jdouthit asked:

How to tell what is locking an account out

I have a service account that runs scheduled tasks and services. It is being locked out every Saturday at 11 PM, but I don't know what is locking it out. I'm needing to know what machine/IP the invalid attempts are coming from. I know Microsoft has the Account Lockout & Management tools, but I'm running Active Directory on Server 2008. Will these tools still work? If so, how do I put them in place? Is there a better option out there?
Mike Kline:

Those tools should still work... haven't put them on a 2008 box myself. A network trace can also help in these situations (netmon or wireshark).

Not sure if you have seen this blog but it is a good overview


jdouthit:

What criteria should I be entering in eventcomb to search for the failed attempts? I don't know what Event ID this would produce.

There's a preset for looking for locked out accounts and the events around it...

Do that and post the results.

I used the preset search for locked accounts on event comb, but it didn't find anything. The account was locked out on 2-12-11. Our event logs fill up so fast we usually only have items for the last 4-6 hours on a business day.

Unlock the account, and next time it locks out, jump on the issue.
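
Because the Security log in this thread only holds 4-6 hours of events, the lockout record has to be pulled soon after the account locks. The script below is an added example, not part of any poster's reply: it reads lockout events (Event ID 4740, "A user account was locked out") and reports the caller computer recorded in each one. Assumptions: PowerShell 2.0 or later, run elevated on the domain controller holding the PDC emulator role; the account name and output path are placeholders.

```powershell
# Added example. Placeholders (not from the thread): account name, output path.
$Account   = 'svc-placeholder'                 # sAMAccountName of the locked-out account
$LookBack  = 6                                 # hours; the thread says logs hold ~4-6 hours
$OutFile   = 'C:\Temp\lockout-sources.csv'     # placeholder path
$Since     = (Get-Date).AddHours(-$LookBack)

# Event 4740 is written on the DC that processed the lockout and is also
# visible on the PDC emulator, which is why the script is run there.
$filter = @{ LogName = 'Security'; Id = 4740; StartTime = $Since }

$results = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Read the event's named data fields from its XML instead of relying
        # on positional indexes into the Properties collection.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($data['TargetUserName'] -eq $Account) {
            New-Object PSObject -Property @{
                TimeCreated    = $_.TimeCreated
                Account        = $data['TargetUserName']
                # In 4740 the "Caller Computer Name" is stored in TargetDomainName.
                CallerComputer = $data['TargetDomainName']
                LoggedOnDC     = $_.MachineName
            }
        }
    } | Sort-Object TimeCreated

if ($results) {
    $results | Format-Table TimeCreated, Account, CallerComputer, LoggedOnDC -AutoSize
    # Keep a copy outside the event log so the evidence survives log rollover.
    $results | Export-Csv -Path $OutFile -NoTypeInformation
} else {
    Write-Output "No 4740 events for $Account in the last $LookBack hours."
}
```

For a lockout that recurs at a known time, as in the question, running this as a scheduled task shortly after that time captures the caller computer before the log rolls over.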