Why Active Directory accounts locked-out even no password policy defined

certuran
certuran used Ask the Experts™
on
Why Active Directory accounts locked-out even no password policy defined.
Quantity of locked-out account increasing rapidly.
and how can unlock them with bulk transaction?
Please help
Thank you
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Commented:

Configure below recommended setting & a/c will never lock. But when problem is resolved you can re configure the policy as removing this policy open lot of security vulnerbility.

Account lockout duration = Not Defined
Account lockout threshold = 0
Reset account lockout counter after = Not defined

Ru gpupdate /force
Restart domain machine once to apply the policy.

http://www.windowsecurity.com/articles/Implementing-Troubleshooting-Account-Lockout.html
Account lockout can occur with different reason password change but not replicated,mapped network drive password changed,worm(conficker),spoofing etc. You can download account lock out tool & try to troubleshoot.
http://www.microsoft.com/downloads/details.aspx?familyid=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
Troubleshooting Account lockout issue
http://blogs.technet.com/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx 
It can be due to conficker worm. Please refer below link.
http://www.experts-exchange.com/Software/Server_Software/File_Servers/Active_Directory/Q_24873815.html
 Conficker is the well known worm which locks the account & MS has announced huge prize money.
If there is conficker in single system,lockout problem will happen until the worm has been removed completely from the network. Use updated antivirus & patch.
 
 

 
bluntTonyHead of ICT
Top Expert 2009
Commented:

When you say no password policy is defined, where are you looking? on workstations or the domain controller(s)? It needs to be on the domain controllers.

Run rsop.msc on a domain controller and browse to:

Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policies

Is anything defined here at all? Does it say what GPO is applying any settings?

Also check the security event logs on your DCs and look at the failied logon events preceding the account lockouts. Check the source workstation and the logon type code:

http://www.windowsecurity.com/articles/Logon-Types.html

This will give you an idea of the source and the cause. As Awinish says, random and widespread account lockouts can be due to a conficker worm infection. Ensure your AV software is all up to date and run a detection/removal tool. There are a number of free ones.

Sophos Conficker Detection Removal (with step-by-step) : http://www.sophos.com/products/free-tools/conficker-removal-tool.html

Tony

Author

Commented:
can you suggest a very good tool to examine the unlock or to use for some active directory transaction and analysis. I have doownloaded Netwrix but it did not see the account as a locked-out.
bluntTonyHead of ICT
Top Expert 2009

Commented:
It really is simply a case of gathering the security logs from the DCs in question for the account lockout events and the preceding failed logon events to help you determine the source/cause. As stated above, determining the source and the logon type for the failed logons will help (see links above)

The account lockout tools linked by Awinish provide tools for gathering the logs in question:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7af2e69c-91f3-4e63-8629-b999adde0b9e&displaylang=en

Particularly eventcomb.exe and lockoutstatus.exe will help you gather information needed to help you troubleshoot.

Tony

Author

Commented:
In Active Directory, I assigned the task that remove Lock-out to the organizational units. I could do bulk transaction.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial