Server 2003 Account Lockouts

splitrockit
Users are getting locked out. We are looking for a third party program that will give us a better explanation than the event viewer does as to why the lockout is occurring.
Any suggestions for a program that can do this?
i_t

Commented:
I don't know about third party programs, but look at your GPOs:
http://technet.microsoft.com/en-us/library/cc757692(WS.10).aspx
Distinguished Expert 2017

Commented:
Lockout occurs because of wrong password.

The only GPO that enforces password policies is the default domain policy.
A possible issue is that you require password changes and users have terminal server access. A user who has a disconnected session on the terminal server and then changes their password outside that session will cause their account to get locked out.
Another option is that a user has saved credentials (control keymgr.dll), but the user has since changed their password.  Whenever access to the resource reflected in the keymgr (control keymgr.dll) is attempted the wrong credentials are transmitted which result in the lockout of the account.
DC event log/security.

Author

Commented:
No changes have been made to the passwords. I understand the GPO lockout policy. What I am trying to determine is why the lockout occurred. The event log explanation is vague at best. I am looking for a utility or program that can expound on the event log with more information on why the lockout occurred, or a program that can monitor the lockout and give a more detailed explanation.

If you find something, let me know.  Lockouts are pretty straight forward, as indicated above.
Distinguished Expert 2017

Commented:
Try the WMI explorer http://www.ks-soft.net/hostmon.eng/wmi/index.htm
After connecting to the DC you can query the security event log related to the username whose account is being locked out. The information should include the source from which the request is being seen as well as the type of request.
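The same query can be run from PowerShell instead of the WMI explorer. This is an added example, not code from any answer in the thread; it assumes a Server 2003 DC name and user name (placeholders below), that Account Management auditing is enabled so the DC writes the legacy event ID 644 (User Account Locked Out), and that the "Caller Machine Name" field in that event's message is the source to inspect:

```powershell
# Added example: list lockout events for one user from a Server 2003 DC's Security log
# and show the caller machine each request came from (stale TS session, saved creds, etc.).
# Assumes: read access to the DC's event log; event ID 644 is logged on lockout (2003-era ID).
param(
    [string]$User  = 'jdoe',   # sAMAccountName being locked out (placeholder)
    [string]$Dc    = 'DC01',   # domain controller to query (placeholder)
    [int]   $Hours = 24        # how far back to look
)

$since = (Get-Date).AddHours(-$Hours)

# Get-EventLog uses the classic event log API, so it works against a 2003 DC remotely.
# Event 644's message text includes "Target Account Name:" and "Caller Machine Name:".
$lockouts = Get-EventLog -ComputerName $Dc -LogName Security -InstanceId 644 -After $since |
    Where-Object { $_.Message -match "Target Account Name:\s*$([regex]::Escape($User))\b" }

if (-not $lockouts) {
    Write-Output "No lockout (644) events for $User on $Dc in the last $Hours hours."
    return
}

$lockouts | ForEach-Object {
    # Pull the caller machine out of the message; '?' if the field is missing.
    $caller = if ($_.Message -match 'Caller Machine Name:\s*(\S+)') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Time   = $_.TimeGenerated
        User   = $User
        Source = $caller   # machine to check for disconnected sessions / keymgr entries
        DC     = $Dc
    }
} | Sort-Object Time | Format-Table -AutoSize
```

Run it against each DC, since the lockout is recorded on the DC that processed the final bad attempt; the Source column is the machine to check for the stale session or saved credential described earlier in the thread.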
Top Expert 2009
Commented:
Lockout ONLY happens when the number of password attempts exceeds the allowed number. Ex: your AD is set to allow a user to try 5 times before it's locked out. If a user fails to give the correct password 5 times, the account is locked. Unless the admin locks the user account manually or some other script (with the user's credentials) exceeds 5 attempts, most of the time it is caused by the "lost minded" user. You can set account auditing to find out from where the attempts occur (computer name or network...) so you can advance the investigation.

Commented:
What are the event log errors?

Those should suffice with knowledge of AD and kerberos.

See if your users are trying to contact the server via NTLM hash or LM hash authentication. As of Service Pack 2, a 2003 server is not compatible with NTLM or LM hash authentication and could lock out your users.

Here is an example:

http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Server/Windows_2003_Active_Directory/Q_23132123.html

Author

Commented:
Thanks
