and how many times that user tried to log in. If the user has persistent software that is constantly asking to be authenticated, then it will lock the account down. Sometimes IncrediMail does that with accounts.

Is the account an AD account? or LDAP account?  

Check the server logs and see if that helps you.  

0
 
KCTS Commented:
If they are connecting to a share and using an account to access the share, then this in effect generates a log-on and can lock an account if too many attempts are made to access the share with a bad password.
0
 
Joseph Daly Commented:
This is a domain account, correct? If so, you need to run the ALTools and put in his user account name. Once you do that, it will tell you when the account lockout happened. Once you find that time, you can check the security logs on the domain controller for failed events. If you find them, they will have specific category meanings for whether it was an interactive failure (wrong password entered) or a service failure (a service trying to start under his account causing the failure).
0
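The procedure described in the comment above (find the lockout time, then read the failed logon events leading up to it) can be scripted once the domain controller's security log has been exported. This is an added example, not part of the original thread: the CSV column layout, user names and host names are constructed assumptions, while event IDs 529 and 644 and the logon type numbers are the standard Windows Server 2003 values.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Windows Server 2003 security event IDs: 529 = logon failure (unknown user
# name or bad password), 644 = user account locked out.
FAILED_LOGON, LOCKED_OUT = 529, 644
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive"}

# Constructed sample export; the column layout is an assumption, not a real tool's format.
SAMPLE = """time,event_id,user,logon_type,workstation
2009-03-02 08:58:10,529,jsmith,3,HOME-PC2
2009-03-02 09:01:12,529,jsmith,3,HOME-PC2
2009-03-02 09:01:40,529,jsmith,5,FILESRV1
2009-03-02 09:01:55,529,bjones,2,DESK-14
2009-03-02 09:02:03,529,jsmith,3,HOME-PC2
2009-03-02 09:02:04,644,jsmith,,DC01
2009-03-02 11:30:00,529,jsmith,2,DESK-07
"""

def parse(text):
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["time"] = datetime.strptime(r["time"], "%Y-%m-%d %H:%M:%S")
        r["event_id"] = int(r["event_id"])
        r["user"] = r["user"].lower()  # account names are case-insensitive
        rows.append(r)
    return rows

def lockout_sources(rows, user, window_minutes=30):
    """Per lockout of `user`: failed logons in the preceding window, by (workstation, logon type)."""
    user = user.lower()
    mine = [r for r in rows if r["user"] == user]
    report = []
    for lock in (r for r in mine if r["event_id"] == LOCKED_OUT):
        start = lock["time"] - timedelta(minutes=window_minutes)
        counts = Counter(
            (r["workstation"], LOGON_TYPES.get(int(r["logon_type"]), "Other"))
            for r in mine
            if r["event_id"] == FAILED_LOGON and start <= r["time"] <= lock["time"]
        )
        report.append((lock["time"], counts.most_common()))
    return report

if __name__ == "__main__":
    for when, sources in lockout_sources(parse(SAMPLE), "jsmith"):
        print("Locked out at", when, "->", sources)
```

In the sample, the Network failures from one workstation dominate the window before the lockout, which is the pattern a share or mapped drive retrying an old password would produce.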
 
pr0t0c0l12 Commented:
Check this and it might help you understand other scenarios possibly locking you down.

http://www.sakana.fr/blog/2007/02/27/active-directory-user-account-repeatedly-locked-for-no-reason/
0
 
Joseph Daly Commented:
Does this user have any mapped drives or stored passwords? It's possible one of these could be causing all of his lockouts if he updated his password but is still using the old credentials.
0
 
pr0t0c0l12 Commented:
Also unplug the network cable and reset the password. Determine if the account gets locked out in a little while. If it doesn't, then there is some software doing what I described. If it gets locked out, possibly he has a shared drive or network drive connected (or trying to connect) from some other place.

Good luck
0
 
Fernando (Author) Commented:
It is an AD account. I think I have enough to go by for now. You guys are incredibly fast in replying. How can I give you all 500 points? hehe
0
 
Fernando (Author) Commented:
Thank you all for your help. Have a good day! :)
0
