Solved

AD account keeps locking out

Posted on 2009-03-31
Last Modified: 2013-12-04
I have a user account that is getting locked out about every 5 secs; we have a lockout policy set on 5 invalid attempts.
The user has changed his password as per our password ageing policy and since then it keeps locking out. I'm assuming it's because there is another process that is trying to access his account using the old password, so I looked in the Event Viewer on the DC and I don't see any events logged for the account locking.

I have set the Domain policy to log all logon failures but the only event I see is for Success Audit. How do I get logon failures to display in the Event Viewer, and any other event I might need to track down the offending process?
Question by:BrianFord
10 Comments
 
LVL 7

Expert Comment

by:maze-uk
ID: 24029893
0
 
LVL 8

Expert Comment

by:dmarinenko
ID: 24029910
Under Event Viewer, right-click on Security, and go to Properties.
Then under, I believe, Filter, check the audit failed logins.

Also look under the services (Services.msc after clicking run in the start menu)
Make sure there aren't services running under that account
0
 

Author Comment

by:BrianFord
ID: 24029915
I have that tool, but it doesn't tell me where the process that's trying to log on is coming from; it just lets me unlock it, unless I'm using the tool wrong.
0
 

Author Comment

by:BrianFord
ID: 24029945
I have tried the filter, there are NO Audit Failures being logged
0
 
LVL 7

Accepted Solution

by:
maze-uk earned 1000 total points
ID: 24029978
Follow the white rabbit, Brian :-)

ALTools.exe contains tools that assist you in managing accounts and in troubleshooting account lockouts. Use these tools in conjunction with the Account Passwords and Policies white paper.
ALTools.exe includes:
AcctInfo.dll. Helps isolate and troubleshoot account lockouts and to change a user's password on a domain controller in that user's site. It works by adding new property pages to user objects in the Active Directory Users and Computers Microsoft Management Console (MMC).

ALockout.dll. On the client computer, helps determine a process or application that is sending wrong credentials.
Caution: Do not use this tool on servers that host network applications or services. Also, you should not use ALockout.dll on Exchange servers, because it may prevent the Exchange store from starting.

ALoInfo.exe. Displays all user account names and the age of their passwords.

EnableKerbLog.vbs. Used as a startup script, allows Kerberos to log on to all your clients that run Windows 2000 and later.

EventCombMT.exe. Gathers specific events from event logs of several different machines to one central location.

LockoutStatus.exe. Determines all the domain controllers that are involved in a lockout of a user in order to assist in gathering the logs. LockoutStatus.exe uses the NLParse.exe tool to parse Netlogon logs for specific Netlogon return status codes. It directs the output to a comma-separated value (.csv) file that you can sort further, if needed.

NLParse.exe. Used to extract and display desired entries from the Netlogon log files.
0
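As an added illustration of the Netlogon-log parsing that the answer above attributes to NLParse.exe and LockoutStatus.exe (this is not code from the thread or from Microsoft's tools): a Python script that tallies wrong-password attempts per source machine for one user. The log line layout and the sample lines are assumptions constructed for the example; 0xC000006A and 0xC0000234 are the standard NTSTATUS codes for a wrong password and a locked-out account.

```python
import re
from collections import Counter

# NTSTATUS values relevant to lockouts (standard Windows codes).
STATUS = {
    0xC000006A: "wrong password",
    0xC0000234: "account locked out",
}

# Assumed shape of a Netlogon debug log entry:
# MM/DD HH:MM:SS [LOGON] ... logon of DOMAIN\user from HOST [(via HOST)] Returns 0x...
LINE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\].*? logon of "
    r"(?P<dom>[^\\\s]*)\\(?P<user>\S+) from (?P<src>\S+)"
    r"(?: \(via (?P<via>[^)]+)\))? Returns (?P<code>0x[0-9A-Fa-f]+)\s*$"
)

def failed_logons(lines, user):
    """Yield (timestamp, source, via, reason) for lockout-related failures of `user`."""
    for line in lines:
        m = LINE.match(line.strip())
        if not m or m["user"].lower() != user.lower():
            continue  # "Entered" lines, other users, unrelated entries
        reason = STATUS.get(int(m["code"], 16))
        if reason:
            yield m["ts"], m["src"], m["via"], reason

def sources_by_count(lines, user):
    """Count wrong-password attempts per originating machine, busiest first."""
    hits = Counter(src for _, src, _, why in failed_logons(lines, user)
                   if why == "wrong password")
    return hits.most_common()

# Constructed sample lines, not taken from the thread.
SAMPLE = r"""
03/31 09:14:02 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS-017 Entered
03/31 09:14:02 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS-017 Returns 0xC000006A
03/31 09:14:07 [LOGON] SamLogon: Transitive Network logon of EXAMPLE\jdoe from WKS-017 (via FILESRV01) Returns 0xC000006A
03/31 09:14:09 [LOGON] SamLogon: Network logon of EXAMPLE\asmith from WKS-022 Returns 0x0
03/31 09:14:12 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from MAIL-GW Returns 0xC000006A
03/31 09:14:13 [LOGON] SamLogon: Network logon of EXAMPLE\jdoe from WKS-017 Returns 0xC0000234
""".strip().splitlines()

if __name__ == "__main__":
    for src, n in sources_by_count(SAMPLE, "jdoe"):
        print(f"{src}: {n} wrong-password attempts")
```

The machine at the top of the tally is the first place to look for a service, mapped drive or saved credential still presenting the old password; a "via" host means the request was passed through that server rather than originating on it.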
 

Author Comment

by:BrianFord
ID: 24030116
Thanks maze, I guess I need to learn how to use this tool :)
However, how come I don't see any audit failures showing in the event log?
 
0
 

Author Closing Comment

by:BrianFord
ID: 31564869
Thanks, I managed to find the offending process :)
0
 
LVL 7

Expert Comment

by:maze-uk
ID: 24039806
Did you check all the DCs? Use EventCombMT for that: gather specific events on all (or a limited set of) DCs...
0
 

Author Comment

by:BrianFord
ID: 24039892
Yes, I managed to find the offending connection, thanks for your help :)
0
 
LVL 5

Expert Comment

by:KETTANEH
ID: 24730230
I've faced a similar issue with one user before. His machine was infected with a virus.
0
