• Status: Solved
  • Priority: Medium
  • Security: Public

How do I tell what is Locking a Domain Account?

The domain account I use to log into one of my domain controllers is being locked at random intervals today.  I have not changed anything or fired up any new services.  I did check all of the scheduled tasks and other places I know the account is being used in order to make sure the passwords were correct, but it is still happening.  It is also at random times.  Sometimes it will go 30 minutes, other times it's 5 minutes, and I can watch it and it will get 4 bad attempts and then reset, as if something is getting the right password after so many attempts.  I checked with the staff and no one is trying to remote in.  I need to see if there is an app out there that can tell me what is trying to use this account or where the lockout is originating.  I am getting a little frustrated with this.
Asked:
TheITGuy
2 Solutions
 
karstiemanCommented:
Set up your Active Directory server to monitor unsuccessful / successful logons.
Use the Event Viewer and check for unsuccessful login attempts to your account.
In the log should be enough information to find what's causing your account to lock out.
0
 
jasin00Commented:
You're logged on somewhere else. Download PsTools from Microsoft. There's a util you can run in there from the command line and it'll tell you all the places a user is logged on. It's freeware.
0
 
TheITGuyAuthor Commented:
Pber,  I have that tool set but it is not helping pinpoint where the lockout is originating.  It is helpful in letting me know when it is locked so I can keep it unlocked.
 
jasin00,  Nice try.  I will use this app in the future, however since this account is used to log into our domain controller it pretty much showed it was logged into every system on our network and said remotely next to it.  
0
 
alvin602Commented:
TheITGuy, I use the method jasin00 recommended all the time; you just have to be careful not to scan for the same account you are currently logged in with, otherwise every time you remotely scan a machine it will give you that logged in message.  Log into your PC with a different account than you are scanning for.
0
 
TheITGuyAuthor Commented:
Ok.. I am using my PC to do it this time instead of the domain controller.  Is it normal to be getting the attached code returned on everything it scans?  I would think that since I am logged in with a domain admin account it would be able to open the registry keys on everything.
 
 

Error opening HKEY_USERS for D4281
Unable to query resource logons
Error opening HKEY_USERS for D4303
Unable to query resource logons
Error opening HKEY_USERS for D4340
Unable to query resource logons
Error opening HKEY_USERS for D4511
Error opening HKEY_USERS for D4710

0
 
TheITGuyAuthor Commented:
OK.. It worked but it showed it was only logged into the domain controller that I already knew it was logged into, so I guess that theory is out.  I locked the account to only be able to log into that server but it is still getting locked.  Nothing is in the event viewer on that server about the account so I don't think the problem is at the server.  I think it is something else trying to authenticate to the domain and failing.
0
 
PberSolutions ArchitectCommented:
Use EventCombMT from the account lockout tools:
Right click the Select to search and select: Get all DCs in domain
Right click the Select to search and hold shift and click the range so all DCs are highlighted.
Now select Searches on the main menu, then Built in searches, then nt lockouts
Click Search; once each DC has been searched it will open the directory where the files will be output.  Look through the text files looking for your account.  That should display the event and help tell you what computer and what time it locked out on.  From there you should be able to trace it back to the source of how it got locked out.
0
 
PberSolutions ArchitectCommented:
This line:
Now select Searches on the main menu, then Built in searches, then nt lockouts
should read this:
Now select Searches on the main menu, then Built in searches, then Account lockouts
0
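
The search Pber describes with EventCombMT (every DC's Security log, filtered for lockouts of one account) can also be scripted. This is an added PowerShell example, not part of the original thread. It assumes the ActiveDirectory module, domain controllers running Windows Server 2008 or later (where a lockout is logged as event ID 4740), and rights to read each DC's Security log; `svc-example` is a placeholder account name.

```powershell
# Added example, not from the thread. Placeholder values:
$Account   = 'svc-example'   # sAMAccountName of the account being locked out
$HoursBack = 24              # how far back to search each DC's Security log

Import-Module ActiveDirectory

$filter = @{
    LogName   = 'Security'
    Id        = 4740         # "A user account was locked out"
    StartTime = (Get-Date).AddHours(-$HoursBack)
}

$results = foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $events = Get-WinEvent -ComputerName $dc.HostName -FilterHashtable $filter -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws when nothing matches; this also covers unreachable DCs.
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
        continue
    }
    foreach ($evt in $events) {
        # Read the named fields from the event XML rather than relying on position.
        $data = @{}
        ([xml]$evt.ToXml()).Event.EventData.Data |
            ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['TargetUserName'] -ne $Account) { continue }
        [pscustomobject]@{
            Time           = $evt.TimeCreated
            LoggedOnDC     = $dc.HostName
            Account        = $data['TargetUserName']
            # In event 4740 the TargetDomainName field holds the caller computer name.
            CallerComputer = $data['TargetDomainName']
        }
    }
}

# One row per lockout: when it happened, which DC recorded it, and the caller machine.
$results | Sort-Object Time | Format-Table -AutoSize
```

The CallerComputer column names the machine that submitted the failing credentials, which is where to look next for a stale saved password, mapped drive, service or scheduled task.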
 
TheITGuyAuthor Commented:
Ok.. I ran that and received back the log files which showed me the account lockouts for a couple of off site accounts, one printer account and then two lockouts for the account in question; however, they were from days ago.  It did not show a single lockout for today even though I know the account has been locked probably 10 times today alone.  I am learning a lot more about tracking down account lockouts but so far I have not figured this one out.  
0
