jdouthit asked:

How to tell what is locking an account out

I have a service account that runs scheduled tasks and services.  It is being locked out every Saturday at 11 PM, but I don't know what is locking it out.  I'm needing to know what machine/IP the invalid attempts are coming from.  I know Microsoft has the Account Lockout & Management tools, but I'm running Active Directory on Server 2008.  Will these tools still work?  If so how do I put them in place?  Is there a better option out there?
ASKER CERTIFIED SOLUTION
Cuteadder
This solution is only available to members.
Mike Kline
Those tools should still work... haven't put them on a 2008 box myself. A network trace can also help in these situations (netmon or wireshark).

Not sure if you have seen this blog, but it is a good overview: http://blogs.technet.com/b/instan/archive/2009/09/01/troubleshooting-account-lockout-the-pss-way.aspx?wa=wsignin1.0

Thanks

Mike
jdouthit (ASKER)

What criteria should I be entering in eventcomb to search for the failed attempts?  I don't know what Event ID this would produce.
There's a preset for looking for locked out accounts and the events around it...

Do that and post the results.
I used the preset search for locked accounts on event comb, but it didn't find anything.  The account was locked out on 2-12-11.  Our event logs fill up so fast we usually only have items for the last 4-6 hours on a business day.
Unlock the account and next time it locks out, jump on the issue.
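
For the question above of which event IDs to search for and where the bad attempts originate, here is an added example that is not part of the original thread. On Server 2008 and later the lockout itself is Security event 4740, and the failed authentications leading up to it are typically 4771 (Kerberos) and 4776 (NTLM). The account name, look-back window and output file are placeholders, and the script assumes PowerShell 2.0 or later and that auditing for these events is enabled on the domain controllers.

```powershell
# Added example. $Account, $Since and $OutFile are placeholders to adjust.
$Account = 'svc-example'              # hypothetical service account name
$Since   = (Get-Date).AddHours(-4)    # look back less than the log retention
$OutFile = "lockout-$Account.csv"

# Bad-password attempts and lockouts are forwarded to the PDC emulator,
# so its Security log is the first place to look.
$Pdc = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name

# 4740 = account locked out
# 4771 = Kerberos pre-authentication failed
# 4776 = NTLM credential validation (logged for success and failure)
$filter = @{ LogName = 'Security'; Id = 4740, 4771, 4776; StartTime = $Since }

$rows = Get-WinEvent -ComputerName $Pdc -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        $evt  = $_
        # Flatten <EventData><Data Name="..."> into a name/value table
        $data = @{}
        foreach ($d in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$d.Name] = $d.'#text'
        }
        if ($data['TargetUserName'] -ne $Account) { return }
        if ($evt.Id -eq 4776 -and $data['Status'] -eq '0x0') { return }  # successful NTLM logon

        # Each event keeps the origin of the attempt in a different field
        $source = switch ($evt.Id) {
            4740 { $data['TargetDomainName'] }   # caller computer name
            4771 { $data['IpAddress'] }          # client IP address
            4776 { $data['Workstation'] }        # source workstation
        }
        New-Object PSObject -Property @{
            Time = $evt.TimeCreated; EventId = $evt.Id
            Source = $source; Status = $data['Status']
        }
    }

if ($rows) {
    $rows | Sort-Object Time | Select-Object Time, EventId, Source, Status |
        Export-Csv -Path $OutFile -NoTypeInformation
}
```

Because the Security log in this thread only holds a few hours of events, running this from a scheduled task shortly after the expected lockout time keeps the evidence from being overwritten.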